Today more and more enterprises are moving their business processes to the cloud to save money, get their products to market faster and operate more efficiently.
At the same time, their employees are also adopting cloud services that enable them to do their jobs better and with more mobility.
However, the problem is that IT hasn’t authorized – and usually doesn’t even know about – this employee-led cloud adoption, known as shadow IT. That can cause massive headaches for IT admins if employees store corporate data in cloud services that haven’t been sanctioned.
While these tools benefit individual users, “they allow corporate policies, legal requirements and regulatory obligations to be circumvented, creating a serious information governance problem,” according to a report by Osterman Research.
That’s why companies like Dropbox and Microsoft are not only beefing up the security of their business cloud services but adding enterprise-grade security to their consumer clouds as well.
As the cloud becomes more popular among enterprises and their employees, so does the risk to their corporate data, according to a recent report by the Ponemon Institute. And it’s difficult for organizations to manage the risk of cloud computing without applying the right information governance practices, Ponemon notes.
The statistics regarding employee use of consumer cloud services speak for themselves.
In Q1 2015, the average company used 923 distinct cloud services, an increase of 21.6% over Q1 2014 and more than 10 times higher than what IT estimates, according to a report by cloud security company Skyhigh Networks. The figures highlight the stunning growth in employee-led cloud adoption.
The average company uses 49 file-sharing services, and the average employee actively uses three separate file-sharing services like Google Drive and Dropbox, according to Skyhigh.
And these services store 39% of sensitive and/or confidential corporate data uploaded to the cloud, including customer and employee Social Security numbers, dates of birth, or addresses; payment information, such as credit card numbers or bank account numbers; or protected health information, such as medical record numbers or health plan beneficiary numbers, Skyhigh notes.
Additionally, collaboration services like GoToMeeting are being used throughout the enterprise. The average company uses 162 collaboration services and the average employee regularly uses seven different ones; together these services account for 24.4% of corporate data uploaded to the cloud, according to Skyhigh.
Broken down by category, the average company uses 162 distinct collaboration services, 51 development services, 49 file-sharing services, 42 content-sharing services, and 30 social media services. The average employee uses 28 cloud services, including seven collaboration services, three file-sharing services, four content-sharing services, and four social media services, Skyhigh notes.
The inability to control how employees access and handle sensitive data in the cloud makes cloud governance – e.g., compliance with regulations – challenging, according to Ponemon. Not only that, but more employees are using cloud apps without specific training on the security procedures they are expected to follow.
To help organizations deal with the problem of unfettered access to critical corporate data and, by extension, information governance, Dropbox has boosted the security of its consumer service with optional two-step verification (via text message or time-based one-time password apps), adding an extra layer of security to user accounts.
Additionally, data in transit is encrypted using secure sockets layer (SSL) and data at rest is encrypted using 256-bit AES; Dropbox holds the encryption keys. And if users’ devices are lost or stolen, the devices can easily be “unlinked” from users’ accounts to further lessen the risk of unauthorized access.
Microsoft, too, has enhanced the security of its consumer cloud storage service OneDrive. First, files in OneDrive aren’t shared with other people unless users save them in the Public folder or choose to share them.
In addition, data in transit is encrypted using SSL, although it remains unencrypted at rest (encryption at rest is available only to OneDrive for business users). Microsoft has also enabled perfect forward secrecy for OneDrive, which means a different encryption key is used for every connection.
All OneDrive users also get access to two-step verification to help protect their accounts by requiring them to enter extra security codes whenever they sign in on devices that aren’t trusted.
The bottom line is that organizations that are able to solve the problems associated with employees using consumer cloud services will have taken a significant step toward solving their overall information governance problems.
The good news is that the consumer cloud is indeed growing up as more providers add enterprise-grade security features to their consumer cloud offerings, demonstrating the growing importance of information governance in a collaborate-first, ask-IG-questions-later world.