The vast majority of cloud services are insecure
The Skyhigh Networks Cloud Adoption and Risk Report (registration required) says there are over 16,000 unique cloud services that its user base accesses. Of these, just 8.1% meet the criteria laid out in the Skyhigh Networks CloudTrust Program. One of the major failures, which is topical given the recent TalkTalk attack, is that data at rest is NOT encrypted.
Fewer than 10% of companies encrypt customer data that they are holding. This is not just about PII data but any data. When the customer wants to use their own encryption, which allows them to retain the encryption key, the number of cloud services supporting this drops further. To be fair to cloud service providers (CSPs), it is not always easy to provide customers with the ability to apply their own encryption when they are using a shared public cloud service.
It will be interesting next year to see how quickly the European numbers change. This will be due to the introduction of the European General Data Protection Regulation. It will require all data related to customer privacy to be encrypted. It is not alone: national regulators are also beginning to enforce this and are in favour of it happening with customers owning the encryption key. This means a lot of vendors will have to spend money solving the problem.
The top 20 Enterprise Cloud Services
Among the top 20 enterprise cloud services are many that you expect to see. Microsoft Office 365, Salesforce and Cisco WebEx make up the top three. A couple of the top 20 will raise eyebrows, such as SilkRoad, the underground service for buying drugs or hiring hitmen, which comes in at 17. Quite what this says about the boardroom is anyone’s guess!
[Since going live Skyhigh have clarified this and said it relates to an HR service. Our mistake – Ian Murphy (Editor)]
Cloud storage and collaboration vendors feature well in the top 20 with Box (10th), SharePoint Online (14th) and Hightail (15th). Despite its attempt to move up the enterprise stack, Dropbox is still rated as a consumer service by Skyhigh Networks. Other collaboration vendors include Cisco WebEx (3rd), Yammer (5th), GoToMeeting (11th) and BlueJeans (20th).
The inclusion of NetSuite at 19th will please the born-on-the-cloud vendor, but it comes a long way behind Workday (9th).
From an enterprise-ready and security perspective, it is interesting to note that Skyhigh Networks says that the top 20 enterprise cloud services are more secure than the rest of the enterprise services. The comparison is 85% v 9.9%. This still means that three of the top 20 applications fail the Skyhigh Networks CloudTrust program test. They are not identified in the report which, quite frankly, is a poor omission.
The top 20 Consumer Cloud Services
A look at this list shows what Hawthorn was talking about when he said: “One of the problems here is that you could argue that some of those services should be seen as enterprise rather than consumer given their usage.” The list is dominated by social media companies and file sharing vendors. In an age where companies are beginning to realise they need to use social media, it would be interesting to have this broken out to see how much is users checking social media and how much is related to corporate use.
The top three cloud services are Facebook, Twitter and YouTube. The inclusion of YouTube is interesting here because there has been a significant move to take advantage of YouTube by corporate marketing and technical support teams.
Services that are also in this group and are also easy to see as enterprise services are LinkedIn (4th), Gmail (6th), Flickr (8th), Google Drive (10th), Google Plus (11th), Tumblr (13th), Dropbox (15th), Evernote (19th) and SlideShare (20th).
The last two are very interesting. Evernote seems to have overtaken Microsoft OneNote in terms of note taking applications. Of course, with Microsoft Office 365 listed in the top 20 enterprise cloud services it could be OneNote usage is bundled there. SlideShare is often used by people to make their presentations public and its inclusion shows that there is an increasing interest in what happens at events, even when people cannot get there.
Security is a major problem here. The Cloud Adoption and Risk Report makes it clear that only ONE service is enterprise ready and declines to name it. This means that the top 20 get a rating of 5% meeting CloudTrust requirements while the average for consumer services is just 3.5%. With 313 consumer grade services in use in the average enterprise, it means that large amounts of data are being left poorly secured, breaching compliance and other requirements.
Getting it right
There is a vast amount of work to be done here by IT security teams. Hawthorn believes there are two steps that need to be taken quickly:
- “Accept that cloud services provide users with a service they want to use. Companies need to look around themselves and choose the service that they need. They should be looking at security, Terms & Conditions, Quality of Service and Service Level Agreement. They cannot stop users accessing cloud services so pick one or more that are trustworthy and provide those to the users.
- Put controls on that service. Data Loss Prevention, logging and encryption to control what can be shared outside the organisation. Users don’t realise that they can forget what they have shared. It is too easy to create a large shared area and then accidentally have a partner share a confidential document into that shared space. Often those invited have no idea what the controls are or exactly who has access to the collaboration environment.”
These two steps from Hawthorn are just two of several actions that can be taken to secure data without stopping or interfering with the use of cloud services. Users believe that IT wants to take control in order to make things hard to use and are therefore resistant to using the services suggested. By working with rather than against each other it is possible to have a secure cloud service environment that does not risk data.
This is, as usual, an interesting report from Skyhigh Networks. We have looked at just part of it here and we look at the rest of the report in a feature on file names and hackers.
There is a lot for companies to absorb but the most important thing is to look at how secure cloud services are and see what can be done to increase security. It is also time that Skyhigh Networks went that extra step and identified which companies in the top 20 enterprise and consumer cloud services fail the CloudTrust standards.