How much do you really know about your organization’s exposure in the cloud? Can you say with any degree of certainty how many cloud applications your employees use, what data is being shared and stored there and who has access to it?
If your answer is no to some or all of those questions then you’re not alone. But that really shouldn’t be of any comfort. A recent survey by SANS found that while 40% of enterprises say they process or share sensitive data in the cloud a somewhat worrying 13% admitted they don’t know if their organization has sensitive data in the cloud.
This is going to become a massive issue as enterprise cloud adoption ramps up, with 80% of IT spend going to cloud services within the next 16 months according to a survey by Intel Security. We all know the importance of security in the cloud, but how can you secure what you have no visibility over in the first place?
Before we even get to data and applications this need for visibility starts with the cloud infrastructure. In the SANS survey 58% of organizations said a lack of visibility into cloud providers’ infrastructure is their biggest operational issue. With public cloud it’s so easy today for organizations to rent computing space and start up new virtual machines. Organizations may only switch these cloud machines on infrequently, once a month or once a quarter, when needed. In the meantime they lie dormant and forgotten with the IT department having no visibility or control over the security settings.
Enterprises need to ensure they have a security management connection hooked up with their cloud infrastructure provider to enable asset discovery scanning. That gives the IT department visibility as to how many images are in the cloud, what is online and offline, to enforce security policies and check if things like antivirus and intrusion detection systems are up-to-date. This is the first important step for cloud security because if you cannot manage your infrastructure for cloud usage you are completely out of control – you have no visibility.
Shadow IT is another big challenge to visibility and control in the cloud and our survey reveals an alarming lack of visibility around cloud-based shadow IT exposure among enterprises. Fewer than half (45%) of respondents claimed they had visibility into their SaaS shadow IT, while only 42% said the same about Iaas shadow IT.
Levels of shadow IT are, perhaps not surprisingly, highest in sales, R&D, and marketing departments, where teams will tactically use cloud services when they need to respond quickly to the latest business needs and customer trends. Take the example of a sales team bypassing the IT department and setting up a Salesforce account to run a short campaign. The IT department potentially has no control or visibility over what kind of data is going outside the organization to that Salesforce cloud app.
The biggest question mark when it comes to shadow IT, however, hangs over the legal department where some 37% of respondents said they can’t tell if that department is procuring cloud without the knowledge of the IT department.
IT needs to regain control of shadow IT. That’s not about trying to shut it down. Instead the IT department needs to be the educator and broker that can still empower departmental teams to be able to access the tools and services they need but using more secure alternatives.
Data in the cloud – how to regain visibility
One of the biggest fears of CISOs is the leakage of confidential corporate information from insecure cloud services used by employees. One technology that is increasingly being used by enterprises to secure data in the cloud is cloud access service brokers (CASBs). These allow for the centralized control and enforcement of security policies. It gives CISOs control and visibility, with consistent security policies applied wherever the data is stored, shared and however it is accessed. CASBs give the context to decide if the data is even allowed to go outside the organization into the cloud and if it is, whether it needs to be encrypted.
The IT department, CIOs and CISOs need to be the enablers who support the business as it seeks to reap the benefits of cost savings, flexibility, innovation and productivity gains through greater use of the cloud. But that needs to be done securely and the only way to achieve that is by having greater visibility of cloud usage and data in the cloud.