While most cloud data is within the control of IT departments (eg, in Office 365, Workday or Slack, or in applications running on IaaS), only 36% of organisations say they can enforce data protection in the cloud.
Since business units can adopt cloud services without input from the IT department, a first step is to gain visibility of shadow IT. "Without visibility, it is hard to enforce controls," Camissar observed.
This could be achieved with security platforms such as McAfee's, for example by observing network traffic patterns.
For example, financial services organisations may find that using collaboration software increases agility, allowing new products to reach the market more quickly. But such software also increases the risk of data leaks unless appropriate controls are applied.
These controls could be applied via a cloud access security broker such as MVision Cloud, which is based on technology that came with McAfee's 2018 acquisition of Skyhigh Networks. But only about one-third of organisations already have such a system in place, Camissar said.
There are also cost considerations. He described the case of a manufacturing company that discovered tens of different file-sharing applications were in use around the organisation. An analysis of data stored in the expenses system revealed that investing in a single, secure file-sharing service would save money as well as reduce risks.
MVision Cloud works with McAfee's on-premises data loss prevention software to ensure the consistent application of policies. For example, if someone tries to send a shared link from Office 365, the software examines the linked file so that the DLP measures are applied just as if it were sent as an attachment.
And where employees may need to download reports from SaaS systems for offline use, McAfee's security products can be used to apply digital rights management as a way of allowing only legitimate users to open the documents.
This isn't just about defending against malicious activity. Research has revealed a significant number of cases where sensitive information had been inadvertently emailed to the wrong people.
Other capabilities include checking security settings, for instance, to ensure that AWS S3 storage buckets haven't been left open for public inspection.
Organisations previously had to choose between moving rapidly to the cloud and doing it securely, Camissar said. But thanks to products such as the MVision family, both goals could now be achieved simultaneously.