This Halloween, it's not the ghouls and goblins that give us the biggest scare. It's cloud apps.
Yes, cloud apps make us more productive, give us access to the latest features, and let us pay-as-we-go. And yes, we love them. But don't look too closely because they're also pretty scary. Here are five reasons why.
First, just learning the sheer number of apps running in your enterprise is enough to make you jump out of your skin. Whereas IT professionals usually estimate around 50, the number is actually a whopping 579, according to a recent report by Netskope.
Second, 88.7 per cent of those cloud apps aren't enterprise-ready, which means they don't meet enterprise standards for security, auditability, and business continuity against an objective yardstick adapted from the Cloud Security Alliance. In some cases, they lack basic audit logging capabilities, in others, they don't support multi-factor authentication, and others don't separate tenant data in the cloud, which can lead to data exposure or even data loss.
Third, many cloud apps are made up of flawed components. As we saw in the recent POODLE attack, bad guys were able to take advantage of a vulnerability in the SSL v3.0 protocol. Guess what? More than 70 per cent of the enterprise cloud apps we track were vulnerable to this on day one, and still today we see 1632 vulnerable apps as our countdown continues. Security company Veracode just released a report that finds that open source and third-party components introduce 24 vulnerabilities into every cloud app, on average. If that doesn't give you the chills, we don't know what does.
Fourth, for all of their goodness, Application Programming Interfaces (APIs) let your business data flow hauntingly among many cloud apps. Large, "anchor tenant" apps like Salesforce, Box, and Google have thousands of apps that integrate with them and share data in (and outside of) your enterprise. While the "anchor tenant" app may be enterprise-ready, the ecosystem apps may not be. Imagine your data flowing from your secure cloud storage app through content routing, document signing, workflow, and business intelligence apps. Do you have the same level of visibility and security controls across all of those?
And finally, even if a cloud app is inherently secure, user activities within that app may not be safe. Do you know who's uploading sensitive content to your cloud apps? Who's sharing that content, and with whom they're sharing? Last year, information management professional body AIIM reported that one in four users of its members admitted to sharing corporate content via unsanctioned file sharing apps.
These apps are a Frankenstein's monster of insecure capabilities, flawed third-party components, and unchecked usage patterns. What's to be done? Just like the masks come off the day after Halloween, you can also de-mystify your enterprise cloud apps.
We advise three steps: First, understand what apps you have running in your enterprise and their risk. Then, get a sense for how people are using those apps, and what corporate data are in them. And finally, enforce granular, activity- and data-level policies across all of your apps – sanctioned or not – to protect your sensitive corporate data and rein in risky behaviour.
By following these three steps, your IT team can rest easy this Halloween. So long as they check under the bed before turning out the lights...
Author: Paul Cooper