According to a recent Cloud Security Alliance survey, 61% of large companies have a cloud governance policy. That policy often includes what cloud services employees are permitted to use at work and what data can go to those cloud services. While many companies have a security awareness training program in place to educate employees on these policies, they are also taking additional steps to block access to certain applications. But just how effectively are organizations enforcing these access policies?
Mind the Gap
Not very well at all, it turns out. In conjunction with the Cloud Security Alliance, we surveyed IT professionals from over 200 organizations to understand what cloud services they intend to block based on policy. We asked about a range of well-known cloud services, from Facebook to Apple iCloud. Next, we measured the actual block rates in the wild. By comparing the two, we found there’s a significant “cloud enforcement gap” between what IT intends to block and actual block rates.
Working with individual companies, we’ve identified 3 main causes of the enforcement gap:
- Cloud services regularly introduce new URLs and domains that are not yet blocked
- Access policies are not standardized across all firewalls and proxies at branch offices
- Certain groups in the company get an exception to use a service and these exceptions are often more broadly applied than intended
The enforcement gap is highest for Dropbox at 59 percent, followed by Instagram (44 percent), Tumblr (42 percent), and Apple iCloud (41 percent). While it’s debatable whether some of these services need to be blocked or not, they illustrate that companies are not able to enforce access policies as consistently as they may think. These policies are meant to protect the company and its data. Companies need to tighten policy enforcement to meet their security and compliance requirements.