CSA Survey: Security of Cloud Data Now a Board-Level Concern

Security and Skills Gap Hold Back Cloud Projects While Shadow IT Grows

By Cameron Coles, Sr. Product Marketing Manager, Skyhigh

A recent Cloud Security Alliance & Skyhigh survey shows that while security and skills gaps remain significant barriers to corporate-sanctioned cloud projects, end users are pushing IT departments to provide more cloud applications, faster than ever. The survey of 212 IT and security professionals looked at the state of cloud adoption – both sanctioned and shadow IT – and asked respondents how their organizations approach security, spending on cloud versus on-premise technology, and governance of data. The results show that while 33% of companies have a “full steam ahead” attitude toward cloud adoption, security concerns continue to hold back formal cloud projects. And, the concern about security has reached well beyond IT to the executive suite and boardroom.

The top barrier to cloud projects continues to be the security of data, with 73% of respondents indicating it was holding back cloud projects. Another significant barrier is a lack of knowledge and experience on the part of IT and business managers. This cloud skills gap held back cloud projects for 37% of companies in Europe and 29% of companies in the Americas. One explanation is that IT personnel are also focused on maintaining legacy on-premise infrastructure, and don’t have room to invest in the skills and resources needed for the cloud era.

Of course, employees are adopting cloud services unknown to IT and are not necessarily worried about the security of company data. Skyhigh’s Cloud Adoption and Risk Report shows that the scope of shadow IT can be 10 times greater than what IT is aware of. For most companies today, shadow IT is unknown and unmanaged. The overwhelming majority of respondents – 72 percent – said they did not know the scope of shadow IT at their companies but wanted to know. At companies with more than 5,000 employees the number grows to 80 percent. That makes free offerings like Skyhigh’s Cloud Audit that discover all cloud apps in use across an organization and provide a risk assessment of these apps so valuable.

Perhaps due to the flood of recent high-profile data breaches, including the attack on Target that led to a 46 percent drop in the company’s quarterly profit and the resignation of it CIO and CEO, the security of company data has spread far beyond the IT department. Cloud security is now an executive-level and board-level concern for 61% of companies. That interest is driving increased oversight over how companies govern their data that will ultimately benefit everyone, although in the short term it means IT teams are looking for help with presenting their company’s security posture in terms that make sense to non-technical board members.

Despite, or perhaps because of, barriers to cloud projects, rank and file employees are taking an active role advocating for the cloud apps and devices they’ve come to expect in their personal lives. Among IT professionals, 79% receive requests for new cloud apps each month from end users. Highlighting the disconnect between sober IT departments and eager employees, 49% of IT professionals said they had felt pressured to approve an app they felt did not meet the company’s security requirements. The most requested categories of services include File Sharing and Collaboration (e.g. Box, Dropbox, Google Docs, OneDrive) followed by Communication (e.g. HipChat, Skype, WebEx, Yammer), and Social Media (e.g. Facebook LinkedIn, Twitter).

One of the most surprising findings is that companies that are best positioned to adopt the cloud securely – because they have more mature governance programs – are, somewhat paradoxically, slower to adopt the cloud. Companies with more than 5,000 employees are more likely to have a cloud governance committee (34.8% versus 12.0%), have a policy on acceptable cloud usage (60.9% versus 44.8%), and have a security awareness training program (26.1% versus 20.3%) compared to companies with fewer than 5,000 employees. However, only 36.2% of them spend more than 20% of the IT budget on cloud services, compared with 49.0% of companies with fewer than 5,000 employees.

When it comes to enforcing these cloud policies, such as which employees are allowed to access what cloud services and where sensitive data can be uploaded, companies across the board prefer to use their firewall and proxy infrastructure versus rolling out device agents to employee devices. For all companies, 65% prefer to use their firewalls and 63% prefer to use their proxy. For companies with more than 5,000 employees, a whopping 95% of companies prefer to use their firewall or proxy versus leveraging device agents.

To read all of the findings in the CSA Cloud Adoption Practices & Priorities survey, download the full report.