And what the CIO can do to wrestle it back
IT departments have lost track of the cloud computing applications being used within their organisations, undermining their ability to guarantee the security of their technology infrastructure, a survey has found.
Cloud computing - which allows data to be stored and processed using an internet platform rather than on an organisation's own infrastructure - holds out the promise of cheaper and more efficient corporate IT.
Because cloud-based applications don't require buying hardware or complex integration, it is easy for individuals or departments within an organisation to use them without alerting the IT department. However, as a result, the IT department may be unable to do the due diligence around security - such as ensuring data protection standards are in place - that would usually take place around what is a fast-developing area of technology.
As a result, half of CIOs, CTOs and CFOs and other execs are not confident that their organisation is aware of all the cloud computing in use, according to a survey by researchers the Ponemon Institute. European execs were slightly more confident in their knowledge of the cloud applications being used inside their organisation than execs in the US, even though the US respondents were more likely to be using cloud for vital business applications.
The researchers said the findings suggest the consumerisation of IT "creates a void in the organisation's ability to evaluate cloud computing security".
The report added that users of cloud-based services could be putting their organisations "in peril" as a consequence of insecure applications.
"Cloud computing deployment decisions are frequently made by end-users who may not have the knowledge or expertise to properly evaluate security risks," it warned.
The report said CIOs should take an inventory of all the cloud computing services in use across their organisation, and assess the security risks they may pose. They should then decide whether to stop using them or beef up the security around them, according to the report.
The next step for IT chiefs is to put in place a policy that lets IT security professionals evaluate the security implications of all cloud applications, with priority given to essential applications which are being moved to the cloud.
Issues that organisations should consider before migrating applications to the cloud include ensuring access rights - especially for privileged users - are managed correctly, and to make sure they take steps to locate sensitive information after it has been deployed to the cloud.
Organisations should also set polices to make sure key applications and sensitive data deemed too risky to be in the cloud are kept on-premises, and vet providers before deploying their services and educate end users on the risks of cloud computing.
"While on-premise computing is not without its inherent security risks, cloud computing poses new threats and challenges that need to be seriously considered before adoption," the report warned.
The report was sponsored by CA Technologies - the rebranded software company previously known as CA.