More than one in three IT professionals believe cloud providers should turn over encrypted data to the government when they are asked. However, a majority believe that these vendors should not cooperate, according to a Cloud Security Alliance (CSA) and Bitglass survey of 176 information security professionals.
More than a third (35%) of respondents reported that they believe cloud app vendors should be forced to provide government access to encrypted data, while slightly more than half (55%) noted that they are opposed.
The survey also found nearly two-thirds (64%) of US-based information security professionals are opposed to government cooperation, compared to only 42% of respondents in Europe, the Middle East, and Africa (EMEA).
In addition to those finding on encryption, businesses and their IT departments seem to lack visibility into their cloud infrastructure. Less than half (49%) of organizations even know basics such as where and when sensitive data is being downloaded.
Even more worrying is the fact that only about 28% have access into user logins, and a mere 29% have audit logs, although confidence in cloud vendors seems to be growing. Some 67% of respondents said they were moderately concerned or not at all concerned about their cloud application vendors being compromised.
"Since cloud apps are accessible from any device, anywhere, having robust identity management and access control is critical," Rich Campagna, vice president of products for Bitglass, told InformationWeek.
"Organizations must employ tools that provide the ability to identify and control suspicious logins, anomalous user activities, and unmanaged device access across all of their cloud applications."
The report also found the deployment of cloud access security brokers (CASBs) are on the rise, with 60% of organizations having deployed or planning to deploy a CASB, with data leakage prevention cited as the most important capability.
Deployed between cloud apps and devices, CASBs provide data protection and visibility. They leverage features such as encryption, data loss prevention (DLP), and access control.
"Cloud access security brokers have become the go-to solution for closing security and compliance gaps in the public cloud," Campagna explained.
The report revealed most organizations have experienced some cloud security incident, with 59% related to unwanted external sharing and 47% involving access from unauthorized devices.
Among the other issues facing organizations and their IT security specialists are shadow IT threats -- information technology systems and solutions built and used inside organizations without explicit organizational approval.
The report found that few of the organizations surveyed have taken action to mitigate these threats. Only 29% of respondents said they use a proxy or firewall to redirect users.
"The ease with which employees can use unsanctioned shadow IT apps makes control difficult, with 62% using written policies according to our survey -- not at all effective in controlling usage," Campagna said. "In addition, 38% of respondents said they outright block applications, which tends to drive employees to work around IT, accessing these apps outside the corporate network."
He explained that discovery -- the ability to identify unsanctioned cloud usage and the risk profile of each application -- is the first step IT departments should take when tackling shadow IT issues.
"Organizations can then decide what to do, including secure and sanction, block, or redirect," Campagna said.