A new report proves businesses are using more cloud applications than ever before, but unfortunately for cloud-wary security teams, policies aimed at restricting rogue cloud app usage are often undercut by exceptions.
The Netskope Cloud Report, based on data taken from cloud app policy vendor Netskope Inc.'s Active Platform product, showed an average of 461 cloud applications running in the typical enterprise environment during Q1 of 2014, up from 397 in the previous quarter.
The data highlights not only how rapidly enterprises are adopting new cloud applications, but also how drastically IT organizations underestimate that adoption. Netskope's Q4 data showed IT teams on average estimated that no more than 50 enterprise cloud applications were present in their environments.
"Enterprises are blind to cloud usage," said Netskope CEO Sanjay Beri. "People will go off and work in silos, not because they're bad or malicious, but because swiping a credit card is easier than waiting three months to get everyone on the same page. … They don't even necessarily understand the risk, and the number of apps flying under the radar is growing."
Beri said the cloud app sprawl plaguing large organizations is largely the result of a lack of coordination among different business units. He said the report shows that many of the apps present in enterprise environments are redundant, with marketing and human resources apps the most frequent culprits.
Rogue cloud app usage is pervasive
Unsurprisingly, the most popular enterprise cloud applications tend to be for social media -- with Twitter and Facebook being the two most popular overall -- and data storage, with Amazon CloudDrive, Box and Dropbox all among the top 10 apps.
More vexingly for CISOs and security professionals, Netskope found that 90% of cloud apps being used in enterprise environments were thought to be blocked by network perimeter technologies, including firewalls and secure Web gateways. Uploading documents to cloud storage sites was by far the most likely policy violation uncovered via the report, with social media logins and posting also a pervasive issue.
The pervasiveness of rogue cloud apps, according to Beri, is largely the result of two factors. First, blocking enterprise cloud applications with traditional network security appliances usually means breaking business processes. When that happens, business units file complaints with system administrators without the knowledge of the security team, Beri said, and since business needs almost always trump security requirements, cloud security policy exceptions are then created to allow those blocked cloud apps.
The other factor, Beri said, is remote users. Because they are often left uncovered by firewalls and other network-based appliances, remote users leave a large blind spot in cloud app usage policies. As a result, Beri said, many of the CISOs he has spoken with were largely unaware of the rogue cloud usage occurring at their companies.
"Numerous customers walk into the door and say, 'Here are our 10 most-blocked applications,'" Beri said, "and that turns out to be nine of the top 10 [apps used in that environment]."
There are no bad cloud apps, just bad activities
Instead of blocking cloud apps outright, Beri advised companies to first eliminate redundant applications across business groups and categories, and then adjust cloud security policy to focus on restricting the "bad activities" associated with such apps. For example, blocking a popular cloud storage app like Box is largely pointless for an organization, he said, both because exceptions will likely be applied and because blocking reduces the productivity gains delivered by the service.
What an organization can do, though, according to Beri, is apply context to the data being shared via Box. A healthcare organization could lock down the sensitive health information of patients, for instance, while a public company concerned with Sarbanes-Oxley regulations could restrict user access to financial data.
By focusing on the data, Beri said, CIOs and CISOs can ensure the integrity of sensitive information while reducing concerns about rogue cloud apps.
"Usage of these apps is not a bad thing," Beri said, "but organizations do need to understand it. This is an opportunity for IT to take a leadership role and shape that usage the way they want, but at the same time, protect that data."