Today, virtually every organization consumes a notable number of SaaS services, most of them more than 500. So you would think that when it comes to ensuring that sensitive digital assets are properly secured, IT would be all over it.
Not true, according to a Ponemon study. Several months ago Ponemon published a sponsored survey that seems to indicate that IT is not stepping up to the access and security plate for the cloud-based applications and services being consumed by their business users. The Cloud Multiplier Effect Survey Report is a fairly quick read, so I recommend reading it, but here are some high-level key points.
Before going on, let me clarify that the survey was intended to create talking points for Netskope (the survey’s sponsor). The survey was limited to the United States, but Ponemon did get a decent sample size of 613 respondents who work directly in, or are familiar with, IT security operations at their organizations.
As I read about IT’s lack of confidence in their providers notifying them in a timely manner when breaches happen, I was certainly able to relate. During the past few years, several as-a-service offerings that I use were breached, and none of them alerted me in a timely manner that my financial information or credentials had been compromised. Instead, I found out either through the press or from a belated email that was too little, too late. It appears to me that unless you are in an industry where the provider is mandated to notify you of breaches ASAP, it’s not going to happen. In fact, today’s vague security contracts and total lack of visibility virtually ensure that we’re not in for a change in the near term.
The multiplier effect referred to in this survey boils down to the reality that not only are business users consuming cloud applications at an accelerated rate, but they are often doing so on their mobile devices. So not only is private information leaving the corporate environment, but the vulnerability points multiply as business users across the organization consume cloud applications that may themselves be compromised.
Invariably these business users use their own cloud-based services, and access all of the above using their mobile devices (does anyone really have just one anymore?), further obscuring any visibility that IT would hope to have. And as if the multiplier effect wasn’t increasing risk to the business enough, there is the observation that the weakest security link across all these many environments is often a common set of credentials: a multiplier of a multiplier for risk.
I’m convinced that no one in IT would accept this level of information risk if it were under their name, and yet over half of them don’t see it as their problem. I think a case can be made that shadow IT continues to take an unacceptable toll on IT’s role in enabling and securing the business. Shifting to SaaS apps doesn’t relieve IT of their responsibility to secure the organization’s sensitive information (IP, customer data, financial information, regulated data, etc.), but when the business users can go around IT with a credit card it becomes a difficult battle.
So will the pendulum swing the other way? Perhaps one organization at a time, at least initially. My guess is that most people will agree that it’s going to take a breach that’s painful enough to have a serious conversation.
With that in mind, there’s another interesting survey finding that caught my eye. Over 70% of respondents perceive that their cloud service providers do not have the correct security policies in place. A decent vote of no confidence. And with the current cadence of breaches that continue to occur, it might actually be an accurate perception.
It’s worth pointing out a couple of areas where I believe IT has plenty of clout and undisputed accountability. One key focus is having a first-rate BYOD policy. While it’s true that the user’s personal device is indeed personal, there still needs to be a clear and up-to-date policy on the code of conduct for both employees and contractors. In today’s world of consumerization, if you have a BYOD policy, there’s a good chance that your organization’s current mobile culture doesn’t match it. It needs to be realistic so it can be followed.
The other IT activity that is sure to become more common and naturally lead to cloud security and risk discussions is software asset management. Or, to be more accurate, SaaS asset management. Even though SaaS offerings are purpose-built, their pervasiveness virtually guarantees overlap and waste. And even though it’s the business driving SaaS enrollment and consumption, I’m sure that waste and overlap have already reached levels where SaaS sprawl will need to be managed. And aside from the typical discussions around unused licenses or duplication of services, this is the perfect time for the security and risk discussion to be part of the vetting process.
If you haven’t already done so, I propose taking a closer look at your digital business risk with an eye to confidentiality, integrity and availability. Years ago the National Institute of Standards and Technology (NIST) published a methodology for assessing risk. While you can’t control all that your users consume in the cloud, you can analyze your risks, formalize a policy and practice, and manage against it. Remember, the objective is not to be a barrier to cloud adoption, but rather an enabler. It’s also worth getting a refresher on the latest identity and access management solutions from NetIQ. They’ve been updated to meet today’s cloud-based needs in very competitive fashion.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.