As bank executives continue to debate, hesitate and worry over the security issues related to using applications that connect to the cloud, their employees are using cloud-based apps by the hundreds — often without banks' knowledge.
The average bank had 844 cloud services in use throughout its network in the third quarter of this year, according to an analysis conducted by Skyhigh Networks, far higher than bank IT departments estimated.
"If you did a survey where you asked the financial services companies themselves [how many cloud services they use], the answer would be somewhere between 32 and 34, because you approved those," said Rajiv Gupta, CEO of Skyhigh, which provides cloud security software.
The gap is because many employees are quietly downloading cloud services like Dropbox and Gmail, in the interest of being more productive, while a bank's IT department is not even aware it's happening or the potential security problems that could result. Indeed, many IT departments distrust cloud services because they do not view them as secure.
"There's a big disconnect, and it's frightening," said David Albertazzi, who is senior analyst, retail banking and payments at the Aite Group. "It's not so much about cloud computing. It's about a failure in vendor risk management programs and overall risk assessment of the institution."
Vendor management can often be overwhelming. Many banks deal with 500 to 1,000 venders, but only a handful are considered mission critical. But Albertazzi said it's important that all vendors be included in the vendor risk program so that nothing falls between the cracks.
A recent Cloud Security Alliance survey found that 52% of IT professionals in financial services have been pressured to approve an app they did not think met the company's security or compliance requirements. And IT executives themselves break the rules at times.
"I was talking to the CISO of a bank, he was nodding and taking notes, and he stopped and realized he was taking notes in Evernote, which is not an approved service at the bank," Gupta said. "He was using a service that makes him efficient."
Financial services companies do approve the use of some cloud services. The Cloud Security Alliance survey found that 24% of financial services companies have a "full steam ahead" attitude toward the cloud and another 62% of these companies are moving with caution.
But 76% of IT professionals at financial services companies said they did not know the scope of shadow IT at their companies, but wanted to know.
PROTECTING WESTERN UNION
The high rate of under-the-radar use of cloud apps in financial services companies comes as no surprise to David Levin, director of information security at Western Union.
"I think  is a true number across a lot of organizations," he said.
Common cloud-based apps could include Facebook and Gmail, he said.
Western Union has long had a web filter that blocked certain categories of sites (including cloud services). But frustrated users requested more and more apps to a degree that was overwhelming.
Levin, who oversees security for 10,000 corporate employees, said his biggest security concern about cloud apps is around document sharing sites like Dropbox and Box.
"Your data is in the cloud, you don't know how it's being used," Levin said. "The users don't realize the risks, they just see it as a productivity improvement product."
Sites for collaboration and project management also raise concerns, Levin said, as well as sites used for code development and analysis.
"Going to a cloud application to run a project doesn't necessarily introduce risk to the network," he said. "The tough thing is that the security policies and standards Western Union adheres to might not be shared by the cloud computing company."
As more users sign up for cloud apps, however, they're accepting those companies' terms and conditions.
"Who's reading those? Is legal involved in that?" Levin said. "Most likely not."
Levin also worries about the authentication measures cloud providers use.
"Do they have the same password complexity? Do they offer two-factor authentication? These are all the kinds of things we typically check when we work with vendors through the proper process, and the cloud kind of bypasses all that," he said.
To address these issues, Western Union created an initiative called WISE — Western Union Information Security Enablement.
"We were all about the security team providing next-gen technology to our employees to help them do their job better, rather than saying, you can't go to that website, tough luck," Levin said. "If you tell them no, they'll go anyway. If you give them solutions that are easy to use and feel like they're next gen or make their lives easier, they'll migrate to that, and you'll reduce your risk of them going to the other side."
The company first brought in a cloud single-sign-on authentication solution called Okta, then a file transfer solution from Accellion that's similar to Box, but with added security and housed in Western Union's private cloud. It implemented Skyhigh's software to monitor the use of cloud apps and understand how the apps are being used, who's using them, and the risks of those apps.