Does having too many cloud services raise security risks?

SUMMARY:

An average of 897 cloud services in every European organization – bold claims from Skyhigh research.

The average European organization uses 897 cloud services, a growth rate of 61% over the same quarter last year, but a lot of that usage brings with it serious security and data integrity issues.

That’s the claim from security firm Skyhigh Networks. Now clearly, as soon as you’re aware that the data is coming from a security firm, you’re on red alert for the inevitable dire predictions of forthcoming doom and despondency. That’s the risk you take with any form of vendor-sponsored research – it’s going to preach a particular gospel and you can usually work out what that’s going to be in advance.

But what does catch the eye about this study – Cloud Adoption and Risk in Europe – is that the security sabre-rattling only makes up part of a wider whole. The firm claims that its study is “unique” – a very, very dangerous word – on the basis that it’s not a survey that asks people to “self-report”, but is instead based on actual usage data from 2.5 million employees in European organizations and across 12,000 cloud services. It’s an ongoing study program with the latest report covering Q2 of 2015.

Top 20 Consumer Cloud Services. Source: Skyhigh Networks.

So what are some of the latest headline claims being made? Expanding on the average number of 897 cloud services, the study reports that the minimum number of cloud services it’s found in a single European organization is 507. That was at a company with 200 employees. The highest number is north of 3000.

The study observes:

Another way of looking at this is that the average company is adding more than one new cloud service per day, reminding us that this is a rapidly changing market and the IT department needs constant updates to be able to manage both shadow and sanctioned cloud adoption.

It adds that the average European organization uploads 12.3 TB to the cloud each month, an amount equal to around 7.6 million copies of War and Peace in digital form (at 1.7 MB per copy).

Of the 897 cloud services in use by the average European organization, the most popular category is collaboration with 226 cloud services, such as Office365, Gmail and Evernote. That’s followed by development, on 87 services per organization, such as SourceForge and GitHub. Next is content sharing with 54 services, such as YouTube; social media with 49 services per organization; and file sharing with 38, such as Dropbox and Google Drive.

The average European employee apparently can be counted on to use 23 distinct cloud services, including seven collaboration services, four file-sharing services, three social media services, and three content sharing services.

But he or she is a rank amateur compared to the most prolific cloud services user that the study uncovered. This individual uses a mighty 594 cloud services, including 101 collaboration services, 38 development services, 38 IT management services, and 22 content sharing services.

Top 20 Enterprise Cloud Services. Source: Skyhigh Networks.

OK, so far, so interesting enough. Now for the security alarm spin. The study argues that while all this cloud services usage means that they are demonstrably in mainstream use, the worrying aspect is that a mere 7% of them meet enterprise security and compliance requirements, as rated by Skyhigh’s CloudTrust Program.

This is pitched by Skyhigh as:

a comprehensive evaluation of a service’s security controls and enterprise readiness based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Because there is no cost for qualified cloud service providers to participate in the program, Skyhigh customers are assured that the ratings they rely on are completely objective.

Based on the metrics of that program, Skyhigh’s research concludes that only 15.4% of existing cloud services support multi-factor authentication, 2.8% have ISO 27001 certification, and 9.4% encrypt data stored at rest.

Further conclusions around data sovereignty, a thorny topic for US-based providers and a European Commission determined to strengthen the cloud borders around Europe, include:

  • 14.3% of cloud providers store data inside the EU.
  • 3.6% are in countries with equivalent data protection.
  • 17.1% are U.S.-hosted and have signed up for the Safe Harbor regulations.
  • 64.9% are not safe for EU data. (There’s some improvement here though as in Q4 of 2014, that figure was 74.3%.)

The final conclusion is a charge that European companies are deluding themselves about the threat level. While 18% of European companies surveyed reported an insider threat incident in the last year, Skyhigh’s research finds that 87% reported behavior indicative of an insider threat in the last quarter alone.

It states:

While not all of these events turn out to be malicious activity, the incidence of potentially destructive behavior by employees is much higher than most European organizations realize.

My take

As ever with such studies, you can buy every finding or you can pick and choose which ones you take with a pinch of salt. Skyhigh itself acknowledges in the report that there will be those who will be surprised at the 897 top line figure.

But overall it’s an interesting set of conclusions drawn from what appears to be a very expansive end user footprint. And the data sovereignty angle will provide succour for those in Brussels on a mission.