cloud adoption & risk report - cirosec
CLOUD ADOPTION & RISK REPORT Q4 2014, Published Q1 2015
Cloud Adoption and Risk Report – Q4 2014
TABLE OF CONTENTS
INTRODUCTION
OVERVIEW OF CLOUD ADOPTION AND RISK
CALCULATED RISK
THE OVER-SHARING EFFECT
SENSITIVE DATA IN THE CLOUD
COMPROMISED IDENTITIES
TOP 20 ENTERPRISE CLOUD SERVICES LIST
TOP 20 CONSUMER APPS IN THE ENTERPRISE
TOP 10 FILE SHARING, COLLABORATION, AND SOCIAL MEDIA SERVICES
FASTEST GROWING CLOUD SERVICES
INTRODUCTION
There are more cloud services available than ever before, and the average number of
cloud services used in the workplace reached a new high last quarter. This usage includes
both sanctioned cloud services (aka sanctioned IT) and shadow cloud services (aka shadow
IT), which typically include services adopted by the lines of business and services adopted
by individuals. Both sanctioned IT and shadow IT take advantage of the cost benefits of
the cloud as well as the feature sets not available in legacy applications. However, there
is so much hype about what the cloud can provide that it can be difficult
to understand how people are actually using cloud services, what data they store in them,
and what risks exist within these new platforms.
To better understand cloud usage during this period of rapid innovation and change, Skyhigh
publishes a quarterly Cloud Adoption & Risk (CAR) Report. What makes our report unique is
that we base our findings on actual usage data rather than surveys that ask people for their
opinions or best guesses. In this quarterly report, we’ve quantified for the first time how
much sensitive data is stored in which cloud services, where it is shared outside the company,
and the growing problem of compromised login credentials that are bought and sold on the
darknet. As 2014 comes to a close, we’ll also review trends that shaped cloud adoption over
the last year. We hope you enjoy the data in our 6th quarterly report!
OVERVIEW OF CLOUD ADOPTION AND RISK
AVERAGE NUMBER OF CLOUD SERVICES IN USE BY COMPANY
2013 Q3    545
2013 Q4    626
2014 Q1    759
2014 Q2    738
2014 Q3    831
2014 Q4    897
The Q4 report is based on data from 15 million worldwide users at companies that
span all major industries across the Americas, EMEA, and Asia Pacific. This quarter, the
average number of cloud services in use at each company grew 8% from Q3 2014 and
43% from Q4 2013, to 897 services. That number is 10-20 times higher than what IT
executives expect, especially considering that many of these cloud services are adopted
by employees acting on their own, without the knowledge of the IT department.
Looking back at our Q4 2013 report, we wanted to compare how usage across categories
has changed. The average number of services in use increased for every category. Since
Q1 2014, the fastest growing category based on the growth in number of services is
development (e.g. GitHub, SourceForge, etc.), which grew 97% in the past year. The
second fastest growing category is collaboration (e.g. Microsoft Office 365, Gmail, etc.),
which grew 53% despite already having a high number of services in use. The table
below summarizes growth in the average number of cloud services in use per company
from Q4 2013 to Q4 2014.
Category                Q4 2013   Q4 2014   Growth
Collaboration           91        139       53%
Development             24        47        97%
File sharing            37        45        20%
Content sharing         37        39        6%
Business intelligence   15        18        18%
Social media            23        27        17%
Tracking                23        24        4%
Looking at usage another way, the average employee now uses 27 different cloud services at
work, including six collaboration services, four social media services, and three file-sharing
services. The use of multiple services in each category shows that a single dominant player has yet
to emerge in many categories. Across categories, the market for cloud services is rapidly
evolving as new players enter the market, existing companies are acquired, and companies invest in
new product capabilities.
[Chart: The average employee uses 27 apps at work. Categories shown: Collaboration, Social Media, Content Sharing, File Sharing, Business Intelligence, Other]
CALCULATED RISK
The risk presented by cloud providers varies widely. Across all cloud services available, just 9.4%
achieved the highest rating of “enterprise-ready” from Skyhigh’s CloudTrust Program. The good
news is that cloud providers invested heavily in security over the last year, and a much larger
number now offer more robust security features and certifications. 1,459 services (17%)
offer multi-factor authentication, as opposed to 705 last year; 533 (5%) are ISO 27001 certified,
as opposed to 188 last year; and 1,082 (11%) encrypt data at rest, as opposed to 470 last year.
