Despite Concerns, Businesses Still Place Sensitive Data in the Cloud

According to a report from Forrester, despite their security concerns – and perhaps because most IT managers simply have no other option – as many as one-third of enterprises are placing sensitive data into the cloud.

Forrester’s study, conducted on behalf of IAM vendor Symplified, focused on IT security managers in the U.S. dealing with IAM needs. As noted in the report itself, while most enterprises are concerned about exposing data to the cloud, nearly a third of them already place highly sensitive data like regulated financial (34%) and healthcare information (29%) in SaaS apps.

As for their preferred method for consuming cloud security, the top two choices – embedded in the cloud service (23%) and third-party on-premise solution (20%) – were evenly split. Moreover, half of those who took part in the study mentioned that their existing IAM infrastructures will not work well in the cloud and provide essentials such as SSO.

“This survey reveals that enterprises recognize the need for cloud identity and access management, but they’re concerned about their ability to integrate these capabilities within existing infrastructures,” said Brian Czarny, vice president of marketing for Symplified.

“It’s also clear that supporting non-SAML apps is a big challenge, and that organizations want the ability to choose between cloud-based and on-premises security options.”

Other findings include the fact that user provisioning (61%) and SSO/Web Access Management (53%) are the two leading access control priorities for enterprises, and that 48% of respondents were very concerned or somewhat concerned that their organization needs SSO to non-SAML or non-federated SaaS apps.

“The data collected shows that IT managers are living with a gap between cloud usage and corresponding cloud security. As solutions for managing cloud access mature, we anticipate IT departments will feel corresponding pressure to improve the fundamental processes of identity management and access management within their own organizations,” said the study.

“They must increasingly support business owners in a drive to take advantage of cloud-enabled and mobile-enabled business partnerships — and their ability to execute will be significantly affected by the ability of their IAM systems to adapt.”

Forrester’s report was not made available to the public.

In related news, nCircle spoke with 127 attendees at the Cloud Expo West conference, where it was learned that 51% of respondents said they outsource “less than a third” of their infrastructure to the cloud, and 31% said they outsource “one-third to one-half” to the cloud. Expanding this to meet the numbers needed to conform to the Fortune 500 is a bit of a stretch, but not by much.

When it comes to the type of data outsourced, nCircle’s findings show that 37% said they outsource “moderate impact” data to the cloud; 42% said they outsource “low impact” data to the cloud; and 21% said they outsource “high impact” data to the cloud.

“In spite of the cost efficiencies, the cloud continues to be a small part of most organizations’ infrastructure,” said Lamar Bailey, director of security research and development for nCircle. “Cloud infrastructure creates a whole new set of security questions that aren’t easily answered, and many IT security tools don’t adapt well to the cloud, making it difficult for users to migrate quickly.”

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.