Enterprises are using a record number of cloud applications, but just how many of those have the IT department’s stamp of approval? A new report by cloud access security broker Netskope discovered that a staggering 92.7 percent of the cloud apps used by people in the enterprise are not enterprise-ready, including human resources apps.
Shadow IT has long been a thorn in the side of the IT department, but in many cases, it has been relegated to the unauthorized use of cloud storage services like Google Drive or Dropbox, use of personal email or mobile devices, or messaging apps like Slack or WhatsApp. But it’s more than that. Netskope says that the procurement of human resources apps – like SuccessFactors, Ultimate Software, and Workday – is also not necessarily led by IT, a troubling realization when you consider the type of personal data HR professionals interact with every day.
Per its analysis, which is based on usage of its Netskope Active Platform from Oct. 1 to Dec. 31, 2017, enterprises used 139 human resources apps on average this quarter, the highest of any category. This unauthorized cloud use could be putting sensitive data about employees at risk.
“We found that this report had the highest amount of HR and marketing apps, and that’s particularly concerning because … pretty much all the information you are processing in [HR] apps is sensitive data,” Netskope senior security strategist Jervis Hui said.
This news about unauthorized cloud use jeopardizing sensitive employee data lands right as HR departments are facing pressure to be more tech-savvy, replace legacy systems with integrated cloud platforms, and upgrade old tools for learning, recruiting, and performance management, per the 2017 Deloitte Global Human Capital Trends report.
“Digital HR requires digital technology expertise. While cloud-based HR systems brought tremendous value to organizations, they are no longer enough. Today, HR teams are rethinking their solutions in the context of workflow-embedded apps … This means using the cloud as a ‘platform’ and building on it for company-specific needs,” Deloitte said in its report.
Enterprises are using an average of 1,181 cloud services this quarter, up from last quarter’s average of 1,022. Hui says that this average has hovered around the low thousands for the past couple of quarters, though he has seen smaller organizations with only a few hundred apps, and larger organizations using over 3,000 distinct cloud services.
Most of these cloud services are not sanctioned by the IT department, Hui said, noting that IT may only know about and have given approval to 40 or 50 applications. What's more, some of the 1,181 cloud services may have only been used once – such as a file sharing app like CubbyShare – or may have been used on a short-term basis in a testing capacity.
PwC reports that 45 percent of the 307 companies it surveyed for its Human Resources Technology Survey said their company masks data in their test environments to protect sensitive data such as salary, and to prevent developers, quality assurance, and third-party service providers from having direct exposure to confidential data.
Interestingly, one of the top motivations in using the cloud for HR processes is the ability to be less dependent on IT, the PwC survey said. HR processes such as recruiting, learning management, and performance management are most likely to be in the cloud today, while talent review and succession, on-boarding and HR analytics are processes that are expected to be migrated to the cloud within the next three years, PwC said.
“IT is sanctioning HR apps but the employees within the HR department, not necessarily the execs, but just the employees in HR are testing out these apps to see if they want to use them,” Hui said. “It doesn’t necessarily mean that sensitive data is traveling through those apps while they are being tested out, but it does mean that organizations should get visibility into what is being used.”
Cloud software vendors target line-of-business owners directly, skipping IT decision-makers and going straight to the prospective users of the application. This tactic is not exclusive to human resources apps; healthcare software vendors are targeting doctors and nurses directly, creating a whole different set of cloud security problems.
“There are a lot of these apps in these organizations, and it is rapidly growing still,” Hui said. “With new regulations like the GDPR coming out, it’s critical for organizations to start securing these apps, and gaining the visibility they need, especially since the GDPR is a worldwide regulation because it applies to companies [outside] the EU.”
IT organizations must partner with lines of business to ensure that apps are enterprise-ready and that proper security mechanisms are available and can be placed on these apps, Hui said.
To be suitable for enterprise use, Netskope said a cloud app must meet certain baseline requirements around the following functions: identity and access control; file sharing; data classification; encryption; audit and alert; certifications and compliance; disaster recovery and business continuity. The cloud app must also be able to proxy traffic for inspection and security controls. Netskope measures this through its proprietary Cloud Confidence Index, which scores apps based on criteria across these eight functions.