Clearly, there is still a long way to go as some of the biggest names in cloud computing
(including Gmail and PayPal) can store sensitive, personally identifiable information, including
payment card data and banking information, as unencrypted data. Another service that doesn’t
encrypt data stored at rest is eBay, which suffered one of the biggest data breaches of 2014
when 145 million account credentials were stolen.
TOP 10 SERVICES THAT CLAIM OWNERSHIP OF DATA UPLOADED TO THEM
1. Prezi
2. SourceForge
3. eFolder
4. Pastebin
5. myCapture
6. Placed
7. Lasso CRM
8. Schoology
9. Zapier
10. LeapFILE
TOP 10 SERVICES THAT DON’T ENCRYPT AT REST
1. Facebook
2. Twitter
3. YouTube
4. TubeMogul
5. LinkedIn
6. Gmail
7. eBay
8. PayPal
9. Hotmail
10. AOL Mail
THE OVER-SHARING EFFECT
The growing popularity of file sharing services is clear – in a recent Cloud Security Alliance
survey,[1] file sharing was the most-requested category of cloud services. Based on our usage
data, the average person uses three file-sharing services regularly. Many of these cloud services
offer more than just file-syncing across devices; they’re platforms for collaborating with other
people. Naturally, users share files with other people at their companies, but one concern we’ve
heard is the prevalence of files being shared via public links, which can be shared with anyone
without restriction.
[1] Cloud Security Alliance, “2015 Cloud Adoption Practices and Priorities Survey”
11% of documents in file sharing and collaboration services are shared outside the company. Of these, 18% were shared with personal email addresses such as Gmail, Hotmail, and Yahoo! Mail.
Analyzing sharing data in corporate-sanctioned file sharing and collaboration services, we found
that 11% of all documents were shared outside the company. The majority of these external
collaborators turned out to be business partners, but 18% of external collaboration requests
went to third-party email addresses such as Gmail, Hotmail, and Yahoo! Mail. This could raise
some red flags given the sensitive information users upload to file-sharing services. We
cross-referenced our analysis of sensitive and confidential data in the cloud with sharing activity
and found that a small but significant 9% of files shared externally contained sensitive or
confidential information, putting these companies at risk.
SENSITIVE DATA IN THE CLOUD
Given that many companies today run mission-critical cloud services, it shouldn’t be surprising
that sensitive or confidential information is stored in the cloud. However, this can be problematic
for some companies with stringent security or regulatory requirements. These companies have
likely deployed data loss prevention solutions, such as Symantec-Vontu, Intel McAfee, and EMC
RSA, to prevent sensitive information from leaving the company via email. Today, they have a
need to extend their DLP solutions to cloud services. We analyzed DLP violations in the cloud to
understand what types of sensitive data users uploaded to which cloud services.
A surprising 37% of users in Q4 uploaded at least one file to a file-sharing cloud service that
contained sensitive or confidential data, including: PII (personally identifiable information) such
as social security number, date of birth, or address; payment information, such as credit card
numbers or bank account numbers; and PHI (protected health information) such as medical record
number or health plan beneficiary number. In addition, 22% of files uploaded to a file-sharing
service in that same timeframe contained sensitive or confidential data.
22% of files uploaded to file-sharing services contain sensitive data
37% of users have uploaded sensitive data to a file-sharing service
Beyond file sharing, 4% of fields in CRM or IT management applications contain sensitive PII
such as policy number, driver’s license number, date of birth, or age, or PHI such as medical
record number, health plan beneficiary number, or patient account numbers.
For companies that have extended their DLP policies to the cloud, we analyzed actions triggered
due to policy violations, and 60% triggered an email alert to the violator/end-user. The next most
common action, at 31%, was to quarantine or tombstone a file uploaded containing sensitive
information. This is followed closely by changing sharing permissions – 26% of events triggered
a modification of permissions to restrict sharing with users outside the company. Lastly, 13% of
events resulted in the encryption of sensitive data.
