
Post on 03-Jun-2020


DRIVEN IN PART BY SHADOW IT INVESTMENTS, THE PROLIFERATION OF CLOUD SERVICES HAS PROVIDED MANY BENEFITS FOR COMPANIES. BUT SECURITY CONCERNS AND CHALLENGES REMAIN.

Multi-cloud Organizations Confront IT Security Challenges

WHITE PAPER

Cloud deployments and cloud-based services adoption are not only mainstream business practices today, but the dominant mode of computing for many organizations. This rapid transition has delivered many business and technical benefits but, inevitably, has also introduced challenges and concerns.

For most IT professionals, cloud and security concerns have always been intertwined. Typically, these concerns have focused on securing sensitive information and applications in public cloud environments outside of corporate firewalls. Over time, security doubts have moderated as reputable cloud providers have proved their security chops, and cloud computing became more commonplace. Ironically, however, the growing popularity and proliferation of cloud solutions has introduced new security concerns.

Virtually all companies today are “multi-cloud” organizations. This term reflects the strategic decision to use multiple cloud environments—public, private, or hybrid—to run enterprise applications, and the decision to use a mix of cloud service providers. More broadly, however, the multi-cloud designation encompasses every cloud service being tapped by company employees as part of their business activities.

IBM and IDG content

Within large enterprises, the number of cloud services at play can easily number in the hundreds, if not thousands. Furthermore, many of these deployments are materializing via shadow IT investments made by individual business units—often without the involvement of IT.

Not surprisingly, the proliferation of multi-cloud environments and associated vendors and services has triggered its own set of security challenges. Organizations still have to address the “traditional” issue of securing data and software—but now for dozens or hundreds of cloud environments rather than just a handful. In addition, companies must ensure that all their environments don’t have security vulnerabilities that emerge in the gaps both among them as well as between cloud and on-premises IT infrastructures.

Market Pulse

A new survey of large multi-cloud enterprises conducted by IDG Research has revealed an interesting mix of both confidence and concerns among those responsible for securing these fluid and evolving environments. The survey also provides insights into security reporting hierarchies, and explores organizations’ varying attitudes about shadow IT.

High confidence in security skills, but concerns persist

To get a window into the issues affecting organizations, IDG Research surveyed 200 IT decision makers at companies that have deployed workloads across multiple cloud service providers. The respondents—all with director-level or higher titles—work at companies with revenues from $500 million to $10 billion, and across a wide variety of industry sectors.

Overall, respondents exhibit high levels of confidence in their in-house information security expertise. Nearly 95% characterized their security capabilities as either expert (58%) or knowledgeable (36%).

As is often the case, however, those closest to the front lines of the security battle are more circumspect in their self-assessments. Only 38% of the survey respondents with director-level titles rated their companies’ security skills as expert, compared to two-thirds (67%) of the C-level respondents. This disconnect between C-suite perceptions and operational realities suggests some top executives may not fully grasp the daunting security challenges their organizations face.

When it came to cloud-specific security issues, the surveyed organizations again professed generally high confidence levels in their own capabilities. For example, as shown in Figure 1, 90% of the survey respondents either strongly or somewhat agreed with this statement: “We have a good understanding in-house of the security related regulatory and compliance issues involved with cloud migration.”

Despite their generally high confidence levels, significant percentages of the survey respondents expressed concerns about some aspects of the multi-cloud trend. Three-quarters say technology adoption—of which cloud deployments are a big part—introduces increased security risks. True, more than 70% say the specific security risks associated with cloud computing are outweighed by its benefits, but that still leaves nearly 30% of the respondents who believe otherwise.

Also, even though most of the respondents express confidence in their in-house security skills, many tacitly acknowledge the need for outside security assistance. In one of the more notable data points, 74% agree that cloud providers can offer a better level of security than their in-house resources can provide.


The advent of multi-cloud environments has added a new twist to these security calculations—more than three-quarters (77%) of the survey respondents said that multi-cloud has made them look at security differently. Whether this trend, on balance, is positive or negative from a security perspective is open for some debate, however.

Some survey respondents saw reason for optimism. Expressing a common theme, one said, “Multi-cloud software means you can store things in different places, so you are less likely to lose all of your data.” Another noted that “cloud providers are rapidly enhancing their security capabilities.”

On the flip side, one respondent warns, “Multiple systems working together increases the risk exponentially. You are multiplying risk against risk.” And yet another cautions that there is a “need to make sure that security is unified among on-premises and the various deployed clouds. Governance and operational execution is important.”

[Figure 1. The State of Cloud Security. Percent of respondents who strongly agree or agree with the following statements; multiple choice question so percentages are not mutually exclusive. Values shown range from 72% to 90%. Source: IDG Research. Statements: Understand security-related regulatory and compliance issues; Succession plan is in place for key individual in cloud security; Multi-cloud environment and SaaS allow for more shadow IT; Cloud providers have deep expertise regarding data security; My organization has embraced shadow IT because it’s inevitable; Technology adoption opens up greater security risk; Cloud providers offer better level of security than in-house resources; Have adequate visibility into security practices of cloud providers; Cloud computing’s security risks outweighed by benefits; Trust cloud-based data is secure.]

Shadow IT: An inevitable, but potentially positive, trend

The proliferation of multi-cloud environments is inextricably intertwined with another trend: the rise of shadow IT. The ease of purchasing cloud capacity or services without any need for buying, installing, and managing on-site IT infrastructure, has essentially supercharged the ability for business users to buy their own IT services. For most enterprises, business unit purchases of software-as-a-service (SaaS) and other cloud-based solutions have become an operational norm.

Indeed, three-quarters of the organizations surveyed see shadow IT as inevitable. While some organizations continue to resist this trend, most are trying to determine how to best live with it.

