Wednesday, October 27, 2010

Sixty-Four Percent Of Enterprises Admit They Would Not Pass an Audit Verifying Appropriate Access to Cloud Data

The Cloud is still akin to the Wild West when it comes to the security of the data hosted there, according to new survey findings.

In fact, one in seven companies admit that they know there are potential access violations in their Cloud applications, but they don't know how to find them. The survey also found that there is widespread confusion about who is responsible for securing Cloud data: 78.4 percent of respondents could not identify the single party responsible. As enterprises increasingly leverage Cloud solutions amid this confusion, more data is at risk of unauthorized access.

Cloud adoption may be outpacing commensurate security controls. Even more startling, the lack of knowledge about which systems or applications employees have access to is actually increasing, up nearly 10 percent from last year's figures. This indicates an alarming growth in the lack of control enterprises have over user access, which is only exacerbated by the use of Cloud solutions.

Key cloud-related results from the survey include:

-- Nearly half (48.1 percent) of respondents said they are not confident that a compliance audit of their Cloud-based applications would show that all user access is appropriate. An additional 15.7 percent admitted they are aware that potential access violations exist, but they don't know how to find them.

-- Confusion abounds about Cloud data security - more than three quarters of respondents cannot say who they believe should be responsible for data housed in a Cloud environment. While 65.4 percent said that the company from which the data originates, the application provider and the Cloud service provider are all responsible, another 13 percent said they were not sure. There is no consensus on who the single party should be that protects that data.

-- 61.2 percent of respondents said they have limited or no knowledge of which systems or applications employees have access to. This number spiked from 52.8 percent in 2009, demonstrating an increasing risk of "zombie" accounts -- accounts that remain active after employees have left the company or changed roles, which can lead to data breaches.

-- Fittingly, enterprises are less confident this year than in 2009 that they can prevent terminated employees from accessing one or more IT systems. 64.3 percent said they are not completely confident, compared with 57.9 percent last year.

-- There was a slight increase in the percentage of companies who were more concerned with external IT security threats than internal ones. 56.5 percent of respondents said that external threats were still the biggest concern, compared with 54 percent last year.

Comment from Courion: These results show that many organizations are not currently doing the proper due diligence to ensure that sensitive data is being accessed by the right employees on-premise, not to mention when data is housed by a third party provider. The responses indicate that the problem is getting worse, and is only being exacerbated by the increasing use of Cloud-based applications, which creates more access violation risk. Courion recommends careful inspection of Access Assurance policies that define, verify and enforce that the right users have the right access to the right resources and are doing the right things, and also that companies deliberate on which applications are best-suited for Cloud environments and which are best kept on-premise.

About the survey: Courion Corporation conducted the 2010 Access Assurance Survey in October 2010 among 384 business managers from large enterprises, 86 percent of which had at least 1,000 employees.

Contact: http://www.courion.com