COMPROMISED IDENTITIES
In 2014, there were more software vulnerabilities discovered and more data breaches
than in any year on record. Following one of the largest breaches of the year, eBay
asked 145 million users to change their passwords after attackers stole millions of login
credentials. The theft of a username and password in the cloud era is significant because
an attacker can gain access to all the data that user has access to in that service. That
could include their own data as well as a lot of company data. Troublingly, a study
by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are
reused in multiple places.
The implication here is that, for 31% of compromised identities, an attacker could not
only gain access to all the data in that cloud service, but potentially all the data in the
other cloud services in use by that person as well. Considering that the average person
uses three different cloud file-sharing services, and 37% of users upload sensitive data
to cloud file-sharing services, the impact of one compromised account can be immense.
We investigated this occurrence by looking at anomaly detection data that shows an
attacker attempting to log in to a compromised account and cross-referencing that with
data on user identities for sale on the darknet.
We found that 92% of companies have users with compromised identities. At the
average company, 12% of users have at least one account that has been compromised.
At the time of our analysis, we found that some accounts had been updated with new
passwords, while many others remained active with compromised identities. The
availability of stolen credentials online is staggering. Anecdotally, we identified one
Fortune 500 company with a staggering 10,155 compromised identities. Despite all
industries being affected, real estate, utilities, and high-tech firms were particularly at
risk. Until more cloud providers enable multi-factor authentication, we recommend users
create a unique, strong password for each cloud service and change them regularly.
INDUSTRIES MOST EXPOSED TO COMPROMISED ACCOUNTS
% of employees with at least one password stolen
Financial            9%
Government           6%
Healthcare           5%
High tech            15%
Manufacturing        9%
Media                14%
Pharmaceutical       12%
Real estate          19%
Telecommunications   9%
Utilities            18%
Energy               11%
TOP 20 ENTERPRISE CLOUD SERVICES LIST
The cloud has created a new wave of enterprise software that is not only faster to
develop, easier to deploy, and more cost effective, but also offers innovative features
not found elsewhere. That’s because much of the innovation today is happening in
software delivered via the cloud, and for many customers, the cloud is mainstream. These
companies don’t use Salesforce because they think it’s the best cloud-based CRM, but
rather because it’s the best CRM, period.
Amazon Web Services continues to dominate the list this quarter, followed by services
from industry giants Microsoft, Salesforce, and Cisco. Large players have bought their
way into the cloud through acquisitions, as evidenced by the number of big companies
represented by their multi-billion dollar acquisitions such as Yammer (acquired by
Microsoft for $1.2B), Concur (acquired by SAP for $8.3B), SuccessFactors (acquired by SAP
for $3.4B), and Taleo (acquired by Oracle for $1.9B). Representing a new generation of
enterprise software players, four companies in the list went public in the last 36 months
including ServiceNow, Box, Zendesk, and Workday.
TOP 20 ENTERPRISE CLOUD SERVICES
1. Amazon Web Services
2. Microsoft Office 365
3. Salesforce
4. Cisco WebEx
5. ServiceNow
6. Yammer
7. Concur
8. Box
9. Zendesk
10. LivePerson
11. SuccessFactors
12. Workday
13. GoToMeeting
14. Oracle Taleo
15. OneDrive
16. Host Analytics
17. NetSuite
18. SAS OnDemand
19. BMC Service Management
20. OpenText BPM
TOP 20 CONSUMER APPS IN THE ENTERPRISE
In addition to the enterprise cloud services that are generally sanctioned and procured by
the IT department, employees are also bringing a wide variety of consumer apps to work
with them. Today, consumer apps frequently offer features that are as good if not better
than those found in enterprise software, reversing the long-standing trend in the software
industry where enterprise organizations had more advanced technology than the average
consumer. While employees sometimes use these apps for personal use, they frequently
use these apps for business use as well, which can put the security and compliance of
corporate data at risk.
While much has been written about the consumerization of enterprise IT, a new
phenomenon is the enterprization of consumer IT. Facebook, Dropbox, Google Drive, and
Gmail are all offered in enterprise versions that provide greater controls for businesses.
