Industry Trends

Confronting Cloud Sprawl: Importance & Key Tactics

By Lior Cohen | April 01, 2019

The transition to cloud has been rapid and unprecedented. Today, almost every organization uses cloud applications in some capacity. However, back in 2012, only about 12% of organizations had any infrastructure or applications in the cloud.

That said, the work isn’t finished just yet. Not even the cloud is immune to digital transformation and consolidation. The biggest indicator of this is the consolidation of the public cloud marketplace. A recent estimate from IDC found Amazon Web Services, Microsoft,, Google, and Oracle represent 38% of worldwide cloud revenue, and this number is growing 32% year over year.

While almost every organization uses cloud technology, they may not know where every instance of the technology exists. Gartner studies, for example, have found that Shadow IT comprises 30 to 40% of IT spending in large enterprises, with the average enterprise using a staggering 1,935 different cloud services, with fewer than 50 of them known to IT. And according to IBM, only 8.1% of cloud services meet the strict data security and privacy requirements of enterprises.

Cloud Sprawl Causes Security Challenges

The cloud promises freedom and flexibility. For this reason, many organizations are enticed to adopt and deploy solutions before they have put a comprehensive security strategy. In the majority cases, a large amount of cloud-based spending bypasses the CIO, as lines of business have a vested interest in deploying cloud solutions as quickly as they deployed on-premises solutions.

According to Foundry, 55% of organizations now have a multi-cloud deployment in place – but most organizations do not have any sort of unified system in place for monitoring, managing, or securing their legitimate cloud applications and infrastructures. And as IT organizations race to put these systems in place, they tend to pass over solutions that have been adopted by users without IT’s knowledge. The end result of this is a massive amount of cloud technology with very little protection against threats.

Preventing Cloud Sprawl with People and Technology

Failing to address the security challenges of such dramatic cloud sprawl puts your organization at serious risk. Getting out in front of this challenge requires security teams to develop a two-pronged campaign that focuses on human intervention and the adoption of new technologies.

Human Intervention

Security leaders must begin by educating corporate executives, line of business leaders, and users on the risks associated with unsupervised cloud adoption. At the same time, IT teams cannot afford to be seen as restricting business. Your job is to educate users on the range of solutions that meet their needs and that can also be easily integrated into your existing IT security strategy.

Technical Strategy

Organizations also need to put a technical strategy in place to control the cloud sprawl security issues:

  • Integrate security tools: Security tools must work as a single, integrated system that spans the entire network—including cloud elements that you may not know about.

  • Leverage native cloud controls: Security solutions that use native cloud controls to manage and secure cloud resources ensure the fastest and most effective results.

  • Span security across clouds: Cloud connectors designed specifically for each cloud environment enable quick and easy deployment of security solutions while ensuring consistent visibility and control across a multi-cloud deployment.

  • Implement intent-based segmentation: Intent-based segmentation translates business language into security protocols to isolate resources as they traverse the distributed network, including across and between multi-cloud environments.

  • Establish strong access controls: Analyze, process, secure, and monitor every device, application, transaction, or workflow looking to interact with cloud infrastructures and applications.

  • Deploy CASB: Cloud access security brokers (CASB) provide visibility, compliance, data security, and threat protection for any cloud-based service being used by an organization—even Shadow IT.

Read more about how Fortinet secures multi-cloud environments with our Security Fabric.