Do you know if "shadow IT" cloud services present a problem to your company?


Does your organization have a shadow IT problem? Would you even know if you did? According to the Cloud Security Alliance (CSA), 72% of respondents to its 2014 Cloud Adoption Practices and Priorities survey admitted they did not know the scope of shadow IT in their computing environments.

CSA defines shadow IT as “technology spending and implementation that occurs outside the IT department, including cloud apps adopted by individual employees, teams, and business units.” Nearly half of the survey respondents (49%) say their primary concern about shadow IT is the security of corporate data in the cloud.

Their concerns are legitimate according to Skyhigh Networks Cloud Adoption and Risk Report – Q3 2014. Skyhigh combed through usage data from more than 13 million users at over 350 companies worldwide. The data represents all major vertical market segments and industries. The first thing that jumps out in this report is the average number of cloud services in use by a company: 831, up from "just" 738 the previous quarter.

That's certainly a large number of cloud services for any organization. According to Skyhigh, some of those services are sanctioned, and even promoted, by the company's IT department, but most are not, and this is where shadow IT comes in. Many companies don't even know which services their employees are using, which raises concerns not only about data security but also about potential compliance violations, conflicts with company policy, and redundant services that create inefficiencies.

Skyhigh Networks operates a CloudTrust Program that scores each cloud service against a broad list of attributes to estimate how risky using that service might be. The attributes include data sharing, encryption of data in transit, multi-factor authentication, user activity logging, terms of use, privacy policy, and many other factors. Skyhigh's research found that fewer than 10% of all cloud services met the stringent requirements that most enterprise organizations value when it comes to risk avoidance. That means more than 90% of the cloud services in use can put organizations at risk in one way or another.

For example, only 2.9% of services enforce strong password policies, and only 1% encrypt data with customer-controlled keys. On the positive side, 78.1% of services encrypt data in transit and 10.1% encrypt data at rest in the cloud. With the service provider still holding the keys, at-rest encryption protects against lost or resold storage media rather than against a compromised or compelled provider, but at least these services are making an effort to protect the customer's data.

Some cloud service providers hold audit attestations such as SAS 70, SSAE 16, or ISAE 3402 (21.2%) or commission third-party penetration testing of their service (39.5%). Note that the audit reports attest to the controls a provider describes, not to the absence of vulnerabilities, which is why a penetration test is a separate check. Either way, there's still a long way to go until all cloud services adopt these basic forms of security validation that enterprise organizations want.

According to Skyhigh, the average company uses 37 different file sharing services, including a mix of enterprise-ready services and high-risk services. Companies use an average of 125 collaboration services. Whether all these services represent a risk to the company or not, the problem is that data is being dispersed in so many services that the company will not know where its data resides in order to adequately protect and account for it.

Many companies attempt to block access to cloud services that don't meet their acceptable use policy. Skyhigh points out, however, that there's a vast discrepancy between the intended block rate and the actual block rate, which it calls the "cloud enforcement gap." The gap arises when a cloud service introduces new URLs or domains that the block list doesn't cover, when access policies aren't applied consistently across every gateway in the enterprise, or when certain groups are granted exceptions to reach particular services. This cloud enforcement gap is, you guessed it, shadow IT.
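The three causes of the enforcement gap can be measured directly from web-proxy logs. The script below is an added example, not code from Skyhigh or from this column: it takes a hypothetical block policy (the domains the policy author knew about when the rule was written), a hypothetical service registry (the domains the vendor actually uses, including ones added later), a constructed proxy log in a simple space-separated format, and a list of users with exceptions, then reports the intended versus actual block rate per service and classifies each request that slipped through as an unlisted domain, a user exception, or a gateway that isn't enforcing the policy. All service names, domains, and log lines are invented for the example.

```python
"""Measure the "cloud enforcement gap" from web-proxy logs.

Added example, not from the Skyhigh report or the Network World column.
Assumptions: a block policy keyed by service name, a service registry
listing every domain a service uses, a user exception list, and a
constructed log in the format: timestamp gateway user action host path
"""
from collections import defaultdict

# Hypothetical policy: services the company intends to block, with only
# the domains the policy author knew about when the rule was written.
BLOCK_POLICY = {
    "example-share": {"example-share.test", "cdn.example-share.test"},
    "example-paste": {"example-paste.test"},
}

# Hypothetical service registry: every domain each service really uses,
# including domains the vendor added after the block list was written.
SERVICE_DOMAINS = {
    "example-share": {"example-share.test", "cdn.example-share.test",
                      "api.example-share-cdn.test"},
    "example-paste": {"example-paste.test", "example-paste-mirror.test"},
}

# Users granted an exception to the block policy (hypothetical).
EXCEPTIONS = {"bob"}

# Constructed proxy log lines (not real traffic).
SAMPLE_LOG = """\
2014-09-03T10:01:02Z gw-hq alice DENIED example-share.test /login
2014-09-03T10:01:05Z gw-hq alice ALLOWED api.example-share-cdn.test /put
2014-09-03T10:02:00Z gw-hq bob ALLOWED example-share.test /login
2014-09-03T10:02:30Z gw-branch erin ALLOWED cdn.example-share.test /file
2014-09-03T10:03:11Z gw-hq carol DENIED example-paste.test /new
2014-09-03T10:03:12Z gw-hq carol ALLOWED example-paste-mirror.test /new
2014-09-03T10:04:00Z gw-hq dave ALLOWED intranet.corp.test /home
"""


def matches(host, domains):
    """True if host equals or is a subdomain of any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def service_for(host):
    """Map a host to a registered cloud service, or None if unknown."""
    for service, domains in SERVICE_DOMAINS.items():
        if matches(host, domains):
            return service
    return None


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, gateway, user, action, host, path = line.split()
        records.append({"ts": ts, "gateway": gateway, "user": user,
                        "action": action, "host": host, "path": path})
    return records


def enforcement_gap(records, policy, exceptions):
    """Per blocked service: request count, blocked count, and leak reasons."""
    stats = defaultdict(lambda: {"requests": 0, "blocked": 0,
                                 "leaks": defaultdict(int)})
    for r in records:
        svc = service_for(r["host"])
        if svc not in policy:
            continue  # not a service the policy intends to block
        s = stats[svc]
        s["requests"] += 1
        if r["action"] == "DENIED":
            s["blocked"] += 1
            continue
        # The request got through despite the intent to block: classify why.
        if not matches(r["host"], policy[svc]):
            reason = "unlisted_domain"       # vendor domain the list never caught up with
        elif r["user"] in exceptions:
            reason = "user_exception"        # deliberate carve-out
        else:
            reason = "gateway_not_enforcing"  # listed domain, allowed anyway
        s["leaks"][reason] += 1
    return stats


def report(stats):
    """Render intended (100%) versus actual block rate per service."""
    lines = []
    for svc, s in sorted(stats.items()):
        actual = 100.0 * s["blocked"] / s["requests"]
        lines.append(f"{svc}: intended block rate 100%, actual {actual:.0f}% "
                     f"({s['blocked']}/{s['requests']})")
        for reason, n in sorted(s["leaks"].items()):
            lines.append(f"  {n} request(s) leaked via {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(enforcement_gap(parse_log(SAMPLE_LOG), BLOCK_POLICY, EXCEPTIONS)))
```

On the constructed log the sharing service shows a 25% actual block rate against a 100% intent, with one leak of each kind; the paste service shows 50%, leaking only through a mirror domain the block list never covered. The "gateway_not_enforcing" bucket is the one to chase first, because it means a listed domain was allowed by a gateway that should have denied it.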

According to the report: "Whether or not these services present risk to the organization and need to be blocked is not the issue; they illustrate that companies are not enforcing access policies as consistently as they think they are. These policies are meant to ensure a company meets its security and regulatory requirements. Our findings show organizations need to tighten enforcement of existing policies to meet these requirements."
