Many IT organizations are not fully aware of which cloud applications are in use across the enterprise, making it difficult for enterprises to monitor and control user access to mission-critical applications and data, according to a survey of 400 IT and business at British and American companies with at least 5,000 employees.
The report, conducted by research firm Loudhouse on behalf of identity management solutions provider SailPoint, found enterprises are running one-third of their mission-critical applications in the cloud today and expect to have half of all critical applications running in the cloud by 2015. While business users have gained more autonomy to deploy cloud applications without IT involvement, they do not feel responsible for managing access control. The survey found 70 percent of business leaders believe that IT is ultimately responsible for managing user access to cloud applications.
"As organizations adopt cloud applications, they are very likely to increase their risk exposure by putting sensitive data in the cloud without adequate controls or security processes in place," SailPoint's vice president and general manager of the cloud business unit, Jackie Gilbert, said in a statement. "And this year's survey illustrates how 'at risk' companies already are."
Companies lack visibility on data in the cloud and also who can access that data, she added.
"It's imperative that companies put in place the right monitoring and controls to mitigate these growing risks," said Gilbert.
Just 34 percent of companies bring IT staff into the vendor selection and planning process when a cloud application is procured without using an IT budget, and more than 14 percent of business leaders said they have no way of knowing if sensitive data is stored in the cloud at all, suggesting a lack of visibility and control that could greatly increase an organization's risk of security breaches or exposure to insider threats.
The rise in bring-your-own-device (BYOD) initiatives is also resulting in cloud-based security challenges, as the same mobile devices are being used to access corporate applications in more than 95 percent of cases. Security concerns are heightened when around half of the business leaders surveyed say they frequently use the same password for personal Web applications as they do for sensitive work applications. Less than a third of companies are fully locked down when it comes to application usage at work, meaning these activities frequently take place outside the purview of IT.
"For the third year in a row, our Market Pulse Survey shows that the majority of large companies remain very concerned about security breaches and their ability to meet regulatory compliance requirements," Kevin Cunningham, president of SailPoint, said in a statement. "This is due in part to the ever-changing IT landscape that makes existing identity-management issues even larger."
The consumerization of IT has placed companies in a difficult spot, Cunningham added.
"They want to provide business users the convenience and flexibility promised by cloud and mobile devices, but they must also make sure controls are in place to monitor and manage who has access to what," he said.