Half of all cloud services outside of IT departments, but IT is getting wiser

A new study from the esteemed Ponemon Institute says we still aren't doing nearly enough to protect enterprises in the cloud.

For starters, the survey of 3,476 IT and IT security practitioners, commissioned by Gemalto, a digital security vendor, finds that half of all cloud services and corporate data stored in cloud are not controlled by IT departments. So, there's a lot of cloud activity among business units that's potentially not vetted or governed.

However, IT departments are getting a better handle on things, the survey also shows. Fifty-four percent of respondents are "confident" that the IT organization knows all cloud computing applications, platform or infrastructure services in use - a nine percent increase from a similar survey from 2014.

The survey doesn't spell out how and why IT is getting a better grip on shadow cloud adoption. It may be assumed that there are more policies in place and greater communication and collaboration on best practices. IT may be getting more active in its evolving role as cloud broker or service provider to the enterprise, providing catalogs or directories of vetted services available to business users.

Still, cloud adds a whole dimension to security and governance. Seventy-three percent agree that management of privacy and data protection regulations is more complex in the cloud than on-premises. But only 43 percent report they have defined roles and accountability for safeguarding sensitive information in the cloud. The good news is that this is up from 37 percent two years ago, but it's obvious there's still a lot of work ahead.

When asked about the main issues with cloud security, 70 percent report that "it is more difficult to apply conventional information security in the cloud computing environment" than it has to their traditional on-premises systems. Another 70 percent report "it is more difficult to inspect cloud provider for security compliance directly." A majority, 53 percent, also cite difficulties managing end-user access to sensitive data in the cloud -- up from 48 percent in the previous survey.

The bottom line is that the onus for security is on the cloud end-user -- it's something that cannot be outsourced away. Survey respondents are evenly split on the question of who is ultimately responsible, with 36 percent saying the end-user is responsible, and 33 percent saying it's up to the cloud provider to assure security, Another 31 percent say it's a shared responsibility.

Still, more enterprises are holding cloud vendors' feet to the fire -- the survey shows a significant increase in the use of contractual negotiation and legal reviews to evaluate cloud providers, from 51 percent of respondents in the previous study to 62 percent of respondents today.

The Ponemon report's authors offer the following advice for getting a better handle around cloud security:

• Involve IT security in vetting and evaluating its security practices.
• Increase visibility into the use of cloud applications,platforms and infrastructure to reduce the Shadow IT risk.
• Protect data at risk in the cloud through technologies such as encryption, tokenization, cryptographic solutions, and access management solutions such as multi-factor authentication.
• Establish and communicate policies on business cloud applications such as document sharing.