Shadow IT brings with it a mixture of benefits and challenges. Among the positive effects: It can make companies more agile and competitive; can give users and business units more autonomy and freedom to innovate; and can open IT to new solutions, platforms, and applications.

As for its negative ramifications, rampant shadow IT can lead to IT inefficiencies and redundancies; drive IT incompatibilities; run afoul of regulatory and compliance rules; and, of course, it can introduce security vulnerabilities.

This mixture of pros and cons has organizations dealing with shadow IT in three distinct ways. A minority still have hopes of preventing the practice. For the remainder, it’s a coin toss between tightly controlling it or, alternatively, fully embracing it.

>> Prevent

Among the multi-cloud companies IDG Research surveyed, only 20% said they hope to prevent shadow IT purchases. As one respondent explained, “This is a compliance issue with us, because we are in the financial field and shadow IT leaves us vulnerable.” Many of those hoping to prevent the practice cited security concerns. “Shadow IT can lead to major issues [such as] malware and ransomware,” said one respondent. “This could cause loss of revenue, customers, and reputation.”

>> Control

Among the remaining respondents, 41% say they hope to control the shadow IT practice, viewing it as the least onerous of the available options given its inevitability. “[Shadow IT] cannot be prevented, so to dedicate resources towards that aim would be wasteful,” says one respondent. “Embracing it opens the doors to security risks. The best approach is to implement controls where applicable to prevent the worst offenses and discourage its existence in general.”

Despite this ambivalence, some in the “control” camp see benefits associated with shadow IT investments. One respondent notes that business unit purchases of IT solutions help to supplement the central IT budget, for example. And a number of those advocating control acknowledge the ability of shadow IT expenditures to introduce new solutions and business practices to their organizations.

>> Embrace

It’s shadow IT’s perceived benefits that draw nearly 39% of the respondents into the “embrace” group. “I’m quite convinced shadow IT drives innovation,” says one respondent. Several others noted that business units understand their own needs better than the IT department can hope to grasp. “Each department knows what is best for their organization, and shadow IT should be embraced (with IT’s oversight),” says another respondent.

Some IT decision makers say they actually appreciate the involvement of business units. “They may have found applications that we have not looked at, and they have done the work for us. It is best to see what they have accomplished before regulating it,” explains one respondent. Along the same lines, another respondent notes, “Instead of fighting to retain control I’m focusing on managing risk and on understanding where employees are adding value with their self-provisioned tools and apps.”

Beyond its ability to drive innovation and tightly align solutions to business needs, some are embracing shadow IT primarily as a corrective to slow and bureaucratic IT departments. “Shadow IT isn’t the problem,” one respondent simply states. “The problem is that going through proper channels is too difficult.”

Given current trends and the ease of deploying SaaS and other cloud-based solutions, those still seeking to prevent shadow IT are likely fighting a losing battle. Indeed, if they surveyed their employees’ cloud usage, they could well find that the battle has already been lost.

A better strategy is one that combines elements of both the control and embrace strategies. Properly leveraged—and even encouraged—shadow IT can fuel innovation, drive efficiencies and productivity, and empower employees. But companies need to establish clear policies, and the practice must be well monitored and managed. With this approach, companies can ensure that shadow IT’s benefits aren’t undermined by security vulnerabilities and other risks it might otherwise introduce.

Whose Job is It, Anyway?

Almost all of the IT managers and executives surveyed by IDG Research (95%) say their organizations have clear chains of command for IT security responsibilities. At nearly half of the companies (49%), chief information officers (CIOs) shoulder the ultimate responsibility for ensuring security needs are met. For most of the remaining organizations (43%), this responsibility falls to chief information security officers (CISOs) or chief security officers (CSOs).

Despite the roughly equal split of security responsibility between CIOs and CISOs/CSOs, there are distinctions beneath the covers. CIOs tend to function much more at the strategic level than the security-titled executives. Only 13% of the survey respondents say their CIOs have mostly or completely tactical responsibilities, with 62% being completely strategic and another 24% mostly strategic. By comparison, 34% of the CISO/CSO executives are seen to have completely strategic roles, 37% mostly strategic, and 29% mostly or completely tactical.

Security requirements, of course, span both strategic and tactical realms, and security’s importance is clear in the budget expectations. In 2018, on average, security-related investments will account for an impressive one-quarter (24%) of the total IT budget, survey respondents predict.

At the high end of the spending spectrum, those in the telecom sector expect to invest 30% of their IT budgets on security expenditures. Even those in the lowest-spending industry sectors – manufacturing/distribution and consumer packaged goods, among others – anticipate spending 19% of their IT budgets on security in the coming year.

The Bottom Line

The emergence of multi-cloud organizations is very real. Whatever the reasons why, the result is clear: companies need to revisit their security technologies, practices, and needs.

Assessing the security of data stored in public cloud environments or within the servers of SaaS providers can be challenging in its own right. Beyond such assessments, however, companies must also ensure they have a comprehensive and consistent security regime that encompasses both their on-premises IT infrastructure and their multiple cloud environments.

To this end, it’s important that companies not overestimate their own abilities to address the many security challenges associated with the multi-cloud landscape. C-suite executives should be aware that their high confidence in their in-house security expertise may not be shared by the employees actually doing battle in the security trenches.

Inevitably, the complex matrix of security challenges posed by multi-cloud can stress even the most sophisticated of corporate IT security professionals and teams. How should CIOs, CISOs, and CSOs best deal with these security challenges? Their top response: a partnership or collaboration with a managed cloud provider. In fact, for multi-cloud organizations, third-party partners may prove essential to addressing many security risks.

Learn more about how IBM can help secure and manage your multi-cloud environments.