cloud adoption & risk report - cirosec

CLOUD ADOPTION & RISK REPORT Q4 2014 Published Q1 2015


Cloud Adoption and Risk Report – Q4 2014

TABLE OF CONTENTS

INTRODUCTION

OVERVIEW OF CLOUD ADOPTION AND RISK

CALCULATED RISK

THE OVER-SHARING EFFECT

SENSITIVE DATA IN THE CLOUD

COMPROMISED IDENTITIES

TOP 20 ENTERPRISE CLOUD SERVICES LIST

TOP 20 CONSUMER APPS IN THE ENTERPRISE

TOP 10 FILE SHARING, COLLABORATION, AND SOCIAL MEDIA SERVICES

FASTEST GROWING CLOUD SERVICES


INTRODUCTION

There are more cloud services available than ever before, and the average number of cloud services used in the workplace reached a new high last quarter. This usage includes both sanctioned cloud services (aka sanctioned IT) and shadow cloud services (aka shadow IT), which typically include services adopted by the lines of business and services adopted by individuals. Both sanctioned IT and shadow IT take advantage of the cost benefits of the cloud as well as the feature sets not available in legacy applications. However, there is so much hype about what the cloud can provide that it can be difficult to understand how people are actually using cloud services, what data they store in them, and what risks exist within these new platforms.

To better understand cloud usage during this period of rapid innovation and change, Skyhigh publishes a quarterly Cloud Adoption & Risk (CAR) Report. What makes our report unique is that we base our findings on actual usage data rather than surveys that ask people for their opinions or best guesses. In this quarterly report, we’ve quantified for the first time how much sensitive data is stored in which cloud services, where it is shared outside the company, and the growing problem of compromised login credentials that are bought and sold on the darknet. As 2014 comes to a close, we’ll also review trends that shaped cloud adoption over the last year. We hope you enjoy the data in our 6th quarterly report!


OVERVIEW OF CLOUD ADOPTION AND RISK

Figure: Average number of cloud services in use by company. 2013 Q3: 545; 2013 Q4: 626; 2014 Q1: 759; 2014 Q2: 738; 2014 Q3: 831; 2014 Q4: 897.

The Q4 report is based on data from 15 million worldwide users at companies that span all major industries across the Americas, EMEA, and Asia Pacific. This quarter, the average number of cloud services in use at each company grew 8% from Q3 2014, and 43% from Q4 2013, to 897 services. That number is 10-20 times higher than what IT executives expect, especially considering that many of these cloud services are adopted by employees acting on their own, without the knowledge of the IT department.

Looking back at our Q4 2013 report, we wanted to compare how usage across categories has changed. The average number of services in use increased for every category. Since Q1 2014, the fastest growing category based on the growth in number of services is development (e.g. GitHub, SourceForge, etc.), which grew 97% in the past year. The second fastest growing category is collaboration (e.g. Microsoft Office 365, Gmail, etc.), which grew 53% despite already having a high number of services in use. The table below summarizes growth in the average number of cloud services in use per company from Q4 2013 to Q4 2014.


Category                Q4 2013   Q4 2014   Growth
Collaboration           91        139       53%
Development             24        47        97%
File sharing            37        45        20%
Content sharing         37        39        6%
Business intelligence   15        18        18%
Social media            23        27        17%
Tracking                23        24        4%

Looking at usage another way, the average employee now uses 27 different cloud services at work, including six collaboration services, four social media services, and three file-sharing services. The use of multiple services in each category shows that a single dominant player has yet to emerge in many categories. Across categories, the market for cloud services is rapidly evolving as new players enter the market, existing companies are acquired, and companies invest in new product capabilities.

Figure: The average employee uses 27 apps at work (categories shown: Collaboration, Social Media, Content Sharing, File Sharing, Business Intelligence, Other).


CALCULATED RISK

The risk presented by cloud providers varies widely. Across all cloud services available, just 9.4% achieved the highest rating of “enterprise-ready” by Skyhigh’s CloudTrust Program. The good news is that cloud providers invested heavily in security over the last year, and a much larger number now offer more robust security features and certifications. 1,459 services (17%) offer multi-factor authentication, as opposed to 705 last year; 533 (5%) are ISO 27001 certified, as opposed to 188 last year; and 1,082 (11%) encrypt data at rest, as opposed to 470 last year.

