There is a growing gap between actual business cloud practices and related IT policies that could expose businesses to an increased risk of security breaches, according to an October survey sponsored by cloud backup provider Symform. The survey found that while nearly 20 percent of businesses have no clear security policies or standards concerning employee or departmental use of "cloud," the majority do allow employees to use cloud services and access corporate data from cloud applications or connected devices.
This policy versus utilization gap is consistent for both the 61 percent of respondents who said their company is using the cloud, as well as the remainder who reported not officially leveraging cloud services to-date. The survey queried nearly 500 companies across a wide range of industries and organizational size, with 18 percent representing enterprises, 34 percent from small and midsize organizations, and 48 percent representing IT service providers or small businesses. Respondents were asked about current cloud use, cloud security concerns and benefits, security policies, and employee use of cloud services, applications and devices.
"This research validates how cloud applications and services are being purchased and managed increasingly by non-IT departments, and illustrates the need for IT to reclaim control from a policy and governance standpoint while still enabling the business to benefit from the cloud's agility and cost-effectiveness," Margaret Dawson, Symform vice president of product management, said in a statement. "I always advise IT leaders to be the centralized source of all IT policy, vendor criteria, compliance management and the definition of "trust" for their organizations. Cloud usage is inevitable, but loss of control is not."
Survey results indicated that for many businesses, data growth is outpacing cloud adoption. Coupled with the rise of bring-your-own-device (BYOD) initiatives and the consumerization of IT, the survey suggested many businesses are slow to acknowledge cloud adoption within their organization. As a result, these companies are unable to determine the proper IT security and policies to govern this cloud usage. According to the report, of the 39 percent who said they are not using cloud, 65 percent said they still allow employees or teams to use cloud services, and 35 percent said they allow employees to put company data in cloud applications.
The No. 1 stated concern and key criteria for IT managers with the cloud was access controls; other top security criteria included auditing and tracking, securing data both in motion and at rest, vulnerability management and maintaining strong security service-level agreements (SLAs). The most trusted sources were Microsoft, Amazon, Apple, IBM and other IT vendors, with Microsoft and Amazon receiving an equal 46 percent vote as the top trusted sources on cloud security.
Despite the gap between cloud use and corresponding security policies, the survey found 50 percent of respondents believe even sensitive data can be secured in the cloud, suggesting secure cloud backup is gaining credibility as a safe place to store or use data. However, credit card information was a huge exception, with 70 percent saying they would not put credit card data in the cloud.
"This aligns with the belief that the highest perceived benefit of the cloud is data protection. For those using the cloud, nearly 50 percent stated secure cloud storage services allow them to spend less time managing data protection and on IT security overall," the report noted. "For those not in the cloud, over 50 percent believe that better data protection would be the top benefit gained by moving services to the cloud."