Cloud Survey Finds Organizations Lack Acceptable Use Policies


Printer-friendly version Email this CRN article

Cloud adoption is growing steadily, but a new survey found that many organizations lack acceptable use policies and those that do have guidelines often don’t have the means to enforce them.

A survey of 212 IT professionals and security practitioners found that about half of companies had an acceptable cloud usage policy today, but only 16 percent had a policy that is being fully enforced. Most organizations are either partially enforcing their policies or not enforcing them at all, according to the "The Cloud Adoption Practices & Priorities Survey Report" (.PDF) conducted by the Cloud Security Alliance, a nonprofit organization that promotes cloud security best practices.

In addition, the survey, sponsored by cloud security vendor Skyhigh Networks, found that organizations often lack a governance committee but a growing number are creating one. Line-of-business units are often not engaged in a discussion, creating a gap in how business units use cloud services and exactly which services are critical to overall success, said Jim Reavis, co-founder and CEO of the Cloud Security Alliance. The gap is shrinking as more corporate boards become increasingly aware of security threats and the need for stronger data protection, Reavis said.

[Related: Survey: Security Chiefs Expect Boost In Cloud Security Spending]

“Adoption is really growing and concerns are beginning to get pushed up to C-level executives,” Reavis said. “They are getting engaged and getting their organizations to be more responsible when it comes to what is being used and how data is being protected.”

About 80 percent of those surveyed indicated that end users are requesting the use of more cloud applications. The most popular category was cloud-based file sharing and collaboration tools followed by Web-based communication and social media applications.

Reavis told CRN that the survey found greater cloud provider adoption than he had expected. The survey found that 86 percent of companies are spending at least part of their IT budgets on cloud services. Company size is a major factor in cloud adoption, the Cloud Security Alliance found. Nearly half of companies with fewer than 5,000 employees spent more than one-fifth of their IT budget on cloud services while 36 percent of organizations with more than 5,000 employees spend more than one-fifth of their IT budget on cloud services.

“We know that in the last year big companies are telling us the cloud is important to them, but their spend has been a tiny fraction of their budget,” Reavis said. “We’re finally starting to see organizations starting to differentiate between trusted providers to increase spend.”

Cloud security projects were the leading IT projects in 2014. Globally 75 percent of companies indicated that cloud security projects were important or very important. Intrusion prevention came next followed by firewall, exploit detection and mobile device management.

IT professionals also indicated that the top security issues facing their organizations were malware, followed by advanced persistent threats, compromised accounts and insider threats. Seventeen percent of those surveyed indicated they had seen an insider threat incident in the past 12 months.

The security of data in the cloud is now an executive- or board-level concern for 61 percent of those surveyed and, according to solution providers, that may be complicating some deals. Employee mistakes and human fallibility also increase risks. A study last week conducted by Skyhigh Networks' competitor Netskope highlighted increasing anxiety over stolen cloud account credentials. Netskope's analysis of its customer base found "15 percent of users have had their credentials compromised in a prior data exposure, and many of those users reuse passwords even to log into apps that contain business-sensitive information."

High-profile data breaches and a misunderstanding of cloud services and products have fueled anxiety about cloud investments, according to a study conducted by Arizona State University in October.  Solution providers tell CRN that there has been a cloud adoption pullback over the last year. Some projects have stalled while executives heavily scrutinize security, privacy and data protection before moving forward with cloud services or SaaS-based application investments. Some executives worry about losing control over core intellectual property and meeting compliance mandates, but solution providers say there is room to have a discussion about options to ease those fears. Organizations had an average of 613 cloud applications in use in their environment, according to the Netskope data.

At Tech10 Networks, the discussion is about the major pain points associated with application delivery and data security and not necessarily about cloud, said Matthew Lawson, professional services director and head of the security practice at Dallas-based Tech10 Networks. Lawson said his approach is to take the word “cloud” out of the vernacular and instead talk about evaluating “decentralized computing” options.

“You can talk about hybrid, private or on-premises use cases and make sure that the client knows that there is flexibility to address their overarching concerns,” Lawson said. “We start at the top with centralized management and then have a discussion about the distributed components.”

PUBLISHED JAN. 12, 2015

Printer-friendly version Email this CRN article