CLOUD REPORT SUMMER 2015 WORLDWIDE EDITION sensitive data in the cloud
Report Highlights

17.9 percent of all files in enterprise-sanctioned cloud apps constitute a data policy violation. 22.2 percent of those violating files are shared publicly.

More than half of all DLP violations in cloud apps violate a personally identifiable information (PII) or payment card industry information (PCI) policy.

The average number of cloud apps per enterprise has declined slightly from 730 last quarter to 715. We believe this is a direct result of IT's efforts to consolidate on sanctioned corporate apps across categories such as Collaboration and Productivity.

A whopping 91.9 percent of all apps are not enterprise-ready, lacking in the areas of security, audit and certification, service-level agreement, legal, and vulnerability that enterprises require for safe enablement.

Enterprises are rapidly adopting the Microsoft Office 365 suite, with a 37 and 124 percent quarter-over-quarter usage increase in the for Business (vs. personal) versions of Outlook and OneDrive, respectively.
EXECUTIVE SUMMARY

In this Netskope Cloud Report, we've compiled the most interesting trends on cloud app adoption and usage based on aggregated, anonymized data from the Netskope Active Platform. Report findings are based on usage seen across millions of users in hundreds of accounts in the global Netskope Active Platform, and represent usage trends from March 15-May 31, 2015.

A key area of focus for this report is Data Loss Prevention (DLP) in the cloud. One of the most dramatic findings this quarter is that 17.9 percent of all files in sanctioned apps violate at least one enterprise DLP policy, such as personally identifiable information (PII), payment card industry information (PCI), protected health information (PHI), source code, profanity, and confidential or top secret information. Even more striking is that of those files, 22.2 percent are exposed publicly.

Drilling deeper into DLP policy violations, we find that personally identifiable information (PII) and payment card industry information (PCI) make up more than half of all such violations in cloud apps, at 26.8 and 24.3 percent, respectively. Those are followed by custom confidential or top secret violations, at 16.7 percent.

We saw the average number of cloud apps per enterprise dip slightly from 730 last quarter to 715 this quarter. This aligns with anecdotal feedback from customers that they are beginning to consolidate usage on sanctioned corporate apps and suites such as Office 365, Box, Google Apps for Work, and Dropbox for Business. While the aforementioned cloud apps are enterprise-ready according to the Netskope Cloud Confidence Index [1], 91.9 percent of the cloud apps that are in use are not enterprise-ready, lacking in the areas of security, audit and certification, service-level agreement, legal, and vulnerability that enterprises require for safe enablement.

Further evidence of consolidation efforts in the enterprise can be seen through the growth we have observed in the for business (vs. personal) versions of apps within the Microsoft Office 365 suite. Usage in Office 365 Outlook and OneDrive for Business grew 37 and 124 percent, respectively, in the past quarter.

[1] The Netskope Cloud Confidence Index is a database of thousands of cloud apps that are evaluated on 40+ objective enterprise-readiness criteria adapted from the Cloud Security Alliance, including security, audit and certification, service-level agreement, legal, and vulnerability. The results of the evaluation are normalized to a 0-100 score and mapped to five levels ranging from poor to excellent.
ONE OUT OF FIVE DLP-VIOLATING FILES EXPOSED PUBLICLY

In this report, we drill down into Data Loss Prevention (DLP) policy violations in the cloud. In the Netskope Active Platform, we identify such violations by discovering sensitive content at-rest in sanctioned cloud apps and en route to or from a variety of sanctioned and unsanctioned ones. Enterprises discover cloud content against predefined and custom DLP profiles such as personally identifiable information (PII), payment card industry information (PCI), protected health information (PHI), source code, profanity, and confidential or top secret information.

In discovering content at-rest in sanctioned cloud apps, enterprises globally found that 17.9 percent of all files violate at least one of their DLP policies. Of those DLP-violating files, 22.2 percent are exposed publicly.

What kinds of DLP policy violations happen in the cloud? Among all such violations in our cloud, PII represents the highest occurrence at 26.8 percent. PCI represents the second highest at 24.3 percent, followed by custom confidential or top secret at 16.7 percent.

In what app categories do cloud DLP violations occur? Our research shows that 90 percent occur in, while 7.1 percent occur in Webmail. Other categories include Customer Relationship Management and Sales Force Automation (CRM and SFA), Social, Collaboration, and Productivity. The most common activity associated with such violations is download, followed by upload and post.

We believe that, as enterprises get their arms around the first-order concern about unmanaged file sharing in the cloud, they will begin to turn their attention more to detecting and protecting sensitive data in line-of-business apps like CRM and SFA, Human Resources (HR), and Finance/Accounting.
SENSITIVE DATA IN THE CLOUD

17.9% of all files in enterprise-sanctioned cloud apps constitute a data policy violation. 22.2% of those are shared publicly.

DLP violations by profile: PII 27%, PCI 24%, Confidential 17%, Source Code 16%, PHI 12%, Profanity 4%.
CLOUD APPS PER ENTERPRISE DIPS SLIGHTLY TO 715

This quarter, the average number of cloud apps in use per organization dipped slightly to 715 from 730 last quarter. Based on anecdotal customer feedback, we believe the slight decline is the result of enterprises reining in shadow IT. As IT professionals drive adoption in sanctioned apps via policy and user coaching, the effect is a decline in the number of apps. We are seeing this leveling off occur across nearly every cloud app category, especially in Collaboration and Productivity, both of which are areas of focus for enterprises as they address cloud app sprawl.