Clearly, there is still a long way to go, as some of the biggest names in cloud computing (including Gmail and PayPal) can store sensitive, personally identifiable information, including payment card data and banking information, as unencrypted data. Another service that doesn’t encrypt data stored at rest is eBay, which suffered one of the biggest data breaches of 2014 when 145 million account credentials were stolen.

TOP 10 SERVICES THAT...

CLAIM OWNERSHIP OF DATA UPLOADED TO THEM

1. Prezi
2. SourceForge
3. eFolder
4. Pastebin
5. myCapture
6. Placed
7. Lasso CRM
8. Schoology
9. Zapier
10. LeapFILE

DON’T ENCRYPT AT REST

1. Facebook
2. Twitter
3. YouTube
4. TubeMogul
5. LinkedIn
6. Gmail
7. eBay
8. PayPal
9. Hotmail
10. AOL Mail


THE OVER-SHARING EFFECT

The growing popularity of file sharing services is clear: in a recent Cloud Security Alliance survey,[1] file sharing was the most-requested category of cloud services. Based on our usage data, the average person uses three file-sharing services regularly. Many of these cloud services offer more than just file-syncing across devices; they’re platforms for collaborating with other people. Naturally, users share files with other people at their companies, but one concern we’ve heard is the prevalence of files being shared via public links, which can be shared with anyone without restriction.

[1] Cloud Security Alliance, “2015 Cloud Adoption Practices and Priorities Survey”

11% of documents in file sharing and collaboration services are shared outside the company. Of these, 18% were shared with personal email addresses such as Gmail, Hotmail, and Yahoo! Mail.

Analyzing sharing data in corporate-sanctioned file sharing and collaboration services, we found that 11% of all documents were shared outside the company. The majority of these external collaborators turned out to be business partners, but 18% of external collaboration requests went to third-party email addresses such as Gmail, Hotmail, and Yahoo! Mail. This could raise some red flags given the sensitive information users upload to file-sharing services. We cross-referenced our analysis of sensitive and confidential data in the cloud with sharing activity and found that a small but significant 9% of files shared externally contained sensitive or confidential information, putting these companies at risk.


SENSITIVE DATA IN THE CLOUD

Given that many companies today run mission-critical cloud services, it shouldn’t be surprising that sensitive or confidential information is stored in the cloud. However, this can be problematic for some companies with stringent security or regulatory requirements. These companies have likely deployed data loss prevention solutions, such as Symantec-Vontu, Intel McAfee, and EMC RSA, to prevent sensitive information from leaving the company via email. Today, they have a need to extend their DLP solutions to cloud services. We analyzed DLP violations in the cloud to understand what types of sensitive data users uploaded to which cloud services.

A surprising 37% of users in Q4 uploaded at least one file to a file-sharing cloud service that contained sensitive or confidential data, including: PII (personally identifiable information) such as social security number, date of birth, or address; payment information, such as credit card numbers or bank account numbers; PHI (protected health information) such as medical record number or health plan beneficiary number. In addition, 22% of files uploaded to a file-sharing service in that same timeframe contained sensitive or confidential data.

22% of files uploaded to file-sharing services contain sensitive data.

37% of users have uploaded sensitive data to a file-sharing service.


Beyond file sharing, 4% of fields in CRM or IT management applications contain sensitive PII such as policy number, driver’s license number, date of birth, or age, or PHI such as medical record number, health plan beneficiary number, or patient account numbers.

For companies that have extended their DLP policies to the cloud, we analyzed actions triggered due to policy violations, and 60% triggered an email alert to the violator/end-user. The next most common action, at 31%, was to quarantine or tombstone a file uploaded containing sensitive information. This is followed closely by changing sharing permissions – 26% of events triggered a modification of permissions to restrict sharing with users outside the company. Lastly, 13% of events resulted in the encryption of sensitive data.


