The security of data in the cloud is a top executive-level concern, according to the “Cloud Adoption, Practices and Priorities Survey Report,” which was released by the Cloud Security Alliance (CSA) on Friday.
More than 200 individuals in 17 different countries were surveyed – most of whom are in the Americas and work in IT, IT security, and compliance and audit roles. The majority of respondents work for organizations – many with between one and 5,000 employees – in the high tech, financial services, telecommunications, entertainment, government, healthcare and manufacturing industries.
Overall, 61 percent of respondents said that the security of data residing on the cloud is an executive or board-level concern, according to the report. In the Asia-Pacific region, 82 percent of respondents said it is a concern, compared to 54 percent in the Americas.
“The big takeaway is that cybersecurity has moved beyond the IT department to the executive team and board of directors,” Cameron Coles, senior manager at Skyhigh and coauthor of the report, told SCMagazine.com in a Monday email correspondence.
It shows too – the report indicates that cloud security is the top IT project for organizations in 2014, with nearly 75 percent of respondents saying it was important or very important. 74 percent said intrusion prevention systems were important or very important, and 67 percent said the same of firewalls and proxies.
When asked what best describes their company's attitude toward cloud services, 33 percent of overall respondents said “full steam ahead,” whereas 41 percent said “moving with caution,” 15 percent said they are in the “early stages of investigation,” and 11 percent said it is “not a priority.”
“One of the most surprising findings is that companies that are best positioned to adopt the cloud securely – because they have more mature governance programs – paradoxically are slower to adopt the cloud,” Coles said.
There are several challenges holding back cloud adoption – 73 percent of respondents said they are concerned about the security of data, 38 percent are concerned about loss of control over IT services and about regulatory compliance, and 30 percent are concerned about compromised accounts or insider threats.
“A company's acceptable use policy can specify cloud services not permitted at work for productivity reasons (such as social media), but they also are meant to protect sensitive corporate data,” Coles said.
Half of respondents said their company has a policy on acceptable cloud usage, with only 16 percent saying that it is fully enforced. Of the 50 percent who said their organization has no policy, only 27 percent said the company plans to create one. Furthermore, 21 percent of respondents said their company has a cloud governance committee.
The idea of Shadow IT is also explored, and is defined in the report as “technology spending and implementation that occurs outside the IT department, including apps adopted by individual employees, teams, and business units.”
Altogether, only eight percent of respondents said they know the number of Shadow IT apps in use at their company, and 20 percent said they do not know and do not care. Nearly 50 percent of respondents said their primary concern regarding Shadow IT is the security of corporate data in the cloud.
Coles said that many companies are already – and possibly unknowingly – using hundreds of cloud services, and that employees rely on those services to do their jobs. He added that blocking cloud services would put the company at a competitive disadvantage.
“The best approach is to understand what cloud services your employees are using, the drivers behind that usage, and then put in place policies that encourage the safe use of cloud services,” Coles said. According to the report, 22 percent of organizations have a cloud security awareness training program.