In addition to the consumer and prosumer apps that organizations expect to find in use (such as Twitter and Evernote), line-of-business apps are actually the most prevalent. Marketing remains the most prevalent app category, followed by Collaboration, Finance/Accounting, HR, and CRM and SFA. Below are the top 10 categories in terms of number of apps per enterprise. The vast majority of these apps are not enterprise-ready, with 91.9 percent scoring a medium or below in Netskope Cloud Confidence Index (CCI), an objective measure of cloud apps' security, audit and certification, service-level agreement, legal, and vulnerability attributes that have been adapted from the Cloud Security Alliance.

[Chart: cloud apps per enterprise, Worldwide and EMEA]

CATEGORY: Marketing, Collaboration, Finance / Accounting, Human Resources, CRM / SFA, Productivity, Software Development, Infrastructure
# PER ENTERPRISE: 59, 44, 37, 37, 35, 33, 33, 23, 20
% THAT ARE NOT ENTERPRISE-READY: 98%, 84%, 95%, 97%, 91%, 73%, 96%, 93%, 86%
IT / Application Management: 18, 84%
DRAMATIC USAGE INCREASE IN MICROSOFT OFFICE 365 SUITE

What are the top-used apps in the global Netskope Active Platform? Apps in the and Social categories dominate the top 20, with a combined 30.5 percent of usage. We define usage as number of distinct app sessions [2].

One of the most dramatic findings this quarter is the rise in usage within the for business vs. personal apps in the Microsoft Office 365 suite. Neither Office 365 Outlook nor OneDrive for Business was in the top 20 last quarter, and this quarter they occupy the number 8 and 18 spot, with usage per enterprise growing 37 and 124 percent, respectively, from last quarter. We believe that, beyond rapid adoption of the suite, the dramatic growth is owed to enterprise IT directing users to corporate-sanctioned apps via policy and user coaching.

1. Google Drive
2. Facebook (Social)
3. Google Gmail (Webmail)
4. Twitter (Social)
5. YouTube (Consumer)
6. iCloud
7. Google Docs (Productivity)
8. MS Office 365 Outlook.com (Webmail)
9. WebEx (Collaboration)
10. LinkedIn (Social)
11. Dropbox
12. Microsoft OneDrive
13. Salesforce (CRM / SFA)
14. Evernote (Productivity)
15. Box (Storage & Collaboration)
16. HubSpot (Marketing)
17. Amazon CloudDrive
18. MS OneDrive for Business
19. Slack (Collaboration)
20. MS Live Outlook.com (Webmail)

[2] A session is a distinct time period in which a user logs into an app, performs a series of activities, and then ceases to work in the app for a period of time. Existing usage metrics (e.g., HTTP sessions) are often inaccurate because users don't always log out following active usage. Netskope has developed a proprietary heuristic to measure a more accurate period of activity, which we define as a session. Usage is defined as number of discrete sessions.
Top Cloud Activities in the Netskope Active Platform

The top 10 activities in the Netskope Active Platform are send, login, download, view, upload, edit, create, share, delete, and post. There was no marked difference in activities across regions, so we did not separate them. Netskope normalizes these activities across apps within categories and even across categories, so whether a user shares a file from a app or a report from a Business Intelligence one, each of those is recognized as a share activity. The activities are listed here from highest to lowest in occurrence, overall and for the top five categories.

[Chart: top activities, overall and for the top five categories. Legend: Login, View, Download, Upload, Edit, Create, Send, Delete, Share, Post]
TOP POLICY VIOLATIONS

Beyond measuring usage and activity, we also look at policy violations within cloud apps. Policies can be enforced based on a number of factors, including user, group, location, device, browser, app, instance, category, enterprise-readiness score, DLP profile, activity, and more. Through data abstraction and normalization of those factors, we're able to discern the apps, categories, and activities surrounding a violation. Policies observed include blocking the download of PII from an HR app to a mobile device, alerting when users share documents in Cloud Storage apps with someone outside of the company, and blocking unauthorized users from modifying financial fields in Finance/Accounting apps.

The five cloud app categories with the highest volume of policy violations include, Webmail, CRM and SFA, Finance/Accounting, Social, and CRM and SFA. The top activities that constituted a policy violation are login, download, send, view, and upload.

Here are the top activities globally that constituted a policy violation per cloud app category, with DLP violations noted where they apply. Just as activities can vary between apps, policy violations involving those activities can vary. For example, a policy violation involving downloading from a app can be the improper downloading of a non-public press release, whereas in a CRM/SFA app could signal theft of customer data by a departing employee.

[Table: policy-violating activities ranked per app category. Rows: Social, Webmail, CRM and SFA, Application Suite, Collaboration, Productivity, Security, HR, Software Development. Columns: Login, Upload, Download, Share, Send, View, Delete, Create, Failed Login, Post, DLP Policy Sensitivity. Legend: 1 indicates highest occurrence of policy-violating activity for the category; _ indicates activity not relevant to category; a marker indicates that the policy violation included a data loss prevention profile.]
THREE QUICK WINS FOR ENTERPRISE IT

Based on this quarter's findings, here are some quick wins for enterprise IT to enable cloud apps while minimizing exposure:

1. Discover sensitive content in your sanctioned apps and eliminate public access. Notify internal collaborators.
2. Consolidate on popular apps that are also enterprise-ready. Use app discovery as a guide, and get there with user coaching.
3. Enforce your cloud DLP policies on high-probability activities in apps containing sensitive data. Start where most violations occur: uploads and downloads in.

© 2015 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective holders. 06/15 RS-68-1