A new survey from the Cloud Security Alliance (CSA) shows that many IT and security pros underestimate the number of cloud-based applications that are running in their environments.
The survey, which features responses from 165 IT and security professionals from around the world, found that 54 percent of respondents said they have 10 or fewer cloud-based applications running in their organization, with 87 percent indicating that they had 50 or fewer applications running in the cloud.
On average, that came to 23 apps per organization. But those estimates are far lower than commonly reported by vendors and research reports, which count more than 500 cloud apps present.
"We found these results particularly interesting and at the same time concerning," said Jim Reavis, CEO of the CSA, in a statement. "It’s hard to control what you can’t see. If you are only seeing one tenth of your actual cloud usage, it’s impossible to put cloud policies in place to protect users and data. This tells us that cloud app discovery tools, along with analytical tools on cloud app policy use and restrictions, are very important in the workplace, especially when it comes to sensitive data being used by cloud applications."
Rob Fry, senior information security architect at Netflix, said that the company thought before an audit it was using maybe 50 to 100 cloud providers internally.
"We discovered that there were there were over 600," he said. "It was a big wake up call for us. We realized that the concept of trying to control it should just go away. We learned that you have to be in line and communicating with the business. We don’t want to dictate to business, telling them this is the next big thing and pick providers. We make an effort to go out and talk to users."
Cara Beston, PricewaterhouseCoopers' cloud assurance leader and a partner in its risk assurance practice, noted that automated software tools allow enterprises to identify existing and new cloud services that are communicating through the enterprise's network.
"Additional analysis capabilities can help to identify the actual cloud service, IP addresses using the service, the location of use, extent of usage across the enterprise and the size of data downloads and uploads from the service," she said.
She tied the growth of shadow IT to the explosion of SaaS offerings supporting relatively discrete business and operational processes. Today's employees, she said, have easy access to standard solutions for managing human resources, customer relation management systems and other back office functions with low to no upfront investment or ongoing operating expense, which allows them to make decisions about using technology without going through traditional procurement, business or IT approval processes.
Juan Walker, principal security strategist at EMF Broadcasting, said his company had to get out in front of the issue of shadow IT, and has a few discovery processes in place to detect applications.
"When we find something we advise on best use cases and security," he said in an email. "We have also developed a trusted advisor and consultant relationship [with] business units. In most cases they come to us for advice before deploying - especially when it has infosec implications. "
"If we find an application we don't want in the environment," he added. "We recommend others that are safer to use."
The last resort, he said, is to block applications within the environment and on company-issued devices.
The survey, which was sponsored by Netskope and Okta, also found that the vast majority of the respondents have policies and procedures in place to protect data and compliance. Nearly 80 percent of policy enforcement in cloud apps is in cloud storage and cloud backup, indicating serious concerns about data leakage and protection. Additionally, when it comes to bring-your-own-device (BYOD) policies, more than 50 percent of respondents report having a BYOD policy, and more than 80 percent believe it is at least somewhat followed.
"Beyond raising awareness around cloud service risk, the findings here are intended to provide usage intelligence that helps IT, security, and business decision-makers take action," said JR Santos, global research director of the CSA, in the statement.
"By consolidating and standardizing the most secure and enterprise-ready cloud services, knowing what policies will have the most impact, and understanding where to focus when educating users, we can improve the protection of data and applications in the cloud," Santos said.