Is your enterprise in control of its cloud deployments?
The answer might seem obvious. Of course the enterprise is in control of its adopted cloud applications—the enterprise is the one that adopted them, after all!
That’s the wrong answer. The enterprise may have formerly adopted some of its clouds, but nothing close to all of its clouds, as CipherCloud research shows. In a 2014 cloud adoption and security risk study, we discovered that a shocking 86% of cloud applications in use at the large enterprises we surveyed are unsanctioned.
Unsanctioned means that IT has not approved of the use of the applications and in many cases is not even aware of their existence (though the IT department is itself guilty of plenty of shadow IT violations itself). If IT is unaware of the applications in use in the enterprise, IT has no visibility into the applications and no control over what data goes into them, how that data is used, or with whom that data is shared—a recipe for compliance violations and data breach disaster. And no matter what your industry or vertical, even if you’re in a heavily regulated and privacy-conscious field like health care or financial services, your organization is almost guaranteed to have at least some kind of shadow IT in use. That means that you are not in control of your enterprise clouds.
Taking control of your enterprise clouds means first and foremost discovering your enterprise clouds. Tools now exist to detect shadow IT applications being accessed on the corporate network. This discovery step is critical to turning a shadow IT problem into a cloud enablement solution.
Once you’ve discovered which shadow IT applications your employees have adopted, you must make further steps to understand the risks each application creates. CipherCloud’s Risk Intelligence Lab has analyzed, and continues to analyze, tens of thousands of cloud applications from all over the globe. The risk scores thus compiled in the CloudSource knowledge base are evaluated based on a wide range of factors, ranging from security tool such as data encryption at rest and multi-factor authentication all the way to compliance certifications, including EU Safe Harbor, PCI, and HIPAA. At this point, you should also make note of the types of data employees are likely to be uploading into the clouds you’ve discovered: some are no doubt being used to handle more sensitive data than others.
Your assessment of your organization’s shadow IT clouds doesn’t stop at the risks, however. In order to fully understand what you must do to truly take control of your enterprise clouds, you must understand the rewards of shadow IT. What do these applications give your employees that your IT-sanctioned enterprise equivalents do not? And what secure and enterprise-grade solutions could your organization adopt that would provide those rewards without incurring shadow IT’s risks?
With the understanding you gain from closely evaluating the shadow IT applications you discover in your enterprise, you’ll be able to formulate a strategy for secure cloud enablement that will keep your business in compliance, your corporate and customer data safe, and your employees satisfied and no longer tempted by the lure of shadow IT.
Ready to learn more about just how much risk the average enterprise has taken on through uncontrolled shadow IT? Download CipherCloud’s “Cloud Adoption and Risk Report: 2014 North American and European Trends” and take a look at our comprehensive Shadow IT Management Guide.