Cloud Security Alliance: IT Way Off on Cloud App Penetration

In what could be called a tale of perception versus reality, the Cloud Security Alliance (CSA) today released the results of a new survey that found a significant difference between the number of cloud-based applications IT and security professionals believe to be running in their environments, and the number reported by cloud application vendors.

The survey found that 54% of IT and security professionals said they have 10 or fewer cloud-based applications running in their organization, with 87% indicating that they had 50 or fewer applications running in the cloud (with a weighted average of 23 apps per organization). These estimates are far lower than commonly reported by vendors and research reports, which count more than 500 cloud apps present, on average, per enterprise.

“We found these results particularly interesting and at the same time concerning,” said Jim Reavis, CEO of the CSA, in a statement. “It’s hard to control what you can’t see. If you are only seeing one tenth of your actual cloud usage, it’s impossible to put cloud policies in place to protect users and data. This tells us that cloud app discovery tools, along with analytical tools on cloud app policy use and restrictions, are very important in the workplace, especially when it comes to sensitive data being used by cloud applications.”

The survey, sponsored by Netskope and Okta, also includes data on the percentage of users uploading content to various applications, and the sensitivity of that content. On the positive side, for known cloud apps, the vast majority of respondents report having policies and procedures in place to protect data and ensure compliance, and most report that those policies are well enforced.

When looking at the most protected cloud apps, nearly 80% of policy enforcement is in cloud storage and cloud backup, indicating serious concerns about data leakage and protection. Additionally, when it comes to bring-your-own-device (BYOD) policies, more than 50% of respondents reported having a policy addressing BYOD, and more than 80% believe it is at least somewhat followed.

“Beyond raising awareness around cloud service risk, the findings here are intended to provide usage intelligence that helps IT, security, and business decision-makers take action,” said JR Santos, global research director of the CSA. “By consolidating and standardizing the most secure and enterprise-ready cloud services, knowing what policies will have the most impact, and understanding where to focus when educating users, we can improve the protection of data and applications in the cloud.”
