Cloud Adoption & Risk in EU Report Q1 2016 - Skyhigh Networks

Cloud Adoption & Risk in Europe Report, Q1 2016

Table of Contents

INTRODUCTION
    Increased Regulation & Compliance
USAGE TRENDS
    Average Number of Services
    Security Controls Vary by Provider
    Authentication and Logging
    Everyone Is Using … Trello
    Everyone Is Using … File Converters
CSA SURVEY RESULTS
SHARING AND COLLABORATION
    File Sharing Reaches an All-Time High
    When Sharing is Erring
    The Shadow Code Repository
SENSITIVE DATA IN THE CLOUD
    Storage Of Data On EU Citizens
    Types of Sensitive Data
    What’s in a Name?
OUR METHODOLOGY

CLOUD ADOPTION & RISK IN EUROPE REPORT | Q1 2016

Introduction

Cloud is transforming how businesses operate. Studies have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6% faster than their counterparts that don’t. Sadly, when an airliner crashes it is a major news story, partly because it is such a rare incident; meanwhile, air travel is the safest mass transit method per mile travelled, with the distance travelled constantly increasing. So it is with IT and the cloud. Looking back on 2015, many of the largest IT headlines were around security headaches: employees posting data online, hackers trying to hold companies to ransom and the many inadvertent data loss incidents. Meanwhile the growth of cloud services, cloud data and cloud usage continues unabated – mostly unremarked as “everything is fine” isn’t much of a news story.

Employees looking to work more efficiently are signing up to cloud services in ever larger numbers, and companies typically don’t know which ones are being used to store corporate data. Even within the cloud services purchased by a company’s IT department, there is limited visibility into user behavior and how sensitive information is accessed and shared. Similar to previous shifts in technology, such as the rise of the PC and the Internet, the cloud creates new and significant concerns among business leaders about the potential for headline-making security incidents. Happily, we see that CSPs (Cloud Service Providers) are introducing features that enterprises need to better secure this data, such as encryption, integration with corporate authentication systems and more comprehensive reporting.

To better understand these trends, Skyhigh Networks publishes a Cloud Adoption & Risk Report for Europe. This report is based on anonymized data from Skyhigh’s European customers – serving over 3 million users across the region.


In this report, we detail the growth of cloud use in European enterprises, the security controls that providers offer and how likely you are to be able to integrate with enterprise authentication systems and logging. We take a deeper look into one particular service and consider the widespread use of file conversion services. We investigate the types of sensitive data stored in cloud services, how that data is shared within organisations and with third parties, and how risky employee behavior can expose data. We share statistics on where data is stored, which show rapid growth of cloud services holding data within the EU. The last set of data shows the number of files being shared that contain words likely to indicate confidential data.

INCREASED REGULATION & COMPLIANCE

As cloud importance and traffic increase, so does the number of stakeholders taking an interest in its supervision. From internal audit, risk and compliance, to external auditors and through to parliaments and industry regulators, there are many sources of guidance, laws and regulation. As even one data breach can be catastrophic and the ongoing brand reputation issues can haunt the organisation for years, it is to be expected that groups outside the IT department want to know the extent of cloud use, the security measures deployed and data on traffic being shared.

Two examples of increased regulation in Europe are the new EU General Data Protection Regulation (GDPR) and (in the UK) the draft guidance from the Financial Conduct Authority for firms using the cloud. Both of these documents are updates to existing publications that clarify the definitions, strengthen the regulations and increase the penalties compared to previous rules. In 2016, the IT department needs to work with the risk, compliance and legal groups to understand and conform to these and other regulations.


Usage Trends

More cloud services are being launched every week and most of these are aimed at the business sector. Organisations have never had more cloud apps to choose from that provide robust levels of security for enterprise data. Cloud adoption in the workplace continued to increase this quarter, albeit at a slower pace than last quarter. Companies and employees both actively use a greater variety of cloud services.

AVERAGE NUMBER OF SERVICES

The average European organisation now uses 1,038 cloud services, an increase of 33% over the same quarter last year. The lowest number of cloud services in use is 573 (for a 650 person organisation) while the highest is over 6,000. Despite this we still read public statements by some CIOs that “we have no cloud use in our organisation”. Wherever we test a network, we always find hundreds of services being used, even in industries such as defense, government and highly-regulated businesses. Sadly, there seems to be ignorance of the breadth of enterprise cloud use at some levels in organisations.

