In its latest Cloud Adoption and risk report, cloud security vendors Skyhigh Networks reports that the use of cloud services jumped by 33% in 2015 to an average of 1038 per organisation. As big a jump as this is over the year, the increase slowed significantly in the second half to around 6%. Despite the slowdown, enterprises are still struggling to contain end-user cloud usage and ensure that all services are secure.
Who needs hackers when cloud services take your data
Concerns over the security of data in the cloud are often described as overhyped by cloud vendors. They like to point to the money they have invested and the number of international standards they are certified against. With the rise of regulation and compliance requirements it is not acceptable for a company to just look at a cloud providers site and assume that they are doing security well.
Skyhigh Networks assessed over 16,000 cloud services against its own Skyhigh CloudTrust Program. In doing so it delivered the following assessment of what cloud providers are doing from a security perspective:
- 44.4% specify that the customer owns all the data uploaded to the service: This should be a red flag to a lot of companies. As we have seen with social media once data has been uploaded into a service the service owner confers upon itself a right to use and resell data. Given the increasing stringency of data protection laws, companies must demand an unequivocal statement about data ownership before moving data. They must also urgently educate users as to the risk of moving data outside the company.
- 18% delete any data held immediately an account is terminated: This is a very low figure and will only apply to data currently sitting on servers. Unless you have a very large presence with a cloud provider and an agreement that your data will be backed up separately to their other customers, data is backed up on-masse. No cloud provider and before them hosting provider is going to go through their backups and archives to remove your data from their systems.
- 9.1% encrypt data at rest: With all the screaming and shouting from governments about the need for access to data, the vast majority is unprotected and easy for them to sweep up. Cloud providers talk a lot about data protection but it is abundantly clear from this report that its more about sales pitch and lip service than real service delivery.
- 6.9% commit to not share data with third parties: If you want a free app you have to ask where they make their money from. The irritating adverts are blockable by a range of tools today so their best way of cashing in is selling access to data. Facebook, Twitter, LinkedIn and many other sites have well established data access tools that enable people to access data for a fee. For many smaller app companies, their entire development costs are covered by selling users personal data and where that data comes from a company they make no difference. All of this, of course, is separate to the data provided to governments as highlighted by Edward Snowden and other whistleblowers.
- 0.9% encrypt data with customer managed keys: This is one of the big concerns for governments. If companies use their own keys to protect data they can then relocate those keys outside of the jurisdiction of the intelligence community and law enforcement. This means that data may never be available when required for a criminal or other legal case. Another reason for this very low number is that enabling individual customers to use their own keys in a multi-tenant environment such as cloud requires a lot of configuration which costs money. For cloud providers this is something they are not keen on.
Collaboration services still rule the cloud
The growth in apps and services offering collaboration platforms continues to lead the market. Skyhigh Networks currently reports that there are over 2254 different collaboration services in use by users across the EU. With that many services it does raise questions as to how many really have a sustainable user base, how many have the revenue to support ongoing development and how easily users can integrate the different collaboration solutions.
The latter issue is probably the biggest one for most users. Having started to use a collaboration service they don’t really want to be moving stuff out of that into another service. According to the research from Skyhigh Networks the average user is working with 8 different collaboration services. What isn’t clear is how effective and productive does that really make them as they keep moving data and relearning services?
This problem shows little sign of slowing down. There are a number of new entrants into the cloud services market which is growing so fast that the only real way to begin tracking them is through someone such as Skyhigh Networks. Enterprise security teams have bigger concerns such as How much sensitive data is being loaded into these collaboration services? How is it secured? How many users are reusing their enterprise credentials for access?
Anonymity disappearing from cloud services
Cloud service providers are beginning to understand the requirements of enterprise security teams even if they don’t understand data ownership. 97% now block anonymous access to cloud services. While this may cause some issues for a small number of companies using older communications software the cost of upgrading their software is outweighed by the improved security. This is not the only good news when it comes to access control although overall the report shows a mixed bag of results.
User activity is being logged by 58% of services but only 1% provide data access logging. For companies that are trying to be proactive about security and data movements, the latter is a major disappointment. This is an area where cloud service providers need to step up but given that less than 50% are willing to accept that corporate data does not belong to them and less than 7% commit to not sharing data with third-parties this should come as no surprise. There is a real market opportunity here for some cloud services to deliver this level of protection.
The federation of identity between enterprise systems and cloud is an ongoing concern, especially in terms of shadow IT. While only 25% of service providers deliver integration with enterprise identity systems this is a significant improvement over the last year. The key will be to see how quickly this moves to beyond 50%. Support for industry wide identify federation such as OAUTH and SAML is still down at 10% which is very disappointing.
The best news for enterprises is that multi-factor authentication support is now at 19% which is a much higher figure than inside enterprise systems. While there is much to be done to make multi-factor the norm it is good to see that cloud service providers are beginning to lead the enterprise here.
Conclusion
There is a lot more in this report for IT teams to digest. As with previous versions of this report cloud services are still falling short of enterprise grade. The continued use of file sharing, the risks of sensitive data in the cloud and the fact that we are now on a countdown to 2018 when the EU General Data Protection Regulation comes fully into force are just some of the things the report addresses.
Overall however, the picture is far from a ringing endorsement of cloud services. The willingness to lay claim to customer data and the almost wholesale refusal to commit to not share that data with third-parties smacks of an industry that is far from professional. All of this points to an increasing gap between governance of internally controlled data and data used with cloud services.
IT departments must begin to work with users on how to make a difference around the way data is shared into the cloud. This is not about being seen as a blocker but about helping them understand why data security is important. If not, the only way companies will be able to protect themselves will be to change employment contracts to say that users indemnify the company when they upload data to an insecure service.
