by Krishna Narayanaswamy, Netskope Chief Scientist
Shadow IT has been a topic of much conversation in the media, at conferences, and among our customer and partner communities for the past several years. Gartner highlighted the issue when the analyst firm declared cloud access security brokers as the #1 information security priority for this year. And vendors have been reporting for over a year on the many hundreds of cloud apps they observe per enterprise. This is a known issue.
But if you read “Cloud Usage: Risks and Opportunities Report,” which was released by the Cloud Security Alliance on Friday, you may think you’re reading a report from last decade. The report details results from a survey conducted by the Cloud Security Alliance to 165 IT and security practitioners across a variety of industries and geographies.
Among the many surprising responses, three findings particularly struck me:
- How many cloud apps do people think they have? According to the report, more than half (54 percent) of respondents believe that they have ten or fewer cloud apps. Ten or fewer! I use ten cloud apps in my first fifteen minutes at work each day. OK, that’s a slight exaggeration, but not by much. A full 87 percent of respondents believe they have 50 apps or fewer. When we perform a Cloud Risk Assessment for our customers and prospects, we ask this question. The most common answer is 50, and the average we find is 508 apps. That’s a ten-fold difference.
- How much sensitive content is shared? According to the report, nearly half (48 percent) of respondents believe that less than 5 percent of their sensitive content in the cloud has been shared with unauthorized individuals or individuals outside of the organization. I think that’s low. In our cloud, we see that there are three shares for every content upload within cloud storage, and 49 of the 55 app categories we track have apps that enable sharing. That’s a lot of sharing.
- How many apps are connected to the corporate directory? According to the report, 44 percent of respondents believe that 5 or fewer apps are integrated with their corporate directory. I guess that’s not surprising given #1, but if you believe that the reality is that organizations have 508 apps on average, that’s less than one percent. Given all of the recent data breaches, including ones involving cloud-based remote access technologies, you’d think that organizations would either want to authenticate users as they log into cloud apps or enforce policies to steer users to similar apps that are integrated with the corporate directory. After all, many of these apps are business-critical and house sensitive data.
Many of our customers and prospects have become a lot more aware of shadow IT, but based on this survey, it looks like we still have work to do to educate organizations about the magnitude of the issue, and what steps can be taken to discover and safely enable those apps. Get the full report here.