Shadow IT, cloud app security causing major headaches

There are more opportunities for companies to take advantage of Software-as-a-Service (SaaS) than ever before. But while companies may appreciate these tools, many don’t have a good understanding of the challenges they pose, according to recent research.

Forrester Research in conjunction with Adallom recently polled IT pros on the state of SaaS in the workplace. The findings show that when it comes to cloud software, many IT pros don’t really have a handle on the security measures in place.

A big part of the security confusion comes down to contracts. When asked how well they understood which security responsibilities belong to their organization and which to the cloud provider, IT pros responded that they:

  • completely understood division of responsibility (24%)
  • understood most of the responsibility (47%)
  • had some understanding (24%), and
  • had limited or no understanding of division of responsibility (6%).

Overall, that’s not too shabby: the first two groups add up to 71% of respondents who think they have a handle on how security responsibilities are split with their SaaS providers.

But when you narrow it down to the specifics, the picture is a bit cloudier.

SaaS contract confusion

In addition, respondents seemed to think that cloud providers are less than forthcoming with important security details. According to the poll:

  • 46% said cloud providers made unrealistic or overstated security claims
  • 45% agreed that it’s hard to differentiate between the boundaries of on-site security concerns and those of the SaaS provider
  • 44% found liability limits hard to understand, and
  • 24% said that contracts were unclear.

So while 71% say they understand the division of responsibility overall, on the individual aspects of cloud security there’s a lot less certainty.

It’s not always driven by IT

Maybe part of the reason IT seems less than enthused about SaaS developments is that in many cases it isn’t their department making the decisions. Shadow IT is still a major issue, with 43% of respondents agreeing that “it’s here to stay and can’t be ignored.” Another 10% said they wanted shadow IT blocked wherever possible.

Very few seem to view things differently:

  • only 5% said they thought it provided better security than an organization could on its own, and
  • another 5% said it was going to be a passing fad that shouldn’t be worried about.

Taking control of SaaS security

The last thing you need is to find out that security measures you thought were a vendor’s responsibilities have fallen through the cracks. Examining contracts carefully is a must, but you’ll also want to take these steps to protect yourself with cloud applications:

  • Get a firm count. While most IT groups estimate they have somewhere between 40 and 50 cloud applications, a Netskope study shows the average number is actually closer to 461 cloud apps. Ask department heads how many applications they use and which ones, but also check web proxy or DNS logs: the gap between 40-50 and 461 is the gap between what people report and what the network actually sees.
  • Retain control of security. While it seems logical that cloud providers should take responsibility in case of a data breach, that’s rarely the case. Expect the provider to treat the security of your data as your responsibility even when that data lives in their cloud, and expect the contract clauses that say so to stay in unless you negotiate them out.
  • Identify security gaps. Don’t make assumptions about what will or will not be covered by contracts. Go through each one line by line to find the gray area of things you thought were covered that may not actually be.
  • Realize old security methods might not cut it. In the Adallom survey, 92% of companies said they felt they had adequate protections in place for SaaS, but cited VPNs, antivirus and firewalls as evidence. Those are perimeter controls: they protect the network you own, while SaaS data sits on the provider’s infrastructure and is reached from any browser, so they say little about who can get at it there.
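As an added example of the "get a firm count" step (this is illustrative code, not from the article or from Forrester, Adallom or Netskope), the script below tallies which cloud apps appear in web proxy logs and which users reach them, then flags everything not on a sanctioned list. It assumes a simple Squid-style line format (`timestamp user method url status`), a constructed handful of log lines, and a hypothetical sanctioned-app list; real logs and lists will differ.

```python
"""Tally cloud apps actually in use from web proxy log lines (illustrative example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in an assumed Squid-like format:
# "<timestamp> <user> <method> <url-or-host:port> <status>". Not real traffic.
SAMPLE_LOG = """\
1415000001.123 alice GET https://app.box.com/api/2.0/files/123 200
1415000002.456 bob GET https://www.dropbox.com/home 200
1415000003.789 alice POST https://api.dropbox.com/1/files_put/auto/report.xlsx 200
1415000004.012 carol GET https://mail.google.com/mail/u/0/ 200
1415000005.345 dave GET https://login.salesforce.com/ 200
1415000006.678 bob GET https://drive.google.com/drive/my-drive 200
1415000007.901 erin GET https://evernote.com/Home.action 200
1415000008.234 carol GET https://intranet.example.com/wiki 200
1415000009.567 frank CONNECT app.box.com:443 200
"""

# Apps IT has formally approved (hypothetical list for the example).
SANCTIONED = {"box.com", "google.com"}

# Internal domains to ignore entirely (hypothetical).
INTERNAL_SUFFIXES = (".example.com",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)


def registrable_domain(host):
    """Collapse a hostname to its last two labels (api.dropbox.com -> dropbox.com).

    Good enough for this example; production code should use a public-suffix
    list so that a host like foo.co.uk is not collapsed to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_from_target(target):
    """Extract the hostname from either a full URL or a CONNECT host:port."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def tally_apps(log_text):
    """Return {registrable_domain: set_of_users} for every external host seen."""
    apps = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = host_from_target(m.group("target"))
        if not host or host.endswith(INTERNAL_SUFFIXES):
            continue  # internal traffic is not a cloud app
        apps[registrable_domain(host)].add(m.group("user"))
    return dict(apps)


def unsanctioned_apps(apps, sanctioned=SANCTIONED):
    """Filter the tally down to apps that are not on the approved list."""
    return {d: users for d, users in apps.items() if d not in sanctioned}


def report(log_text):
    """Print the shadow-IT picture and return (all_apps, unsanctioned) for callers."""
    apps = tally_apps(log_text)
    shadow = unsanctioned_apps(apps)
    print(f"{len(apps)} distinct cloud apps observed, {len(shadow)} not sanctioned")
    for domain, users in sorted(shadow.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        print(f"  {domain:<20} {len(users)} user(s): {', '.join(sorted(users))}")
    return apps, shadow


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a real proxy export, the counts are what you bring to department heads: the list of domains nobody put on a purchase order is the shadow IT, and the per-domain user sets show whether it is one person experimenting or a whole team already depending on an app IT has never reviewed.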