The cloud is still akin to the Wild West when it comes to the security of the data hosted there, according to Courion.
In fact, 1 in 7 companies admit that they know there are potential access violations in their cloud applications, but they don’t know how to find them. The survey also found that there is widespread confusion about who is responsible for securing cloud data – 78.4% of respondents could not identify the single party responsible. As enterprises increasingly leverage cloud solutions amid this confusion, more data is at risk of unauthorized access.
Conducted in October 2010, a global survey of 384 business managers from large enterprises – 86% of which had at least 1,000 employees – reveals that cloud adoption may be outpacing commensurate security controls. Even more startling, the lack of knowledge about which systems or applications employees have access to is actually increasing, up nearly 10% from last year’s figures. This indicates an alarming growth in the lack of control enterprises have over user access, which is only exacerbated by the use of cloud solutions.
Nearly half (48.1%) of respondents said they are not confident that a compliance audit of their cloud-based applications would show that all user access is appropriate. An additional 15.7% admitted they are aware that potential access violations exist, but they don’t know how to find them.
Confusion abounds about cloud data security – more than three quarters of respondents cannot say who they believe should be responsible for data housed in a cloud environment. While 65.4% said that the company from which the data originates, the application provider and the cloud service provider are all responsible, another 13% said they were not sure. There is no consensus on who the single party should be that protects that data.
61.2% of respondents said they have limited or no knowledge of which systems or applications employees have access to. This number spiked from 52.8% in 2009, demonstrating an increasing risk of “zombie” accounts – accounts that remain active after employees have left the company or changed roles – which can lead to data breaches.
Fittingly, enterprises are less confident this year than in 2009 that they can prevent terminated employees from accessing one or more IT systems. 64.3% said they are not completely confident, compared with 57.9% last year.
There was a slight increase in the percentage of companies who were more concerned with external IT security threats than internal ones. 56.5% of respondents said that external threats were still the biggest concern, compared with 54% last year.