What Keeps CIOs Up at Night
CIOs have plenty to think about these days. Shrinking budgets and too much work for too few resources are just the beginning. Security poses a far more urgent threat. Cloud apps aren’t just the newest blip on the radar; they can quickly become DEFCON 1. What is the biggest risk to CIOs?
Lack of visibility.
When the IT landscape consisted of on-premise software, tracking investments in and usage of these technologies was relatively simple. The cloud changed all of that for most companies. It became more challenging to control cloud application procurements because they are so easy to find and use - often without anyone in IT ever knowing. Symantec believes that CIOs may underestimate the number of apps being used across their organizations by as much as 900.
“At the end of 2016, the average enterprise organization was using 928 cloud apps, up from 841 earlier this year. However, most CIOs think their organization only uses around 30 or 40 cloud apps.” - Symantec
With every SaaS application that joins the software ecosystem, there is risk. With every risk, there is a common denominator - CIOs simply don’t have enough visibility into what’s really going on across their organizations. If you can’t see it, it doesn’t mean it isn’t there. In fact, there’s a good chance it’s the most dangerous type of risk because it hides until it causes enough damage to make itself known.
The 3 Most Common Risks of Cloud App Blindness
If you have a single cloud app in your IT infrastructure, you have risk. Add in a cloud app here and a cloud app there and your risk increases exponentially. Yet it’s not that simple. Different cloud apps bring different threats. What are the most common? We’ll give you three.
1. Attack Vectors
Every account with every vendor is an attack vector. An attack vector is the route by which a hacker finds their way into your network. If you have any system vulnerabilities, you can bet there’s a hacker out there who will find them.
To make things worse, every employee becomes his or her own attack vector. They may not intentionally present risk, but either through negligence or misuse, they still add vulnerabilities. The U.S. Department of Health and Human Services Office for Civil Rights reported that the top breaches in 2016 were theft, loss, improper disposal, and unauthorized email access or disclosure - all from employees, not hackers half a world away.
Yet it’s not all bad news. Companies can dramatically decrease their risk of attack when they have visibility into those attack vectors. Turn a blind eye and good luck. According to Trend Micro, many companies are turning to vulnerability research in order to identify vulnerabilities within software before they are exploited. Investing in security engineers who focus less on how systems work and more on how systems fail is an investment well spent.
2. Single Sign On
What do you think about SSO? If you’re like most CIOs and employees, you don’t like it. It’s expensive and it’s a bad process. While it may be convenient for employees to use one set of login credentials to access multiple applications, it makes it just as convenient for those with bad intentions to gain the same easy access to every application.
Companies must establish solid policies and governance around SSO without forgetting about the many accounts that may not be connected to SSO. As employees are free to use any app they find, these apps aren’t always included under the SSO umbrella. They can bring the most threats because they aren’t being tracked.
Strong SaaS management using the right tools, however, can shine a light on both SSO applications and non-SSO applications - who is logging in and when. Alerts can be set up to notify IT of any potential issues before they become crises.
3. Unauthorized Access
Who has access to what is a big question mark for many organizations. Does everyone who logs into a cloud app have the right clearance and permissions? Do former employees still have access, perhaps via a personal mobile device?
Without visibility into every cloud app across the enterprise, it’s nearly impossible to know if the proper modifications have been made to each of them when an employee is offboarded. Sure, you may have denied access to Dropbox, but what about all of the lesser-used apps?
Tracking both cloud apps and the employees who use them is critical to reducing vulnerabilities and risk. Companies can leverage SaaS management software to combine all of this data into one location so tracking is simplified and access is automatically monitored.
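The offboarding check described above can be expressed as a reconciliation between the HR roster and each app's account export. The following is an added example, not code from the article or from any SaaS management product; the app names, users, dates and field layout are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR roster maps user -> termination date (None = employed).
HR_ROSTER = {
    "alice@example.com": None,
    "bob@example.com": date(2024, 3, 1),
    "carol@example.com": date(2024, 5, 15),
}

# Constructed per-app account exports:
# (app, behind_sso, user, account_active, last_login)
APP_ACCOUNTS = [
    ("file-share", True, "alice@example.com", True, date(2024, 6, 1)),
    ("file-share", True, "bob@example.com", False, date(2024, 2, 27)),
    ("notes-tool", False, "bob@example.com", True, date(2024, 4, 10)),
    ("survey-tool", False, "carol@example.com", True, date(2024, 5, 2)),
    ("design-tool", False, "contractor@example.net", True, None),
]


def audit_access(roster, accounts):
    """Return (app, user, reason) for every active account that should not exist."""
    findings = []
    for app, _sso, user, active, last_login in accounts:
        if not active:
            continue  # already deprovisioned in this app
        if user not in roster:
            # Account belongs to nobody HR knows about.
            findings.append((app, user, "unknown-identity"))
            continue
        left_on = roster[user]
        if left_on is None:
            continue  # current employee
        if last_login is not None and last_login > left_on:
            # Former employee has used the account after leaving.
            findings.append((app, user, "login-after-termination"))
        else:
            findings.append((app, user, "orphaned-account"))
    return findings


def non_sso_apps(accounts):
    """Apps outside SSO, where disabling the central identity revokes nothing."""
    return sorted({app for app, sso, *_ in accounts if not sso})


if __name__ == "__main__":
    for finding in audit_access(HR_ROSTER, APP_ACCOUNTS):
        print(finding)
    print("Not behind SSO:", non_sso_apps(APP_ACCOUNTS))
```

In the sample data, the former employee's SSO-backed account is already disabled, while the accounts in apps outside SSO remain active, which is the gap the section describes.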
CIOs and their teams don’t need glasses to better see their cloud platform; they need x-ray vision. They must be able to see between the lines, inside the shadows, and under the covers. Cloud applications, with all of their benefits, are challenging. You can’t live without them these days, but their risks make it hard to live with them.
Cloud applications aren’t going anywhere, leaving companies no choice but to adjust. They can begin by setting and enforcing standardized policies, choosing the right tool to automate the tracking of cloud apps and their utilization across the enterprise, and continually measuring their effectiveness. It isn’t easy, but no one got into IT because it was easy. Keep your eyes wide open and boost your SaaS management strategy. You’ll reduce your risk, lower costs and gain greater control over your cloud application environment.