Two separate surveys on the topic of cloud were recently released. One, from Exoprise, examined adoption rates primarily across software as a service (SaaS). The other, from Intermedia, examined rogue access in the cloud.
When considering the two together, they paint a somewhat disturbing picture that presents considerable risk to organizations adopting SaaS.
Exoprise found, not surprisingly, hefty adoption of cloud in the SaaS market. In fact, it found that nearly 75 percent of respondents indicated their organization uses or plans to use software as a service. That's unsurprising given that most of the applications-turned-cloud being adopted are those easiest to commoditize -- productivity, customer relationship management (CRM), and sales force automation (SFA). Microsoft Office 365 dominated adoption, with nearly 40 percent of all respondents, compared to around 23 percent citing Salesforce.com usage.
So far so good. Adoption of SaaS is nothing new, nor is the mix of application workloads surprising.
But now let's check on the Intermedia survey, which tells us "89 percent of the survey respondents retained access (that is, a valid login and password) to at least one application from a former employer. They named nearly every major app you can think of: Basecamp, Shopify, Desk.com, Office 365, Google Apps, MailChimp, Wordpress, and many more."
Cross-tabulating the results of both studies nets us both Office 365 and Google Apps. While a complete list of apps is not made available in the Intermedia survey, one would assume that "nearly every major app you can think of" includes apps like Dropbox, Salesforce.com and, well, basically the same top ten list included by Exoprise.
What these two disparate surveys tell us is that while IT is clearly more comfortable with using cloud (and in particular, SaaS), it isn't yet as comfortable with the notion of governing cloud. That is, IT hasn't yet put in place the access controls that would have prevented the 49 percent of former employees Intermedia found to have logged in after leaving the company from doing so.
Federating identity is not a new concept. Single sign-on (SSO) has provided similar capabilities within the enterprise for years, for the purpose of improving productivity and governing access rights. After all, if all your accounts are tied to a single, authoritative "master" account, access is revoked simply by disabling it. Every enterprise-class SaaS has supported a similar approach for cloud applications for years now, primarily through the use of federation based on SAML.
Rogue accounts, orphan accounts, test accounts. No matter what we call them, the risk they pose remains the same, and is perhaps greater for SaaS, because while the business functions they provide may be commoditized, the data and information they store are not.
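One way to put that oversight into practice, as an added example that comes from neither survey nor the author: reconcile the account lists exported from each SaaS admin console against the authoritative directory. The field names, app names and sample rows are assumptions constructed for illustration; the check separates federated accounts, which die with the master account, from local-password accounts, which do not.

```python
from datetime import date

# Constructed sample data (assumed shapes, not from either survey).
# DIRECTORY holds the authoritative "master" accounts; "end" is the last day of employment.
DIRECTORY = {
    "alice@example.com": {"active": True, "end": None},
    "bob@example.com": {"active": False, "end": date(2014, 6, 30)},
    "carol@example.com": {"active": False, "end": date(2014, 3, 14)},
}
# One row per account, as exported from each SaaS admin console.
SAAS_ACCOUNTS = [
    {"app": "crm", "user": "alice@example.com", "auth": "saml", "last_login": date(2014, 8, 1)},
    {"app": "crm", "user": "bob@example.com", "auth": "saml", "last_login": date(2014, 6, 27)},
    {"app": "mail", "user": "bob@example.com", "auth": "local", "last_login": date(2014, 7, 9)},
    {"app": "files", "user": "carol@example.com", "auth": "local", "last_login": date(2014, 2, 2)},
    {"app": "files", "user": "qa-test@example.com", "auth": "local", "last_login": None},
]

def audit(directory, accounts):
    """Return sorted (severity, app, user, reason) findings for accounts needing action."""
    findings = []
    for acct in accounts:
        owner = directory.get(acct["user"].lower())
        if owner is None:  # test/shared/rogue account nobody is accountable for
            findings.append(("high", acct["app"], acct["user"], "orphan: no owner in directory"))
            continue
        if owner["active"]:
            continue  # current employee, nothing to revoke
        last, end = acct["last_login"], owner["end"]
        if last and end and last > end:
            findings.append(("critical", acct["app"], acct["user"], "login after departure"))
        elif acct["auth"] == "local":  # disabling the master account does not touch this password
            findings.append(("high", acct["app"], acct["user"], "local password outlives directory disable"))
        else:
            findings.append(("low", acct["app"], acct["user"], "federated: remove stale account"))
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for finding in audit(DIRECTORY, SAAS_ACCOUNTS):
        print(*finding, sep="\t")
```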
Oversight is still necessary even when the apps reside in the cloud.
Do you believe oversight is still necessary even when the apps reside in the cloud? Why isn't IT comfortable with the notion of governing cloud?