COMPROMISED IDENTITIES

In 2014, there were more software vulnerabilities discovered and more data breaches than in any year on record. Following one of the largest breaches of the year, eBay asked 145 million users to change their passwords after attackers stole millions of login credentials. The theft of a username and password in the cloud era is significant because an attacker can gain access to all the data that user has access to in that service. That could include their own data as well as a lot of company data. Troublingly, a study by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are re-used in multiple places.

The implication here is that, for 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services in use by that person as well. Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be immense. We investigated this occurrence by looking at anomaly detection data that shows an attacker attempting to log in to a compromised account and cross-referencing that with data on user identities for sale on the darknet.


We found that 92% of companies have users with compromised identities. At the average company, 12% of users have at least one account that has been compromised. At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities. The availability of stolen credentials online is staggering. Anecdotally, we identified one Fortune 500 company with a staggering 10,155 compromised identities. Despite all industries being affected, real estate, utilities, and high-tech firms were particularly at risk. Until more cloud providers enable multi-factor authentication, we recommend users create a unique, strong password for each cloud service and change them regularly.

INDUSTRIES MOST EXPOSED TO COMPROMISED ACCOUNTS

Industry             % of employees with at least one password stolen
Financial            9%
Government           6%
Healthcare           5%
High tech            15%
Manufacturing        9%
Media                14%
Pharmaceutical       12%
Real estate          19%
Telecommunications   9%
Utilities            18%
Energy               11%


TOP 20 ENTERPRISE CLOUD SERVICES LIST

The cloud has created a new wave of enterprise software that is not only faster to develop, easier to deploy, and more cost effective, but also offers innovative features not found elsewhere. That’s because much of the innovation today is happening in software delivered via the cloud, and for many customers, the cloud is mainstream. These companies don’t use Salesforce because they think it’s the best cloud-based CRM, but rather because it’s the best CRM, period.

Amazon Web Services continues to dominate the list this quarter, followed by services from industry giants Microsoft, Salesforce, and Cisco. Large players have bought their way into the cloud through acquisitions, as evidenced by the number of big companies represented by their multi-billion dollar acquisitions such as Yammer (acquired by Microsoft for $1.2B), Concur (acquired by SAP for $8.3B), SuccessFactors (acquired by SAP for $3.4B), and Taleo (acquired by Oracle for $1.9B). Representing a new generation of enterprise software players, four companies in the list went public in the last 36 months including ServiceNow, Box, Zendesk, and Workday.

TOP 20 ENTERPRISE CLOUD SERVICES

1. Amazon Web Services
2. Microsoft Office 365
3. Salesforce
4. Cisco WebEx
5. ServiceNow
6. Yammer
7. Concur
8. Box
9. Zendesk
10. LivePerson
11. SuccessFactors
12. Workday
13. GoToMeeting
14. Oracle Taleo
15. OneDrive
16. Host Analytics
17. NetSuite
18. SAS OnDemand
19. BMC Service Management
20. OpenText BPM


TOP 20 CONSUMER APPS IN THE ENTERPRISE

In addition to the enterprise cloud services that are generally sanctioned and procured by the IT department, employees are also bringing a wide variety of consumer apps to work with them. Today, consumer apps frequently offer features that are as good if not better than those found in enterprise software, reversing the long-standing trend in the software industry where enterprise organizations had more advanced technology than the average consumer. While employees sometimes use these apps for personal use, they frequently use these apps for business use as well, which can put the security and compliance of corporate data at risk.

While much has been written about the consumerization of enterprise IT, a new phenomenon is the enterprization of consumer IT. Facebook, Dropbox, Google Drive, and Gmail are all offered in enterprise versions that provide greater controls for businesses. And many consumer apps have professional uses including LinkedIn for sales and recruiting, and YouTube, Twitter, Instagram, and Pinterest for social media marketing.

