Businesses are being put at risk by shadow IT cloud services, overseas storage and bad security
The upcoming London Cloud World Forum is risking nettle-rash by grasping the prickly subject of cloud security. This year several keynotes will look at the issues from a broader, user perspective rather than just the technical issues. The conference and exhibition will be held at London Olympia on 17 and 18 June.
One of the springboards that led to security becoming a Forum issue was a substantial report from Skyhigh Networks which claimed that nine out of 10 cloud services are putting European businesses at risk. It concluded that this revelation, taken from a survey of over a million users, highlights the need for greater employee education and caution when entering agreements.
The report analysed users from over 40 companies and found that enterprises access an average of 588 cloud services. Of these services, only nine percent provide enterprise-grade security, bringing to the fore concerns around the regulation of cloud privacy issues.
The whole area of cloud application and data security has to be re-evaluated in an atmosphere where the European Court of Justice has declared invalid the Data Retention Directive – whereby ISPs were required to retain data for two years – and the European Parliament also investigated and declared that, in the light of the Snowden revelations, data protection “safe harbor” agreements with the USA should be suspended.
Udo Helmbrecht, executive director of the European Union Agency for Network and Information Security (Enisa), will use a case study during his keynote at the Forum to highlight the issues.
“Big cloud computing service providers are gaining more and more ground on the international market, leaving no space for SMEs … At Cloud World Forum, I intend to look at the cyber security problems for governmental bodies, providers and SMEs, the dilemma of legal compliance versus operational security and Enisa’s contribution in the EU’s cloud strategy.”
The Skyhigh Cloud Adoption & Risk Report Q1 2014 found that only one percent of the cloud services in use offered both enterprise-grade security capabilities and stored their data within Europe’s jurisdictional boundaries. This is of particular concern because many of the cloud services are being used without the consent or knowledge of the CIO or CISO.
Such “Shadow IT” practices have been easy for the average employee to adopt, often with little or no consideration for the security implications or the services’ impact on wider business policies. When CIOs examine the use of cloud services across the organisation, they generally find Shadow IT is 10 times more prevalent than they initially assumed, Skyhigh claimed.
Georgios Kipouros, head of production for the Cloud World Series, said, “Cloud security concerns should not deter enterprises or organisations from using cloud services when it makes business sense. This year’s event will address the challenges of cloud security and privacy, while highlighting how organisations can overcome these when outsourcing data applications and infrastructures in the cloud.”
Other key findings from the report included: only five percent of cloud services in Europe are ISO 27001 certified, posing compliance issues for those organisations unaware that their employees are using uncertified services; 25 of the top 30 cloud services in the collaboration, content sharing and file sharing categories were based in countries where privacy laws are far less stringent than in Europe, such as the United States, Russia and China; and 49 different services in use are tracking the browsing behaviour of employees on the internet, exposing organisations to increasingly prevalent watering hole attacks.