Security pros don’t know the number of cloud apps in their networks

In what could be called a tale of perception versus reality, the Cloud Security Alliance (CSA) released the results of a new survey that found a significant difference between the number of cloud-based applications IT and security professionals believe to be running in their environments, and the number reported by cloud application vendors.

The survey, which included responses from IT and security professionals from around the globe representing a variety of industry verticals and enterprise sizes, was conducted by the CSA. The aim of the survey was to gain insight and understand the perceptions of how enterprises are using cloud apps, what kind of data is moving to and through those apps, and what that means in terms of risks.

Among other things, the survey found that 54 percent of IT and security professionals said they have 10 or fewer cloud-based applications running in their organization, with 87 percent indicating that they had 50 or fewer applications running in the cloud (with a weighted average of 23 apps per organization). These estimates are far lower than commonly reported by vendors and research reports, which count more than 500 cloud apps present, on average, per enterprise.

“We found these results particularly interesting and at the same time concerning,” said Jim Reavis, CEO of the CSA. “It’s hard to control what you can’t see. If you are only seeing one tenth of your actual cloud usage, it’s impossible to put cloud policies in place to protect users and data. This tells us that cloud app discovery tools, along with analytical tools on cloud app policy use and restrictions, are very important in the workplace, especially when it comes to sensitive data being used by cloud applications.”

On the positive side, for known cloud apps, the vast majority of respondents report having policies and procedures in place to protect data and ensure compliance, and most report that those policies are well-enforced. When looking at the most protected cloud apps, nearly 80 percent of policy enforcement is in cloud storage and cloud backup, indicating serious concerns about data leakage and protection.

Additionally when it comes to bring-your-own-device (BYOD) policies, more than 50 percent of respondents reported having a policy addressing BYOD, and more than 80 percent believe it is at least somewhat followed.

“Beyond raising awareness around cloud service risk, the findings here are intended to provide usage intelligence that helps IT, security, and business decision-makers take action,” said JR Santos, Global Research Director of the CSA. “By consolidating and standardizing the most secure and enterprise-ready cloud services, knowing what policies will have the most impact, and understanding where to focus when educating users, we can improve the protection of data and applications in the cloud.”