Most IT teams are aware of the issue of unsanctioned cloud use inside their company, but they may be significantly underestimating the extent of the problem.
IT leaders and information security practitioners in Europe reckon 10 percent of their firm's business-critical applications in the cloud are not visible to IT, together with 23 percent of the business data stored there, according to new research from Netskope and Ponemon.
Corresponding figures from an earlier identical study the two companies conducted in the US were worse, with business-critical app invisibility at 22.5 percent, and cloud data invisibility at 35 percent.
However, Sanjay Beri, CEO of cloud app analytics and policy firm Netskope, believes the true picture is more extreme, with the average medium- to large-sized business actually using between 300 and 400 cloud apps: "Companies right now are using cloud applications, 90 percent of which are not brought in by IT — Salesforce, Box and all the rest."
According to Beri, producing an inventory of cloud applications as well as figures on their use invariably throws up surprises.
"We often go into companies and ask them, 'Of these 400 cloud apps, which ones did you buy in IT?'. They give us a list of 10 and it always shocks them to find that the 10 they tell us about are in many cases not among the top 10 most-used," Beri said.
"So that just speaks to this notion that you can't just push something on your users. You have to involve them in the process."
Companies' first reaction to discovering the extent of their loss of control over cloud spending is often to look at the financial implications but the other and more telling concern — data security — immediately surfaces.
"Customers say, 'Hey, I just found 300 cloud apps I didn't know about. People are using them and — wait a minute — this one app is being used by 5,000 people and there's a lot of usage'," Beri said.
"So they call the [cloud] company up, which says, 'Yeah, you're using it'. The IT person says, 'No, I'm not' and they say, 'Well, you're paying us $1m a year'. This is a real case.
"We've gone into places and found that there's five or 10 instances of the same app because every group — APAC, Europe, US — they each buy their separate instance. Ten groups are buying the same app, each sub-optimally, each going to this company, signing up, not negotiating, not worrying about, 'Hey, do you meet the proper security standards, are you going to notify us if there's a breach?' None of this.
"So what worries IT is, one, 'Wait, we're spending a hell of a lot of money on a tool that we should be spending a lot less on if we negotiated a corporate agreement' and, two, 'We don't have the proper SLAs in place to protect the data'. All of that worries them."
Even where companies do have a handle on the cloud application in question, their insight into its use is often sketchy.
"One of our customers — 100,000-plus employees, a Fortune 100 company — they had a sanctioned cloud app. Their problem was, 'Wait a minute. We bought this app and people are using it but we don't know what kind of data they're actually storing in it and even if they are storing sensitive data, what are we doing about it?'," Beri said.
"They found confidential design docs, their IP, all stored up in this cloud storage provider, while that wasn't the purpose of the application. So even the ones they know about, they don't currently govern them or secure them or even have visibility into them."
Once a business has established an inventory of its cloud apps and patterns of usage, and analysed the risks represented by certain providers, it has to think about policies to control what employees use them for.
"An average company uses 30-plus cloud storage systems, and 40-plus marketing cloud apps. We look at all of them and say these ones actually have some basic security functionality and are not vulnerable, so you get that rating. Then you say, 'I want to know within those marketing apps, those engineering apps, what are people doing — uploading sensitive data, sharing with competitors?'. At that point they then set policies," Beri said.
"I always tell people don't set a policy like, 'When the guy goes to Box, don't allow him to upload intellectual property'. Every time someone tells me that, I say, 'Look, there are 19 other storage providers in your company. You're just talking about the one you bought'.
"The ones most at risk are the ones employees adopt. So when you get to policies, you need to make it simple. I'm a healthcare company. What do I want? 'Stop uploading healthcare information to unsanctioned cloud storage'. That's my policy."
Setting policies on how staff use cloud services and policing those activities require not only simplicity but also a light touch.
"You block the risky activities but you allow the person to use the app. When you block it, you don't just tell Scott, you actually coach him. You say, 'You've just attempted to upload sensitive content to an unsanctioned cloud app. Please don't do that. If you want to do that, do it this way'. So you're not being Draconian to your end user," Beri said.
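The policy shape Beri describes above (one data-centric rule applied across every storage provider discovery found, blocking the risky upload but leaving the app usable and coaching the user) as an added example; this is not Netskope's code, and the hostnames, the pipe-separated log format and the keyword classifiers are constructed stand-ins for a real inventory and DLP engine.

```python
import re
from dataclasses import dataclass
# Constructed inventory: the one storage app IT bought, plus two others discovery found.
SANCTIONED = {"box.com"}
CLOUD_STORAGE = {"box.com", "dropbox.com", "storage.example.net"}

# Keyword classifiers stand in for a real DLP engine (constructed, deliberately simple).
SENSITIVE = {
    "healthcare": re.compile(r"\b(patient|diagnosis|MRN)\b", re.I),
    "ip": re.compile(r"\b(confidential|design spec)\b", re.I),
}

@dataclass
class Event:
    user: str
    host: str
    action: str
    filename: str
    excerpt: str  # text the inspection engine saw inside the file

def parse_log(line: str) -> Event:
    # Constructed format: user|host|action|filename|excerpt
    return Event(*line.split("|", 4))

def evaluate(ev: Event) -> dict:
    """Decide one event: allow it, or block the upload and coach the user."""
    if ev.action != "upload" or ev.host not in CLOUD_STORAGE:
        return {"decision": "allow", "reason": "not a cloud-storage upload"}
    cats = [name for name, rx in SENSITIVE.items() if rx.search(ev.excerpt)]
    if not cats:
        return {"decision": "allow", "reason": "no sensitive content detected"}
    if ev.host in SANCTIONED:
        return {"decision": "allow", "reason": "sensitive data, sanctioned app", "categories": cats}
    return {
        "decision": "block",
        "categories": cats,
        "coach": (f"{ev.user}: you just attempted to upload {'/'.join(cats)} content to "
                  f"{ev.host}, which is not a sanctioned storage app. Use "
                  f"{', '.join(sorted(SANCTIONED))} instead."),
    }
# Constructed sample events, not real traffic.
LOG = [
    "alice|dropbox.com|upload|q3-report.pdf|revenue figures only, nothing regulated",
    "bob|storage.example.net|upload|export.csv|patient MRN 00042 diagnosis hypertension",
    "carol|box.com|upload|widget.docx|CONFIDENTIAL design spec for widget v2",
    "dave|dropbox.com|download|notes.txt|",
]
def run(lines):
    return [evaluate(parse_log(line)) for line in lines]
```

The same rule covers all three storage hosts, so the second event is blocked and coached while the identical content going to the sanctioned app is allowed (and could be logged for governance rather than blocked).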
Security spending still focuses on on-premise measures, he said. But it should really be following where the apps are.
"Two weeks before they quit, a sales person downloads an entire sales contacts list to the cloud to bring it with them. When a company goes beyond discovery of apps and finds what people are doing, they just find that their confidential data is ungoverned. It's just being stored in the cloud," he said.
"They have this big blind spot. They're pouring money into this on-premise stuff but the top-level big problem — there's nothing there. If I was a malicious person and I wanted to take data, I wouldn't use a USB stick. I'd save it on XYZ SaaS app. Then when I go, I retrieve it. It's not hard. That's such a big problem and it's not being monitored."
The Netskope-Ponemon study, Data breach: The cloud multiplier effect in European countries, was conducted among 1,059 IT and IT security practitioners in Europe who are familiar with their company's usage of cloud services.