[Figure: Average Number of Cloud Services, Europe, by quarter, 2014 to 2015]


Cloud services directed at the enterprise market account for 78% of the total cloud services available, while consumer-focused services represent 10% and those with solutions for both make up 12%. Collaboration continues to be the category with the greatest variety of cloud services by a wide margin. In total in Europe, 2254 different collaboration services are in use (e.g. Cisco WebEx, Evernote, etc.). The category with the second-largest number of services is cloud infrastructure (PaaS) with 1,535 different services, before we start moving to SaaS aimed at specific functions (marketing leads with 1,421 services and IT has 1,071 services available).

On the one hand, the multiplying number of cloud services that companies use indicates we’re in the early days of the market as new entrants regularly emerge with better capabilities. However, companies that use many redundant services in each category can actually end up discouraging collaboration and introducing friction as users must log in to different apps to work with different teams.

The average employee actively uses more than 20 cloud services at work, including 8 collaboration services, 5 file sharing services, and 4 content sharing services (e.g. YouTube, Flickr, etc.). These numbers serve to remind us that using “the cloud” is much more than just cloud storage, where there are currently just under 500 different providers. The cloud market is early in its development, and while there are cloud services that stand out in terms of user count, few categories have a dominant provider. Users are still able to find unique functionality to justify using several cloud services in each category.


SECURITY CONTROLS VARY BY PROVIDER

Across over 16,000 cloud services in use today, only 8.1% meet the strict data security and privacy requirements of enterprises as defined by Skyhigh’s CloudTrust Program. Digging deeper, we find that fewer than 1 in 10 providers store data at rest encrypted, and less than 1% support the ability for a customer to encrypt data using their own encryption keys. Encryption using customer-managed keys is rapidly becoming a requirement for organisations to store data in the cloud while meeting requirements dictated by industry regulations and national data privacy laws.

• 44.4%: Specify that customer owns all data uploaded
• 18%: Delete data immediately on account termination
• 9.1%: Encrypt data at rest
• 0.9%: Encrypt data with customer-managed keys
• 6.9%: Commit to not share data with 3rd parties

Concerns persist about what happens to data once uploaded to a cloud provider. Fewer than half of providers specify that customer data is owned by the customer (the rest either claim ownership over all data uploaded, or don’t legally specify who owns the data). An even smaller number of cloud providers delete data immediately on account termination, with the remainder keeping data up to one year or even claiming the right to maintain copies of data indefinitely. Very few cloud providers commit to not share customer data with third parties, such as advertisers or governments, unless under a legal order.


AUTHENTICATION AND LOGGING

The cloud is constantly maturing and services aimed at businesses are regularly adding functionality to enable their solutions to be integrated into enterprise computing. Two of these areas are authentication integration and user activity and data access logging.

A recent report in Business Week stated 40% of calls to corporate IT help-desks were related to password problems. As organisations roll out cloud services, they don’t want to worsen these issues by introducing yet more passwords for users to remember. In case of data loss, computer forensics may be required to ascertain data movements and individual user activity. Again, organisations may require this from any cloud service that they support.

Happily, as cloud services mature, more providers are offering these types of solutions to ensure that cloud can be a trusted computing service. Skyhigh can help customers review the data logging and enterprise identity options offered by cloud service providers. Currently the statistics are as follows:

• 97%: Do not allow anonymous access
• 58%: Of services provide user activity logging
• 1%: Offer data access logging
• 25%: Provide integration with enterprise identity
• 19%: Support multi-factor authentication
• 10%: Provide identity federation using SAML, OAUTH or similar services


EVERYONE IS USING … TRELLO

In the cloud, winners and losers can be defined very quickly and word of mouth can be a very good way to promote a service. If a service delivers what users want, they will flock to it and if it’s a collaboration system they’ll very quickly invite their colleagues and possibly business partners. In this report, we will look more deeply at just one of these that has exploded in use in the last few years, Trello. Trello is a project management and collaboration tool that can be used individually or by teams. Launched in 2011, its user count has increased dramatically:

• July 2012: 500,000 users
• December 2012: 1,000,000 users
• May 2014: 4,000,000 users
• October 2015: 10,000,000 users

Our data shows that every one of our European customers has at least some users that use Trello. Trello has put in many of the attributes that enterprises may demand such as data encryption at rest, granular access controls and data encryption in transit. It doesn’t allow anonymous use and can be integrated with your enterprise identity using SAML, OAUTH and multifactor authentication. Trello provides logging capabilities, hasn’t been known to be compromised and has other positive attributes, and is therefore considered to be low risk.


