Results show a sharp increase in the percentage of businesses with limited knowledge of which systems employees access.
The cloud is still "akin to the Wild West" when it comes to the
security of the data hosted there, Courion's first annual 2010 Access Assurance
Survey concluded. The survey found one in seven companies admit that they know
there are potential access violations in their cloud applications, but they don't
know how to find them.
The survey also found that there is widespread confusion about who is
responsible for securing cloud data, with 78.4 percent of respondents unable to
identify the single party responsible. "As enterprises increasingly
leverage cloud solutions amid this confusion, more data is at risk of
unauthorized access," the report noted.
Conducted in October 2010, the global survey of 384 business managers from
large enterprises-86 percent of which had at least 1,000 employees-revealed
that cloud adoption may be outpacing commensurate security controls. In
addition, the lack of knowledge about which systems or applications employees
have access to is actually increasing, up nearly 10 percent from last year's
"This indicates an alarming growth in the lack of control enterprises
have over user access, which is only exacerbated by the use of cloud solutions,"
the report said.
Nearly half (48.1 percent) of respondents said they are not confident that a
compliance audit of their cloud-based applications would show that all user
access is appropriate. An additional 15.7 percent admitted they are aware that
potential access violations exist, but they don't know how to find them. More
than three quarters of respondents cannot say who they believe should be
responsible for data housed in a cloud environment.
While 65.4 percent said that the company from which the data originates, the
application provider and the cloud service provider are all responsible,
another 13 percent said they are not sure. There is no consensus on what the
single party should be that protects that data. Sixty-one percent of
respondents said they have limited or no knowledge of which systems or
applications employees have access to. This number spiked from 52.8 percent in
2009, suggesting an increasing risk of "zombie" accounts-accounts
that remain active after employees have left the company or changed roles-which
can lead to data breaches.
Enterprises are less confident this year than in 2009 that they can prevent
terminated employees from accessing one or more IT systems, with 64.3 percent
of respondents saying they are not completely confident, compared with 57.9
percent last year. There was a slight increase in the percentage of companies that
were more concerned with external IT security threats than internal ones, with
56.5 percent of respondents saying that external threats are still the biggest
concern, compared with 54 percent last year.
"These results show that many organizations are not currently doing the
proper due diligence to ensure that sensitive data is being accessed by the
right employees on-premise, not to mention when data is housed by a third party
provider," the report concluded. "The responses indicate that the
problem is getting worse, and is only being exacerbated by the increasing use
of cloud-based applications, which creates more access violation risk."