TOP 20 CONSUMER CLOUD SERVICES in the workplace

1. Facebook
2. Twitter
3. YouTube
4. LinkedIn
5. Pinterest
6. Gmail
7. Flickr
8. Myspace
9. Tumblr
10. Instagram
11. Yahoo! Mail
12. Dropbox
13. Google Drive
14. Photobucket
15. Slideshare
16. Apple iCloud
17. Shutterfly
18. Sina Weibo
19. VK
20. Spotify


TOP 10 FILE-SHARING, COLLABORATION, AND SOCIAL MEDIA SERVICES

A recent Cloud Security Alliance survey[2] asked IT professionals about requests they receive from end-users. An overwhelming 79% of respondents said they regularly receive requests for new cloud services. File sharing and collaboration were the most requested, with 80% of survey respondents indicating they received requests for services in these categories, followed by social media at 38%. In this section, we review the trends that shaped usage in each of these categories over the last year.

[2] Cloud Security Alliance, “2015 Cloud Adoption Practices and Priorities Survey”

FILE-SHARING

The average company now uses 45 file-sharing services, and individuals use three different services in the category on average. Over the last year Dropbox and Google Drive have remained the top services based on usage. The use of enterprise-ready Box has increased while the ranking of Yandex.Disk, which does not encrypt data at rest, has declined relative to others. Citrix ShareFile has risen from 8th to 5th in the last two quarters.

THE TOP 10 FILE SHARING SERVICES

Q4 2013: 1. Dropbox; 2. Google Drive; 3. OneDrive; 4. Box; 5. Yandex.Disk; 6. Solidfiles; 7. Freak Share; 8. File Factory; 9. Copy; 10. WeTransfer

Q1 2014: 1. Dropbox; 2. Google Drive; 3. OneDrive; 4. Box; 5. Yandex.Disk; 6. 4shared; 7. eFolder; 8. File Factory; 9. Solidfiles; 10. GoodSync

Q2 2014: 1. Dropbox; 2. Google Drive; 3. Box; 4. OneDrive; 5. eFolder; 6. Yandex.Disk; 7. GoodSync; 8. Solidfiles; 9. ShareFile; 10. 4shared

Q3 2014: 1. Dropbox; 2. Google Drive; 3. Box; 4. OneDrive; 5. Hightail; 6. WeTransfer; 7. Yandex.Disk; 8. 4shared; 9. ShareFile; 10. Firedrive

Q4 2014: 1. Dropbox; 2. Google Drive; 3. Box; 4. OneDrive; 5. ShareFile; 6. Yandex.Disk; 7. Hightail; 8. 4shared; 9. Firedrive; 10. Zippyshare


COLLABORATION

The average company uses a dizzying 139 collaboration services, and employees regularly use 6 collaboration services. Anecdotally, logging into multiple applications to collaborate across teams introduces friction and impedes collaboration, so companies that actively consolidate onto fewer platforms could see improvements in productivity and employee adoption. Microsoft and Google dominate the list, accounting for 5 of the 10 services listed. Yammer usage increased this year relative to others, while Prezi declined in the rankings.

THE TOP 10 COLLABORATION SERVICES

Q4 2013: 1. Microsoft Office 365; 2. Gmail; 3. Google Docs; 4. Cisco WebEx; 5. Yahoo! Mail; 6. Yammer; 7. Prezi; 8. Evernote; 9. Skype; 10. AOL

Q1 2014: 1. Gmail; 2. Microsoft Office 365; 3. Google Docs; 4. Cisco WebEx; 5. Yahoo! Mail; 6. Prezi; 7. Yammer; 8. AOL; 9. Google Drive; 10. Skype

Q2 2014: 1. Microsoft Office 365; 2. Gmail; 3. Cisco WebEx; 4. Google Docs; 5. Prezi; 6. Yahoo! Mail; 7. Yammer; 8. Evernote; 9. Intralinks; 10. ClearSlide

Q3 2014: 1. Microsoft Office 365; 2. Gmail; 3. Cisco WebEx; 4. Yahoo! Mail; 5. Google Apps; 6. Evernote; 7. Yammer; 8. Prezi; 9. Skype; 10. GoToMeeting

Q4 2014: 1. Microsoft Office 365; 2. Gmail; 3. Yammer; 4. Yahoo! Mail; 5. Cisco WebEx; 6. Google Apps; 7. Skype; 8. Evernote; 9. Prezi; 10. GoToMeeting


SOCIAL MEDIA

The average company uses 27 different social media services, and the average user regularly uses four social media services. While Facebook, Twitter, and LinkedIn have held the top three spots consistently, there is more movement from the international social networks.

