Report: Exploding Use of Cloud Services Raises Security Risks

A report released today by Skyhigh Networks paints a scary picture of the exploding cloud services space, with rising security risks, huge exposure to malware, too much Windows XP use and no safe haven in Europe for companies concerned about government spying.

The quarterly "Skyhigh Cloud Adoption and Risk Report" from the Cupertino, Calif.-based "cloud visibility and enablement company" collates data from more than 8.3 million users in more than 250 companies. It's the third report since the series started last fall.

The number of cloud services in use since last quarter increased 33 percent, from 2,675 to 3,571. On average, organizations used 759 cloud services, compared with 626 last quarter, a 21 percent increase.

But while more cloud services are being used, the percentage of those deemed "enterprise ready" from a security perspective decreased from 11 percent to 7 percent. Enterprise-ready companies meet "the most stringent requirements for data protection, identity verification, service security, business practices and legal protection," according to the company. The decrease in enterprise-ready organizations "suggests that a majority of new cloud services used by employees are exposing organizations to risk," the company said.

The risk of each service is rated with the company's CloudTrust Program, which takes into account more than 50 attributes of risk in the categories of users and devices, services, business and legal.

Skyhigh Networks said a notable security risk is the fragmented use of cloud services, with organizations on average subscribing to 24 file sharing services and 91 collaboration services. "This not only impedes collaboration and leads to employee frustration, but also results in greater risk since 60 percent of the file sharing services used are high risk services," the report stated.

Of the top 10 file sharing services, only one, Box, was deemed enterprise ready. Services such as Dropbox and Google Drive were rated at a medium risk, while high-risk services included Yandex.Disk, 4shared and Solidfiles.

In the collaboration category, Skyhigh rated Microsoft's Office 365 and Cisco WebEx as enterprise ready, while AOL was the lone high-risk service. Services such as Google's Gmail, Google Docs and Google Drive were medium risk, along with Microsoft services Skype and Yammer, among others.

Of all the services reported, the top 10 were:

1. Facebook
2. Amazon Web Services
3. Twitter
4. YouTube
5. Salesforce
6. LinkedIn
7. Gmail
8. Office 365
9. Google Docs
10. Dropbox

The report stated that 18 percent of companies surveyed were using at least 1,000 devices running Windows XP, which lost official support -- and security updates and patches -- from Microsoft last month. Some 90 percent of the cloud services accessed by Windows XP were rated as medium or high risk.

On the positive side of things, a surprising vulnerability to the Heartbleed bug found in the open source OpenSSL cryptography library was reported early in April -- with one-third of cloud services in use being exposed to the bug-- but remediation steps taken by cloud services providers quickly brought that down to less than 1 percent later in the month.

But other security scares remained in full effect. "The malware problem is alive and well, as 29 percent of organizations had anomalous cloud access indicative of malware," the company said. "In addition, 16 percent of organizations had anomalous cloud access to services that store business critical data, introducing an even higher level of risk."

Finally, a last warning highlighted by Skyhigh relates to U.S. companies' concerns about government spying, with the National Security Agency revelations still in the news. "Given the concerns around the U.S. Patriot Act and U.S. government-issued blind subpoenas, there is a growing school of thought advocating the use of cloud services headquartered in privacy-friendly countries (that is, the European Union)," the company said. "However, 9 percent of cloud services headquartered in the EU are high risk, compared to only 5 percent of cloud services headquartered in the U.S. So, while EU-based cloud services provide protection from the U.S. Patriot Act, they do expose organizations to greater security risks."

The Skyhigh report gathered data from 10 vertical industries: education, financial services, health care, high tech, media, oil and gas, manufacturing, retail, services and utilities.

"With this report, we uncovered trends beyond the presence of shadow IT in the enterprise," said CEO Rajiv Gupta. "We provide real data around cloud usage, adoption of enterprise-ready services, the category of services demanded by employees, as well as malware and other vulnerabilities from these cloud services. It’s this type of data and analysis that CIOs use to maximize the value of cloud services and help drive an organized, productive, and safe movement to the cloud."

Posted by David Ramel on 05/07/2014 at 2:18 PM