The cloud is here to stay – but it has brought some security headaches with it. Now, Cisco has created a cure with a service that gives its customers much-needed visibility and control over risky cloud-based services.
More companies are flocking to cloud-based software-as-a-service (SaaS) applications than ever before. IDC said that these applications are exceeding demand for on-premise applications five-fold, and it believes that SaaS will consume 27.8% of the worldwide enterprise applications market by 2018, generating $50.8bn in revenue. That’s up from $22.6bn in 2013.
Cloud-based applications bring a range of benefits to IT departments in areas such as cost savings and agility. They also bring a particular headache: shadow IT. Business departments are paying for cloud-based services not provided by the IT department, which introduces a worrying array of security and compliance problems.
The problem is growing. In late 2013, Frost & Sullivan company Stratecast surveyed 600 workers in North America, the United Kingdom, Australia and New Zealand. It found that 80% of workers admitted to using SaaS applications at work without approval.
When technology takes over
IT departments can tell business employees not to do this, but policies only go so far. Cisco recently announced its Cloud Access Security (CAS) product, aimed at solving the shadow IT problem once and for all.
As shadow IT grows, the risk to organizations increases. While many cloud-based applications such as Salesforce and Office 365 are designed with security in mind, many others are consumer-focused applications not optimized for enterprise use. This can create a mixture of legal and technical risks.
Some consumer apps claim ownership of the data that users upload to them. If an organization’s private information finds its way onto those systems, then companies face legal problems. This is a particular concern for intellectual property and personally identifiable information (PII).
On the technical side, many consumer-focused SaaS apps fail to encrypt data at rest, or even in transit. Some don’t even require users to create an account. This creates large security loopholes and puts company information at risk.
CAS shows IT administrators which applications are being used in the organization, providing a running audit of third-party cloud services that employees are accessing. It goes further than simply listing the applications by offering a detailed security rating for each one.
The product extends Cisco’s ‘Security Everywhere’ strategy a step further. The company already embedded security across its network infrastructure products, but is now expanding it to cover cloud and mobile users.
This will be an important tool for IT administrators, who can use it to plug potential information leakage points within the organization. It will help them to stay compliant with sector-specific regulations, of which there are many.
For example, healthcare companies face significant privacy controls and data breach reporting requirements under the 1996 HIPAA and 2009 HITECH acts.
Any organization accepting and storing credit card information is bound by the Payment Card Industry Data Security Standard (PCI DSS). Version 3.0 of this standard explicitly mandates due diligence when working with third-party service providers.
Finally, the US government’s 2002 FISMA legislation requires federal agencies to provide high levels of information security to their assets – including those managed by third parties.
Cloud computing is not just a luxury; it has become a crucial business tool for many, who rely on third-party services to bolster their own internal resources. The challenge for companies comes in drawing firm boundaries between legitimate services and those that pose new risks.
Cisco’s entry into this market underlines the importance of the issue, and the market opportunity for IT companies that can help customers stamp out shadow IT. Its own Global Cloud Index projects a 35% CAGR for SaaS-based cloud services between 2014 and 2019, as SaaS dominates an increasing proportion of cloud service contracts. Using tools like this, it will be easier for companies to secure themselves against shadow IT now, while the problem is still manageable.