THE TOP 10 SOCIAL MEDIA SERVICES

Q4 2013: 1. Facebook; 2. Twitter; 3. LinkedIn; 4. Sina Weibo; 5. Tumblr; 6. VK; 7. Badoo; 8. Ning; 9. Renren; 10. Foursquare

Q1 2014: 1. Facebook; 2. Twitter; 3. LinkedIn; 4. Sina Weibo; 5. VK; 6. Tumblr; 7. Badoo; 8. Foursquare; 9. LiveJournal; 10. Renren

Q2 2014: 1. Facebook; 2. Twitter; 3. LinkedIn; 4. Sina Weibo; 5. Tumblr; 6. Badoo; 7. VK; 8. LiveJournal; 9. Renren; 10. Foursquare

Q3 2014: 1. Facebook; 2. Twitter; 3. LinkedIn; 4. Sina Weibo; 5. VK; 6. Tumblr; 7. LiveJournal; 8. Badoo; 9. Foursquare; 10. Renren

Q4 2014: 1. Facebook; 2. Twitter; 3. LinkedIn; 4. Tumblr; 5. Sina Weibo; 6. VK; 7. Foursquare; 8. Badoo; 9. LiveJournal; 10. Renren


FASTEST GROWING CLOUD SERVICES

From an entrepreneur’s standpoint, launching a new service in the cloud and acquiring customers is very different from building on-premise software. From idea to launch, cloud-enabling entrepreneurs can reach a global market in weeks or months instead of years. From the perspective of the end-user, there is an unprecedented amount of choice, and people are inclined to use things that help them while discontinuing their use of things that either don’t help them or are inferior to other solutions. It is this idea that led us to think that, by measuring usage patterns across thousands of cloud services, we could help identify the up-and-coming solutions that are on the path to mainstream adoption based on their growth rates.

The fastest-growing apps of Q4 2014

Service        Quarterly growth rate in users
Todoist        146%
Loggly         119%
ToutApp        94%
ONTRAPORT      69%
Projectplace   58%
join.me        53%
CloudSponge    47%
Lumosity       43%
Behance        40%
Waze           38%


We calculated growth rates for all cloud services, based on the number of active users from Q3 to Q4 of 2014, and ranked them by their quarterly growth rate. The fastest-growing cloud services have doubled the number of users in a single quarter, and if they continue their growth, they could rival more established players in the years to come. Todoist and ToutApp have now appeared on the fastest growing list two quarters in a row. Demonstrating that a company can deliver features in high demand by end-users while also investing in security, Projectplace made the list and also received a rating of Skyhigh Enterprise-Ready because it satisfies the most stringent security and compliance requirements.


ABOUT SKYHIGH NETWORKS

Skyhigh Networks, the cloud security and enablement company, helps enterprises safely adopt cloud services while meeting their security, compliance, and governance requirements. Over 350 enterprises including Aetna, Cisco, DIRECTV, HP, and Western Union use Skyhigh to gain visibility into all cloud services in use and their associated risk; analyze cloud usage to identify security breaches, compromised accounts, and insider threats; and seamlessly enforce security policies with encryption, data loss prevention, contextual access control, and activity monitoring. Headquartered in Cupertino, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital, and Salesforce.com. For more information, visit us at www.skyhighnetworks.com or follow us on Twitter @skyhighnetworks.


UNCOVER SHADOW IT

“With Skyhigh we discovered a wide range of services, allowing us to understand their associated risks and put in place policies to protect corporate data.”
Steve Martino, VP Information Security

If you’d like to learn the scope of Shadow IT at your company, including detailed statistics profiled in this report, sign up for a complimentary cloud audit: bit.ly/ComplimentaryCloudAudit