Businesses Unsure How to Protect Cloud Data: Survey

Results show a sharp increase in the percentage of businesses with limited knowledge of which systems employees access.

The cloud is still "akin to the Wild West" when it comes to the security of the data hosted there, Courion's first annual 2010 Access Assurance Survey concluded. The survey found one in seven companies admit that they know there are potential access violations in their cloud applications, but they don't know how to find them.

The survey also found that there is widespread confusion about who is responsible for securing cloud data, with 78.4 percent of respondents unable to identify the single party responsible. "As enterprises increasingly leverage cloud solutions amid this confusion, more data is at risk of unauthorized access," the report noted.

Conducted in October 2010, the global survey of 384 business managers from large enterprises-86 percent of which had at least 1,000 employees-revealed that cloud adoption may be outpacing commensurate security controls. In addition, the lack of knowledge about which systems or applications employees have access to is actually increasing, up nearly 10 percent from last year's figures.

"This indicates an alarming growth in the lack of control enterprises have over user access, which is only exacerbated by the use of cloud solutions," the report said.

Nearly half (48.1 percent) of respondents said they are not confident that a compliance audit of their cloud-based applications would show that all user access is appropriate. An additional 15.7 percent admitted they are aware that potential access violations exist, but they don't know how to find them. More than three quarters of respondents cannot say who they believe should be responsible for data housed in a cloud environment.

While 65.4 percent said that the company from which the data originates, the application provider and the cloud service provider are all responsible, another 13 percent said they are not sure. There is no consensus on what the single party should be that protects that data. Sixty-one percent of respondents said they have limited or no knowledge of which systems or applications employees have access to. This number spiked from 52.8 percent in 2009, suggesting an increasing risk of "zombie" accounts-accounts that remain active after employees have left the company or changed roles-which can lead to data breaches.

Enterprises are less confident this year than in 2009 that they can prevent terminated employees from accessing one or more IT systems, with 64.3 percent of respondents saying they are not completely confident, compared with 57.9 percent last year. There was a slight increase in the percentage of companies that were more concerned with external IT security threats than internal ones, with 56.5 percent of respondents saying that external threats are still the biggest concern, compared with 54 percent last year.

"These results show that many organizations are not currently doing the proper due diligence to ensure that sensitive data is being accessed by the right employees on-premise, not to mention when data is housed by a third party provider," the report concluded. "The responses indicate that the problem is getting worse, and is only being exacerbated by the increasing use of cloud-based applications, which creates more access violation risk."