And many consumer apps have professional uses including LinkedIn for sales and
recruiting, and YouTube, Twitter, Instagram, and Pinterest for social media marketing.
TOP 20 CONSUMER CLOUD SERVICES IN THE WORKPLACE
1. Facebook
2. Twitter
3. YouTube
4. LinkedIn
5. Pinterest
6. Gmail
7. Flickr
8. Myspace
9. Tumblr
10. Instagram
11. Yahoo! Mail
12. Dropbox
13. Google Drive
14. Photobucket
15. Slideshare
16. Apple iCloud
17. Shutterfly
18. Sina Weibo
19. VK
20. Spotify
TOP 10 FILE-SHARING, COLLABORATION, AND SOCIAL MEDIA SERVICES
A recent Cloud Security Alliance survey[2] asked IT professionals about requests they
receive from end-users. An overwhelming 79% of respondents said they regularly receive
requests for new cloud services. File sharing and collaboration were the most requested,
with 80% of survey respondents indicating they received requests for services in these
categories, followed by social media at 38%. In this section, we review the trends that
shaped usage in each of these categories over the last year.
[2] Cloud Security Alliance, “2015 Cloud Adoption Practices and Priorities Survey”
FILE-SHARING
The average company now uses 45 file-sharing services, and individuals use three different
services in the category on average. Over the last year Dropbox and Google Drive have
remained the top services based on usage. The use of enterprise-ready Box has increased, while
the ranking of Yandex.Disk, which does not encrypt data at rest, has declined relative to others. Citrix
ShareFile has risen from 8th to 5th in the last two quarters.
THE TOP 10 FILE SHARING SERVICES
Q4 2013
1. Dropbox
2. Google Drive
3. OneDrive
4. Box
5. Yandex.Disk
6. Solidfiles
7. Freak Share
8. File Factory
9. Copy
10. WeTransfer
Q1 2014
1. Dropbox
2. Google Drive
3. OneDrive
4. Box
5. Yandex.Disk
6. 4shared
7. eFolder
8. File Factory
9. Solidfiles
10. GoodSync
Q2 2014
1. Dropbox
2. Google Drive
3. Box
4. OneDrive
5. eFolder
6. Yandex.Disk
7. GoodSync
8. Solidfiles
9. ShareFile
10. 4shared
Q3 2014
1. Dropbox
2. Google Drive
3. Box
4. OneDrive
5. Hightail
6. WeTransfer
7. Yandex.Disk
8. 4shared
9. ShareFile
10. Firedrive
Q4 2014
1. Dropbox
2. Google Drive
3. Box
4. OneDrive
5. ShareFile
6. Yandex.Disk
7. Hightail
8. 4shared
9. Firedrive
10. Zippyshare
COLLABORATION
The average company uses a dizzying 139 collaboration services, and employees regularly use
6 collaboration services. Anecdotally, logging into multiple applications to collaborate across
teams introduces friction and impedes collaboration, so companies that actively consolidate
onto fewer platforms could see improvements in productivity and employee adoption.
Microsoft and Google dominate the list, accounting for 5 of the 10 services listed. Yammer
usage increased this year relative to others, while Prezi declined in the rankings.
THE TOP 10 COLLABORATION SERVICES
Q4 2013
1. Microsoft Office 365
2. Gmail
3. Google Docs
4. Cisco WebEx
5. Yahoo! Mail
6. Yammer
7. Prezi
8. Evernote
9. Skype
10. AOL
Q1 2014
1. Gmail
2. Microsoft Office 365
3. Google Docs
4. Cisco WebEx
5. Yahoo! Mail
6. Prezi
7. Yammer
8. AOL
9. Google Drive
10. Skype
Q2 2014
1. Microsoft Office 365
2. Gmail
3. Cisco WebEx
4. Google Docs
5. Prezi
6. Yahoo! Mail
7. Yammer
8. Evernote
9. Intralinks
10. ClearSlide
Q3 2014
1. Microsoft Office 365
2. Gmail
3. Cisco WebEx
4. Yahoo! Mail
5. Google Apps
6. Evernote
7. Yammer
8. Prezi
9. Skype
10. GoToMeeting
Q4 2014
1. Microsoft Office 365
2. Gmail
3. Yammer
4. Yahoo! Mail
5. Cisco WebEx
6. Google Apps
7. Skype
8. Evernote
9. Prezi
10. GoToMeeting
SOCIAL MEDIA
The average company uses 27 different social media services, and the average user regularly
uses four social media services. While Facebook, Twitter, and LinkedIn have held the top three
spots consistently, there is more movement from the international social networks.
