
'Shadow cloud' services a growing threat to enterprises

Cloud Security Alliance findings show many enterprises struggle to identify and control shadow cloud apps and services; half of those surveyed told the CSA they have no program in place to manage cloud apps and services.

The vast majority of enterprises struggle to identify and control the growing number of "shadow cloud" apps and services within their organizations, according to a new study from the Cloud Security Alliance, and some aren't even trying.

More than 70% of executives and IT managers admitted they didn't know how many unauthorized cloud or shadow cloud apps and services their employees were currently using, according to the CSA's 2014 Cloud Adoption Practices and Priorities (CAPP) survey.

The study, which was sponsored by Skyhigh Networks, surveyed more than 200 global IT, information security, and compliance and audit executives and managers across a broad range of vertical industries during the third and fourth quarter of last year.

The CSA defines shadow cloud as cloud applications and services adopted by individual employees, teams and business units with no formal involvement from the organization's IT department. Security experts say this unsanctioned cloud usage represents a growing security risk to enterprises, warning that it can easily lead to data breaches, compliance violations, unnecessary costs and numerous other security and business problems.  

Just 8% of survey respondents said they knew the number of shadow cloud apps and services being used by their employees; 72% said they didn't know the number but wanted to find out, while 20% of respondents said they didn't care about determining how many shadow cloud apps and services were being used in their organizations.

In terms of employee requests, respondents said the most requested cloud apps were file-sharing and collaboration apps, such as Google Docs, Dropbox and Office 365 (80%), while communication apps (41%) and social media tools (38%) were also popular.


Jim Reavis, co-founder and CEO of the CSA, said that while free cloud apps and services can help employees increase productivity, enterprises need to know what apps and services are being used and where corporate data is being stored in order to have effective information security programs.

"Companies are going to try to get control of shadow cloud this year," Reavis said. "It's a problem that they can't ignore. There's so many [cloud apps and services] available that companies can't effectively block or ban them all."

Instead, Reavis said, they have to find a way to secure them and grant proper authorization to those rogue cloud apps and services in order to prevent data breaches or data leaks.

"As more companies try to take advantage of cloud apps and services, I think we're going to see federated identity and access management play a much larger role for enterprises in 2015," he said. "That's going to be a key component of cloud security strategies."

Controlling shadow cloud

During the CSA Congress and International Association of Privacy Professionals' Privacy Academy in September, one of the most common topics of discussion was controlling shadow cloud usage in the enterprise. For example, Internet radio company Pandora Media Inc. discussed its process for approving cloud apps and onboarding them with identity and access management (IAM) and single sign-on systems.

The CAPP survey also showed that few enterprises had any kind of policy or program to manage cloud apps and services. Just 16% of respondents had a cloud usage policy that was "fully enforced"; 26% said they had a policy that was "partially enforced"; 8% said they had a policy that wasn't "at all enforced"; 27% said they didn't have a policy but planned to create one; and 23% said they didn't have a policy and had no plans to create one.

Similarly, the study found that just 21% of enterprises surveyed had a formal cloud governance committee responsible for developing and updating cloud security policies, while only 31% said they had plans to create such a committee.

Many cloud security vendors have turned their focus to the issue of shadow cloud apps and services. Rohit Gupta, founder and CEO of cloud security automation startup Palerra Inc. in Santa Clara, Calif., said the adoption of cloud services has exposed "some blind spots" in enterprise security and that companies need to be more proactive about monitoring cloud usage.

"The issue isn't the shadow cloud apps. The issue is where is your corporate data going?" Gupta said. "It's not the cloud provider or app that's at risk, necessarily. It's other things like accidental employee activity that could expose data."

In addition to the topic of shadow cloud, the CAPP survey also offered insight into enterprise cloud growth. According to the survey, 41% of respondents said they are adopting cloud services "with caution," and 33% said they are moving "full steam ahead," while 15% said they are in the "early stages of investigation" and 11% said cloud is "not a priority."

The survey also highlighted concerns about cloud adoption. Of the respondents, 73% cited concerns about data security as a potential obstacle to cloud adoption, while 38% cited both regulatory compliance issues and loss of control over IT services as obstacles.
