Let’s All Freak Over Cloud Apps, Security
Another analyst report on corporate IT use, another reason for compliance officers to reach for the antacids. This time around, a fresh report finds that use of cloud-based IT services is soaring in Corporate America — but use of smart security protocols lags far behind.
Bitglass, a broker of cloud-based services, studied how more than 135,000 organizations use cloud services and found that 81 percent of them use at least one cloud-based app: Office 365, G-Suite, Slack, Salesforce, Amazon Web Services, or similar apps. Only 25 percent, however, use the important security protocol known as single-sign on (SSO).
SSO works so well because it reduces the number of user IDs and passwords a user needs to remember (less password fatigue) and that the company needs to store (less risk of theft by hackers). The ease of SSO also lets the company add other authentication protocols, like sending a one-time passcode to your phone, without driving users crazy. And that multi-factor authentication is what cuts the risk of data breaches dramatically.
That’s the theory, at least. The reality is that most of you aren’t doing it.
“It’s surprising to see that far fewer organizations have invested in basic technologies like SSO to protect their data in the cloud,” said Rich Campagna, head of marketing at Bitglass, who really needs to get out more if this security gap is news to him. “The disparity suggests that data breaches will continue to plague organizations.”
The Bitglass report includes sector-by-sector analysis of which cloud-based apps companies are using: 60.2 percent of construction firms use Office 365; 54.7 percent of tech companies use Slack; 8.9 percent of healthcare firms use Salesforce; and so forth. You can also see what percentage use SSO by industry sector. (And, no surprise, more than twice as many large firms use SSO compared to small firms.)
There’s Security, and There’s Security
A point worth remembering here: many of these cloud-based apps have better security than your company does, to protect against intrusion — hackers breaching your security perimeter somehow and then absconding with valuable data. But that’s not the same as phishing attacks, where hackers dupe one of your employees into sending valuable information like authentic user IDs and passwords.
If an unauthorized person obtains legitimate credentials through some nefarious scheme, none of that security against hackers will matter much. The cloud-based app will still give him access. That’s what cloud apps do: process data for any user who shows up with legitimate credentials.
Hence multi-factor authentication (MFA) is so important: it works at your end of the connection, to challenge the actual human being typing in those user credentials.
Do you need SSO to use multi-factor authentication? No. But SSO does simplify the user’s experience, smoothing the way to implement an MFA policy. In theory MFA reduces hacker risks too, since it cuts down the number of files floating around in your IT systems listing user IDs and passwords. And bonus: your IT help desk spends less time helping people who forgot their passwords.
Conversely, SSO without multi-factor authentication can lead to bigger security risks: once an outsider steals that one set of credentials, he or she has the run of your corporate IT systems.
So MFA without SSO might be too much security for mere human employees to handle; and SSO without MFA might be too little. The best strategy going forward into our cloud-based world really will be to use both SSO and MFA together.
Baby Steps First
That said, if you waltz into your IT department saying, “Let’s implement SSO and multi-factor authentication!” they will probably shoot you with a nerf gun. IT executives certainly appreciate the value of SSO as a concept (they forget their passwords too, after all), but implementing SSO is no easy task as a technical matter. Neither is MFA.
Many cloud-based apps have better security than your company does, to protect against intrusion — but that’s not the same as phishing attacks, where hackers dupe insiders into sharing user credentials.
Multi-factor authentication also requires employees to, ya know, use it. So adoption of MFA will first require a thoughtful assessment of where MFA should be implemented (not all corporate data needs tight security). Then, as always, you’ll need to develop training and policies to guide people on why and how to use it.
Those are posts for another day. For now, if you want to benchmark your own company’s use of cloud-based apps against peers, or are looking for yet another reason to freak out over insufficient cybersecurity practices at your business — the Bitglass report has all the raw material you need.