Cloud adoption in the enterprise is accelerating. While many companies assume they are blocking all cloud services not approved by IT, the sheer number of cloud services (over 12,000) and the fact these services periodically introduce new URLs that are not yet blocked means that it’s not uncommon for companies to use hundreds of cloud services unknown to their IT departments. The average company now uses 1,083 cloud services, which is 47% higher than this time last year. We polled CIOs and found there are 12 metrics they hold their teams accountable to when it comes to shadow IT and sanctioned cloud usage:
- Which services are employees and business units using overall and in each category (e.g. file sharing, social media, collaboration)?
- Which services are gaining in popularity and should be evaluated for enterprise-wide adoption?
- What is the risk-level of each service in use?
- How effective are my firewalls and proxies at identifying cloud services and enforcing acceptable cloud use policies?
- Which redundant services are employees using, and are they introducing additional cost and risk and inhibiting collaboration?
- How do I quantify the risk from the use of cloud services and compare it to peers in my industry?
- Which services house sensitive or confidential data today?
- What are the security capabilities of the services storing sensitive data?
- Which data is available to external collaborators outside of the company?
- Which partners’ cloud services are employees accessing and what’s the risk of these partners?
- Which external collaborators are granted access to our company’s services?
- How do I track and log all user and admin actions for compliance and investigations?
The highly convenient accessibility of cloud services comes with its pros and cons. On one hand, individual users and businesses can adopt cloud services in a matter of minutes, often times needing only an email or credit card to sign up. They can do this without any involvement from IT departments. The benefit of this is that being able to access cloud services almost instantaneously can boost productivity, but the downside is that IT departments have little to no visibility into the services that their employees are utilizing. This can make it difficult to manage finances as well as gauge the security risks that come with these services.
Organizations must protect sensitive data for a variety of legal and commercial reasons. Regardless of the nature of cloud services being used, IT departments need visibility into the data that goes in and out of the cloud, in order to detect anomalies that may indicate a compromised account or security breach.
With that being said, enterprises need to make sure they don’t overstep privacy boundaries when monitoring their employees’ activity in the cloud. The same protocol that an organization has in place to increase visibility into sanctioned cloud services, could theoretically also be used to monitor somebody’s personal social media accounts. For this reason, IT departments need to ensure that they don’t cross “perceived ethical or legal privacy boundaries”. Furthermore, corporations should integrate cloud visibility into already-existing systems, such as Security Information and Event Management (SIEM) products.
At this point, usage of cloud services is essentially a necessity in almost every modern day workplace. The average employee uses 27 different cloud services at work, including six collaboration services, four social media services, and three file-sharing services. Many of these applications are consumer based, so security is far from a guarantee. For this reason, it is imperative that IT departments have insight into what services are being used, the data going in and out of the cloud, and the necessary privacy capabilities to secure information.