IT managers trying to protect their businesses are challenged to apply the same corporate security tactics used in-house to their public cloud deployments, according to a new report from Gartner.
More organizations are moving to mobile and software-as-a-service (SaaS) applications as part of the digital transformation process, according to Gartner. This is a necessary step, but one that often leaves security gaps traditional IT solutions cannot fill.
In particular, IT managers face a major challenge in the large number of cloud applications procured without their knowledge -- a practice known as Shadow IT. Many of these services lack sufficient enterprise controls, and security practitioners are unsure of how to secure them all.
"The heart of the issue is that most organizations are moving to a relatively large ecosystem of cloud service providers, rather than a monoculture," said Gartner research VP Craig Lawson in a statement. The influx of cloud apps can do more harm than good.
"Creating and maintaining a security policy on a per-cloud-service basis is more than a chore when hundreds of cloud services are in use -- it quickly becomes a high source of risk," Lawson explained in the statement.
The trend has escalated to the point where the growth of cloud and mobile adoption has surpassed the control IT organizations have over their risk exposure. As a result, user behavior is a greater concern than vulnerabilities inherent to any cloud service provider.
Most businesses try to address the wrong SaaS risks, Gartner found. For example, IT managers are more likely to focus on provider security failure -- which is relatively unlikely -- than to address how they manage their own users and data.
When IT departments attempt to limit SaaS use within the enterprise, their efforts are often insufficient and may cause users to find less secure alternatives. On top of this, their processes for buying SaaS products fail to meet the need for user, activity, and data controls.
Cloud vendors add to the IT challenge by not offering many assurances for their security features. Customers are left responsible for implementing native or third-party security measures. Many cloud services don't offer security policy tools to span cloud services outside their own.
It's critical for security practitioners to do everything they can to minimize the risk of SaaS security gaps within their organizations. These five steps, as recommended in Gartner's report, can help security managers tighten cloud security and keep their organizations safe:
- Leverage Cloud Access Security Brokers: These can help IT managers pinpoint unauthorized SaaS apps and help them decide whether the apps should be replaced. CASBs give managers a single control point to manage risk across a set of cloud services.
- Recommend business-ready cloud services: Security standards will be better addressed by services that align with your organization's specific technical needs.
- Use third-party tools: Built-in tools and third-party services alike can boost the security of corporate data across cloud services and SaaS apps.
- Support enterprise agility: Security pros can support enterprise agility by showing how IT can change as quickly as the business can.
- Use threat protection: IT managers should turn on the threat protection features of CASBs and Identity-as-a-Service (IDaaS) to cover cloud-based services that existing security solutions cannot access.