The majority of companies are delaying deployment of cloud applications due to security and compliance concerns. Among the companies that have started to adopt cloud apps strategically, Bitglass found that Google is outpacing Microsoft in cloud-based email adoption.
“We set out to find whether there was more hype than reality surrounding enterprises truly adopting the cloud. We found that while more strategic, company-wide adoption of the cloud is starting to take hold, there are still basic security mechanisms that have not been put into place,” said Nat Kausik, CEO of Bitglass. “As new technologies to secure cloud apps gain a greater foothold, we expect wider and more accelerated adoption to occur, especially among larger companies and those in regulated industries.”
Using real world and survey data aggregated by Bitglass sampled 81,253 companies across a range of industries and varying company sizes.
They found that private companies are more likely to have adopted cloud-based email than public companies. Gmail was adopted by 16.5 percent of private companies sampled compared to 11.9 percent among all companies sampled. Office 365 was adopted by 7.6 percent of private companies sampled, but adoption actually increases to 8.8 percent with publicly traded companies.
“Since public companies are generally larger and older, they are more likely to have history and substantial ties to Microsoft,” added Kausik. “We believe that the lower rate of cloud adoption among public companies is due to additional regulatory and reporting burdens that private companies do not face. Given the compliance and audit capabilities lacking in most cloud apps, we expect third-party security technology will be required to help close this gap.”
Google Apps demonstrated a higher adoption rate (16.3 percent) than Microsoft (7.7 percent). However, when accounting for company size, Microsoft matched Google at 8.8 percent with organizations of more than 1,000 employees.
The leading reason both large-sized companies (more than 1,000 employees) and small to medium-sized companies (under 1,000 employees) are not moving to the cloud is security concerns, according to ChangeWave Research. More than half of large-sized companies (52 percent) and approximately one-third of small to medium-sized companies (33 percent) cite security as their primary concern. In addition, the percentage of companies concerned about security is increasing – not decreasing: While 25 percent of companies expressed concern in October 2011, this figure increased to 42 percent in July 2013.
“Because larger companies have more established IT processes, they generally have a higher amount of paranoia with respect to cloud security issues. However, they also have the largest economic gains to be had from moving to cloud,” stated Kausik.
Bitglass recommends companies take a strategic approach to cloud and suggests five security areas that must be addressed before moving to the cloud:
1. Identity & Single Sign-On – Companies must use a single sign-on (SSO) service, which authenticates employees via existing identity management infrastructure while adding convenience for employees by no longer requiring them to remember passwords.
2. Visibility – Visibility should be comprehensive, providing insight into all user activity across all cloud apps in an organization. Regulatory compliance requires detailed audit logs, including user information, location, IP address, type of device, application accessed and any other available parameters.
3. Cloud Data Security – Data leakage prevention technology enables dynamic redaction of sensitive data, ensuring compliance and data confidentiality. Data tracking technologies allow sensitive data to be downloaded, but maintain visibility of the data anywhere it goes. These measures protect against cloud vendor data breaches.
4. Encryption – Regulated industries require that data be encrypted prior to upload to the cloud, and decrypted upon download prior to viewing.
5. Access Control – Companies need to invest in solutions that provide the ability to restrict suspicious behaviors and activities via rich, contextual access controls that allow the enterprise to decide who gets access to what, and under which conditions.