And solving it is apparently not as simple as issuing a directive forbidding the use of cloud services without the approval of IT.
"People look for the path of least resistance," said Edy Almer, vice president at Wave Systems. "And for organizations that are not willing to fire good employees just to set an example, technical measures are mandatory to support the written policy."
Vinny Sakore, program manager for cloud security services at ICSA Labs, said, "Remember, the issue here isn't automation but human behavior, and we humans are resilient beings who often like to think out of the box."
Chris Eng, vice president of research at Veracode, said it is technically possible for IT simply to block open cloud services from the corporate network, but he said "there'd still be ways around it.
"For example, people take work home, and maybe they simply access Dropbox from there instead. Or they switch to one of many other cloud storage services, like Box or SkyDrive," he said. "Now you have sensitive company data on several cloud services instead of just one. People will always find ways to circumvent the rules, especially if they feel it makes their job easier."
Beyond that, there are enough benefits to "bring your own cloud" that management doesn't want to discourage it. "The productivity benefits and cost improvements of many of these services are bubbled up to the CEO, who sees the benefit, and may not appreciate the risk," said Andres Kohn, vice president of technology at Proofpoint.
Dave Elliott said there's no turning back. "You don't really want to stop it," he said of rogue cloud use. "The forward thinkers want to enable users to take advantage of the cloud. It's productivity enhancing -- a business enabler," he said.
So, Elliott and other experts say it is up to IT to mitigate the risks. Kohn said: "Organizations on the leading edge of this trend have already implemented a CISO position that has greater visibility and power in the organization, and whose role is not to say 'no,' but to say 'yes, you can do it securely in this way.'"
Elliott said besides written policies, awareness training and monitoring, companies can choose certain public cloud services in different categories, "and make them the 'blessed' ones." Some companies, he added, can create in-house cloud services that are as easy and convenient as the popular public ones.
The ideal will be when IT departments can create a "seamless ability for your end users to use any cloud service, but layer visibility and control on top of it. Then people can extend the personal into corporate," Elliott said.
That would have to include encryption of data and "letting the company manage the keys, not the cloud provider," he said.
Eng notes that most workers are just looking to do their jobs better and faster. "If it solves their pain point, they won't need to skirt the policies," he said.