Failing to have controls in place to keep users from sending sensitive data to the Cloud.
One key to using cloud services securely is to be diligent about what data ends up on a third party’s server. Many companies plan their cloud computing strategies so they can keep the most sensitive and critical data in-house and out of the Cloud.
However, most organizations fail to keep a close watch on what data users move to cloud storage services on their own, according to a recent survey from Varonis, a maker of data governance software.
At the businesses that use cloud storage, nearly half (46%) of IT pros don’t know how access to those services is granted. Just 9% of respondents said they’ve created new authorization and review processes for granting access to cloud storage, while others are still developing their processes or currently have only an informal, ad hoc process.
Also, among companies that use cloud storage services to let employees share files, just 39% set up corporate accounts for those users — meaning the others may be allowing employees to use those services without any way to control what they do or what data they share.
Among the 400 IT pros surveyed:
- 74% said their organizations don’t have procedures to track which files are put into cloud storage by users
- 56% believe IT can’t accurately measure employee use of cloud storage services, and
- 49% said senior management doesn’t know where all the organization’s data resides, including data on internal systems and on external services.
That’s despite the fact that the organizations in the survey understand the security risks of cloud storage. In fact, 35% of respondents said third-party storage is less secure than their own internal storage. That’s compared to 11% who said data is more secure in the Cloud, and 27% who said the level of security is the same.
But the risks of a haphazard approach to the Cloud extend beyond security. Giving users and department managers the freedom to sign up for cloud services on their own can lead to so-called “cloud sprawl,” in which the company is paying for too many services. It could also let them mistakenly agree to cloud contract terms that are unfavorable for the company.
To avoid that, companies should develop a formal process for signing up for cloud services, create policies regarding what data can be sent to the cloud, and monitor accordingly.
Also, IT should keep users from setting up their own public cloud storage, using services such as Google Drive and Dropbox, without the proper security controls in place. To prevent that impromptu cloud provisioning, Varonis recommends companies give users access to secure cloud storage and collaboration services.