IT needs to stop pretending it's not responsible for cloud security

Public cloud apps are the new mainstream; IT can't keep pointing fingers or closing its eyes to avoid responsibility for securing them

Corporate IT departments have lost the fight against cloud computing, but continue to put their companies at risk by refusing to secure the intersection of the cloud they can't stop and the enterprise they have to protect.

The fight over public cloud, if there ever really was one, is over. Thirty-eight percent of end users admit deliberately using non-IT-approved cloud apps because getting approval from IT is too difficult, according to a recent GigaOm report.

But 81 percent admit using unauthorized Software-as-a-Service (SaaS) apps. 81 percent!

One user who does something dangerous is a security problem. One percent of users doing the same thing is a persistent internal threat.

Thirty-eight percent is a massive, dramatic failure to help users get their work done in the way the company wants them to do it. Thirty-eight percent should get a lot of CIOs fired.

Eighty-one percent is, effectively, everyone. Eighty-one percent means the war was lost so long ago the winners don't remember why the losers are still complaining.

The GigaOm report – based on the results of three previous GigaOm surveys and co-sponsored by enterprise cloud-services security provider CipherCloud – urges enterprise IT departments to embrace Shadow IT and make some accommodation with the cloud that will make it safe to use.

But 81 percent means "shadow" IT is real IT, and the IT department better get on board with its priorities right quick.

Most IT departments can't even see cloud apps. IT managers told Cloud Security Alliance pollsters their companies use fewer than 10 cloud apps; traffic analysis from Netskope showed the real average is 579.

Except… IT's cloud blindness seems only to apply to end users, not to itself. According to a November, 2013 Frost & Sullivan survey, 91 percent of IT departments use SaaS apps that have not been approved by IT, while only 83 percent of individuals working in IT use non-approved SaaS apps.

So whole IT departments will use public cloud for their own work, but refuse to update perimeter security or network monitoring enough to let them see web apps, let alone encrypt that traffic and possibly secure them? Who is supposed to do that, if not IT?

Seventy-nine percent of IT people polled by Forrester in May of 2014 said end users should be primarily responsible for securing data in the cloud.

That doesn't mean IT thinks users are responsible; no one in IT thinks users are responsible.

The survey said IT people think users should be held responsible if something goes wrong, which is a great way to blame someone else ahead of time for a disaster that IT knew was inevitable and could have prevented.

Which means that IT knows as much as it needs to about cloud and is just avoiding it to keep from having to be held responsible, which is unacceptable. Regardless of whether IT approved the tools employees are using to do their jobs or not, IT is responsible for the security of the company's IT infrastructure and data even when the threat is coming from sources of which IT disapproves.

IT has lost that battle. It's time to step up and fix the security problem.

Luckily, since we're talking about the cloud, no one has to actually fix the problem; they only have to hire someone from outside who will.

No one suggests cloud security is perfect or that services are available to fix every problem, but there are a lot of cloud security choices available.

CipherCloud offers a starter service that inventories and lays out the important details of a company's cloud traffic, in a service that's easy to set up and completely free.

Then, among its paid services, CipherCloud offers high-level encryption, access control, malware filters and other layers of protection for specific cloud services or all of them.

CipherCloud competitor Adallom claims an eight-minute setup for its simplest services, and eventual visibility all the way to the (virtual) metal for cloud-based storage or apps, so lack of convenience or depth is not a good excuse.

Netskope and Skyhigh offer real-time usage tracking, monitoring and analysis of where cloud-stored data could cause legal or compliance problems, which nixes complaints about visibility and control.

There are plenty of choices available to IT to enhance cloud security. The one choice IT does not have is to continue doing nothing to secure the junction of the cloud and the enterprise. Users have voted; IT lost. The cloud is part of the enterprise and IT is responsible for making sure it's secure.

Finger-pointing is a problem, not a solution.
