IT managers trying to protect their businesses are challenged to apply the same corporate security tactics used in-house to their public cloud deployments, according to a new report from Gartner.
More organizations are moving to mobile and software-as-a-service (SaaS) applications as part of the digital transformation process, according to Gartner. This is a necessary step, but one that often leaves security gaps traditional IT solutions cannot fill.
In particular, IT managers face a major challenge in the large number of cloud applications procured without their knowledge -- a practice known as Shadow IT. Many of these services lack sufficient enterprise controls, and security practitioners are unsure of how to secure them all.
"The heart of the issue is that most organizations are moving to a relatively large ecosystem of cloud service providers, rather than a monoculture," said Gartner research VP Craig Lawson in a statement. The influx of cloud apps can do more harm than good.
"Creating and maintaining a security policy on a per-cloud-service basis is more than a chore when hundreds of cloud services are in use -- it quickly becomes a high source of risk," Lawson explained in the statement.
The trend has escalated to the point where the growth of cloud and mobile adoption has surpassed the control IT organizations have over their risk exposure. As a result, user behavior is a greater concern than vulnerabilities inherent to any cloud service provider.
Most businesses try to address the wrong SaaS risks, Gartner found. For example, IT managers are more likely to focus on provider security failure -- which is relatively unlikely -- than to address how they manage their own users and data.
When IT departments attempt to limit SaaS use within the enterprise, their efforts are often insufficient. They may cause users to find less secure alternatives. On top of this, their processes for buying SaaS products fail to meet the need for user, activity, and data controls.
Cloud vendors add to the IT challenge by not offering many assurances for their security features. Customers are left responsible for implementing native or third-party security measures. Many cloud services don't offer security policy tools to span cloud services outside their own.
It's critical for security practitioners to do everything they can to minimize the risk of SaaS security gaps within their organizations. These five steps, as recommended in Gartner's report, can help security managers tighten cloud security and keep their organizations safe:
Have you faced challenges with cloud and SaaS security in your organization? Are these measures enough to help you mind the gaps? Are there other tips and tricks that have worked for you? Tell us about it all in the comments section below.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...