THE TOP 10 SOCIAL MEDIA SERVICES
Q4 2013
1. Facebook
2. Twitter
3. LinkedIn
4. Sina Weibo
5. Tumblr
6. VK
7. Badoo
8. Ning
9. Renren
10. Foursquare
Q1 2014
1. Facebook
2. Twitter
3. LinkedIn
4. Sina Weibo
5. VK
6. Tumblr
7. Badoo
8. Foursquare
9. LiveJournal
10. Renren
Q2 2014
1. Facebook
2. Twitter
3. LinkedIn
4. Sina Weibo
5. Tumblr
6. Badoo
7. VK
8. LiveJournal
9. Renren
10. Foursquare
Q3 2014
1. Facebook
2. Twitter
3. LinkedIn
4. Sina Weibo
5. VK
6. Tumblr
7. LiveJournal
8. Badoo
9. Foursquare
10. Renren
Q4 2014
1. Facebook
2. Twitter
3. LinkedIn
4. Tumblr
5. Sina Weibo
6. VK
7. Foursquare
8. Badoo
9. LiveJournal
10. Renren
FASTEST GROWING CLOUD SERVICES
From an entrepreneur’s standpoint, launching a new service in the cloud and acquiring
customers is very different from building on-premise software. From idea to launch,
cloud-enabling entrepreneurs can reach a global market in weeks or months instead
of years. From the perspective of the end-user, there is an unprecedented amount of
choice, and people are inclined to use things that help them while discontinuing their use
of things that either don’t help them or are inferior to other solutions. It is this idea that
led us to think that, by measuring usage patterns across thousands of cloud services,
we could help identify the up-and-coming solutions that are on the path to mainstream
adoption based on their growth rates.
The fastest-growing apps of Q4 2014 (quarterly growth rate in users)
Todoist        146%
Loggly         119%
ToutApp        94%
ONTRAPORT      69%
Projectplace   58%
join.me        53%
CloudSponge    47%
Lumosity       43%
Behance        40%
Waze           38%
We calculated growth rates for all cloud services, based on the number of active users from
Q3 to Q4 of 2014 and ranked them by their quarterly growth rate. The fastest-growing cloud
services have doubled the number of users in a single quarter, and if they continue their
growth, they could rival more established players in the years to come. Todoist and ToutApp
have now appeared on the fastest growing list two quarters in a row. Demonstrating that a
company can deliver features in high demand by end users while also investing in security,
Projectplace made the list and also received a rating of Skyhigh Enterprise-Ready because it
satisfies the most stringent security and compliance requirements.
ABOUT SKYHIGH NETWORKS
Skyhigh Networks, the cloud security and enablement company, helps enterprises safely
adopt cloud services while meeting their security, compliance, and governance requirements.
Over 350 enterprises including Aetna, Cisco, DIRECTV, HP, and Western Union use Skyhigh
to gain visibility into all cloud services in use and their associated risk; analyze cloud usage
to identify security breaches, compromised accounts, and insider threats; and seamlessly
enforce security policies with encryption, data loss prevention, contextual access control,
and activity monitoring. Headquartered in Cupertino, Calif., Skyhigh Networks is backed by
Greylock Partners, Sequoia Capital, and Salesforce.com. For more information, visit us at
www.skyhighnetworks.com or follow us on Twitter @skyhighnetworks.
“With Skyhigh we discovered a wide range of services,
allowing us to understand their associated risks and put in place
policies to protect corporate data.”
Steve Martino, VP Information Security
UNCOVER SHADOW IT
If you’d like to learn the scope of Shadow IT at your company, including detailed statistics profiled in this report, sign up for a complimentary cloud audit:
bit.ly/ComplimentaryCloudAudit