However, Trello’s service is designed to share data, your data, between your users and external parties. As such, it could be a danger if one user shares something that they shouldn’t, or leaves the organisation, keeps their Trello login and continues to get updates from prior colleagues. Trello is the type of service that can provide great benefits to an organisation if it is well managed, integrated into the authentication services and logged. On the other hand, it is quite probably in use in your organisation now, by teams who haven’t asked for approval and without corporate controls, and is therefore a potential data loss risk.

EVERYONE IS USING … FILE CONVERTERS

It seems that ever since computing began, users have had to convert files from one format to another to manipulate the data in the way that they want to and to share with colleagues. Nowadays, many applications can save in multiple formats, and yet either users don’t know this or they need something that is not supported, so a wealth of applications and services exist to convert files from/to PDF, from/to Office formats, image converters, video, HTML to Word etc. Add to that services performing online translation, online OCR readers and compression utilities and it’s easy to see why there are over 100 different cloud services offering file conversion capabilities.

Again, our statistics show that every one of our customers has users who have used these services. Almost by definition a user is sending confidential data outside the organisation to be manipulated and returned to them; what else might the service be doing with that data? Sadly, most of these services are without much in the way of security features and so should commonly be considered high risk.


CSA SURVEY RESULTS

Published simultaneously with this report are the results of a survey conducted by the Cloud Security Alliance, titled “The Cloud Balancing Act for IT: Between Promise and Peril”. The full report can be downloaded from the Skyhigh web site. Key findings include:

• The top barrier (~31% of respondents) to stopping data loss in the cloud is a lack of skilled security professionals – is security analyst the next hot job opportunity?
• Customer relationship management (CRM) is the most widely used cloud-based system of record today, but companies have plans to move other systems to the cloud.
• Cloud confidence is rising: Around 65% of IT leaders think the cloud is as secure or more secure than on-premises software.
• CISOs play an important role in security – having one makes a company more likely to take steps to prepare for a cyber attack.
• On average, it takes the IT security team 17.7 days to evaluate the security of a new cloud provider.

Sharing and Collaboration

Cloud-based file sharing and collaboration services such as Box, OneDrive, SharePoint Online, Dropbox, ShareFile, and Google Drive are popular. While they started by offering users the ability to synchronize their files across devices, many of them are now full-fledged collaboration platforms allowing users to share files and edit the same file with other people around the world in real time. The average global company uploads 5.6 TB of data to file sharing services each month. Overall, the average organisation shares documents with 849 external domains via these services.


FILE SHARING REACHES AN ALL-TIME HIGH

The percentage of files that are shared via file sharing services hit an all-time high in the last six months. Of all documents stored in file sharing services, 37.2% are shared with someone other than the document’s owner. That’s higher than this same period last year, when 27.0% of files were shared. One potential reason is that users increasingly seek to use these services for sharing data with other people rather than merely syncing files across their own devices. While enhanced collaboration between colleagues and business partners is a positive development, the ease with which sensitive data can be shared also carries the risk that a sensitive file may be unintentionally shared too broadly and outside of policy.

[Figure: Sharing Within File Sharing Services (percent of files shared)]


WHEN SHARING IS ERRING

Of the 37.2% of documents that are shared, 71.6% are shared internally with select users. A noteworthy 12.9% of shared documents are shared with all employees within an organisation. Another 28.2% of these documents are shared with business partners. Of shared files, 5.4% are accessible by anyone with a link. These links are easily forwarded and can create risk since the organisation cannot audit or control who is viewing the document. Further, 2.7% of these files are actually publicly accessible and indexed by Google.

Another way files can be shared externally is with personal email accounts such as Gmail, Yahoo! Mail, and Hotmail. A total of 6.0% of shared files are shared with personal emails. For files that are shared externally (with business partners, personal emails, or publicly accessible online), 9.2% contain sensitive data. That’s lower than the overall average of 15.8% across all documents, but it shows that organisations need to educate employees about the risks of sharing certain types of data and enforce policies defining how and with whom sensitive data can be shared.

[Figure: Breakdown of Sharing Actions (percent of shared files with an associated sharing action)]


THE SHADOW CODE REPOSITORY

Despite the popularity of code repositories such as GitHub and SourceForge, users also store files containing code in file sharing services and rely on these services to send large files to other users. The most common programming languages found in file sharing services include JavaScript, Objective-C, and Python. The average organisation has thousands of code-containing files stored in the cloud, and 14.8% of these files are shared externally. Many of the individuals with sharing permissions for these files are likely business partners. However, 6.1% of these files are accessible by anyone with a link, increasing the risk that source code, financial trading algorithms, and new applications under development could be exposed if these links are forwarded more broadly beyond the users who initially received them.

