Focus on security obscures rise of ‘shadow IT’
Nearly three-quarters of IT security professionals are unaware of the amount of “shadow IT” within their organizations, according to a recent survey by the Cloud Security Alliance.
Shadow IT, according to CSA, is technology spending and implementation that occurs outside the IT department, including cloud apps adopted by individual employees, teams and business units. “Employees are more empowered than ever before to find and use cloud applications, often with limited or no involvement from the IT department,” according to the survey report, which interviewed 212 participants around the world in professional IT security roles.
Some organizations block certain cloud services altogether, such as those from Dropbox, Facebook, Apple iCloud, Tumblr, but that can be even riskier if employees seek out alternatives that have less mature security controls, CSA said.
Shadow IT is not a new problem, nor solely a cloud-based one. For years, removable drives have made it easy to move files from one office to another, but it used to take some ingenuity to get outside the perimeter. When the world went wireless, there was an exponential jump in the ability to think and work outside the box.
But the recent rise of shadow IT might have to do in part with pressure on IT departments to devote more of their time to defending their networks against escalating threats and incursions.
According to CSA, more software vulnerabilities were uncovered in 2014 than any other year on record. And the security of data in the cloud has risen beyond the domain of IT departments and is now a “board-level concern” of 61 percent of the companies surveyed.
IT professionals cited malware as the top security threat facing their organizations (63 percent), advanced persistent threats (53 percent), compromised accounts (43 percent) and insider threats (42 percent).
In fact, cloud security projects were the leading IT project in the 2014, according to CSA. Globally, three-quarters of organizations said cloud security projects were very important, moving past intrusion detection and firewalls in the level of seriousness.
The report said that organizations’ top concern about shadow IT is the security of corporate data in the cloud, followed by potential compliance violations (25 percent) and the creation of redundant or unplanned services creating inefficiency (8 percent).
Perhaps most alarming, only 8 percent of organizations know the extent of shadow IT at their shops, and 72 percent, “did not know the scope of shadow IT but wanted to know.” That number is higher (80 percent) for organizations with more than 5,000 employees, CSA said.
Despite efforts to manage shadow IT, IT departments at 79 percent of firms get requests from their end users each month to buy more cloud applications, according to the CSA survey.
The 2014 Cloud Adoption Practices and Priorities Survey was designed to gauge how IT organizations handled security for cloud services, including how they manage “employee-led” cloud adoption.
Connect with the GCN staff on Twitter @GCNtech.