Survey: 63% of enterprises may not pass a cloud access audit
By Asia Cloud Forum staff 28-Oct-2010
One in seven companies is aware of potential access violations in its cloud applications but does not know how to locate them, a recent survey found.
More than 78% of the survey respondents failed to identify a single party that was responsible for securing corporate data in the cloud. As enterprises increasingly adopt cloud solutions without identifying who guards the data, more corporate data is at risk of unauthorized access.
These findings are based on Courion's 2010 Access Assurance Survey, conducted globally in October 2010 among 384 business managers from large enterprises averaging 1,000+ employees. Courion is a US-based company specializing in access governance, provisioning and compliance solutions, with offices in the US, UK and India.
Cloud computing adoption may be outpacing commensurate security controls, the Access Assurance Survey suggests. Compared with last year's figures, the lack of knowledge about which systems or applications employees have access to has increased by about 10%. This lack of user access control in the cloud will only worsen with further growth in cloud adoption.
The key survey findings in relation to cloud computing are:
Insufficient cloud audit compliance. Nearly half (48%) of the survey respondents said they were not confident about passing a user access compliance audit of their cloud-based apps. About 15% of the respondents said they were aware of potential access violations but did not know how to locate them.
Confusion about cloud data ownership. More than 75% of the respondents cannot identify who they believe should be responsible for their data in the cloud. While 65.4% answered that the enterprise user, the application provider and the cloud service provider should all be responsible, another 13% said they were unsure. There was no consensus on which single party should protect the corporate data.
Unclear user access. About 61% of respondents said they have limited or no knowledge of which systems or applications employees have access to. This number spiked from 52.8% in 2009, indicating an increasing risk of “zombie” accounts -- accounts that remain active after employees have left the company or changed roles -- which can lead to data breaches.
Low confidence in user access control. Compared with 2009, enterprises are less confident this year in preventing terminated employees from accessing one or more IT systems. About 64% said they were not completely confident, compared to 58% last year.
Growing concern about external IT threats. There was a slight increase in the percentage of companies that were more concerned with external IT security threats than internal ones. About 56% of respondents said that external threats were still the biggest concern, compared to 54% last year.
Access assurance policies
These survey findings show that more due diligence is required to ensure that sensitive data is being accessed by the right employees on-premise, especially when the data resides at third-party cloud providers.
Courion recommends careful inspection of access assurance policies that define, verify and enforce that the right users have the right access to the right resources and are doing the right things, and also that companies deliberate on which applications are best-suited for cloud environments and which are best kept on-premise.