Sensitive Data in the Cloud

Across industries, organisations must protect a wide range of sensitive information from cyber attacks and accidental disclosure, and that data is increasingly stored in the cloud. All told, 15.8% of all documents uploaded to cloud-based file sharing services contain sensitive information, where they are just a few clicks away from being shared externally.

STORAGE OF DATA ON EU CITIZENS

The EU countries have strict data protection laws around the collection, use and storage of personal data and these are to be strengthened further when the EU GDPR comes into force in 2018. In addition, the ruling from the EU Department of Justice in October 2015 that invalidated the US Safe Harbor agreement means that anyone with data on EU individuals (the Data Controller) needs to be careful about transferring that data outside the EU as they can be subject to court cases from individuals and investigation (and fines) by the appropriate data regulator.


The laws do not say that data cannot be transferred outside the EU; however, they do put in place regulations that need to be followed, so it is very useful for IT, legal and compliance departments to know where data is stored by cloud providers. The EU currently has three categories of country that it considers to have appropriate data protection laws: the 28 countries of the EU itself, the three countries inside the European Economic Area that are not in the EU (Norway, Liechtenstein and Iceland) and eleven countries considered by the EU to have “adequate” data protection laws (Switzerland, Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay).

It is clear that cloud providers have realized the difficulty this places on their customers, and many providers who used to offer data storage only outside the EU have introduced options in recent months to store that data inside the EU (if requested). In the previous European Cloud Adoption Report, only 14.3% of services stored data inside the EU; this has now increased to 27% of services.

A SAFE PLACE FOR EU DATA

• EU: 27%
• EEA: 0%
• “Adequate” country: 4%
• Elsewhere: 69%


Again, it is worth stating that there’s no law forbidding data being transferred to other countries; however, in those cases there legally needs to be a commitment in place on behalf of the data processor (the cloud provider) to the data controller, using mechanisms such as EU Model Clauses or Binding Corporate Rules. It is the responsibility of the data controller to ensure that these are in place, and that users do not transfer data to cloud services outside these countries without the appropriate legal basis.

TYPES OF SENSITIVE DATA

Across all documents uploaded to file sharing services, the most common type of sensitive content is confidential company data (e.g. financial records, business plans, source code, trading algorithms, etc.). A total of 7.6% of documents in file sharing services contain confidential data. That’s followed by personally identifiable information (e.g. Social Security numbers, tax ID numbers, phone numbers, addresses, etc.) at 4.3% of all documents. Next, 2.3% of documents contain payment data (e.g. credit card numbers, debit card numbers, bank account numbers, etc.). Finally, 1.6% of documents contain protected health information (e.g. patient diagnoses, medical treatments, medical IDs, etc.).


WHAT’S IN A NAME?

As recent high-profile data breaches demonstrate, cyber criminals are seeking out documents containing company budgets, employee salaries, and employee Social Security numbers. Their goal is often to disrupt the operations of these companies or use this information for financial gain. It’s not uncommon for employees to use words like “bonus”, “budget”, or “salary” in file names. The average organisation stores thousands of such documents in file sharing services.

[Figure: Files Containing Keyword in the File Name (average per organisation by file type)]

A surprising number of employees store passwords in Excel spreadsheets, Word documents, and other formats in the cloud. Of course, security experts recommend against storing your passwords in an unencrypted file labeled “passwords.xlsx”, whether in the cloud or on your PC. People in IT security are not immune from this type of risky behavior. For example, in the Hacking Team breach, it was discovered that members of the IT security team stored critical passwords in unencrypted files that were stolen by hackers.


Users also upload image and PDF copies of passports, PowerPoint files with information on competitors, local database files from programs such as Microsoft Access with employee salaries, and draft press releases that could be used for insider trading. The average company has hundreds of MSG and EML format email files containing sensitive information, exported from email programs such as Outlook. When exported, their file names usually contain the email subject.

[Figure: Files Containing Keyword in the File Name (average number per organisation across file sharing services)]


Our Methodology

To bring you these findings, we analyzed aggregated, anonymized cloud usage data for over 3 million users in Europe and 23 million worldwide (for global figures) at companies across all major industries including financial services, healthcare, public sector, education, retail, high tech, manufacturing, energy, utilities, legal, real estate, transportation, and business services. Collectively, these users generate over 2 billion unique transactions in the cloud each day. We compiled their usage in an extensive cloud activity graph, revealing trends in usage against behavioral baselines across time. Our cloud service registry tracks over 50 attributes of enterprise readiness and allows us to analyze behavior using detailed data signatures for over 16,000 cloud services.
