The Explosion of Apps: 27% are Risky
Q2 2016 Cloud Cybersecurity Report
Introduction

Traditionally, Shadow IT refers to any application employees use without IT approval. With a nearly unlimited supply of apps at their disposal, Shadow IT keeps expanding. As more organizations adopt cloud platforms, a new Shadow IT risk vector is coming into play: connected third-party apps. These apps are authorized with corporate credentials, request extensive permission sets, and communicate with corporate SaaS platforms through OAuth connections.

An organization may embrace its employees' exploration of innovative technology and sanction a subset of these apps as "Productivity IT". But connected third-party apps must be monitored closely, because authorizing one grants it programmatic (API) access to corporate data on multiple SaaS platforms. Because these apps (and by extension their vendors) can view, delete, externalize and store corporate data, a malicious actor who controls such a connection can act on behalf of users to access, exfiltrate and externalize data. With 22% more breaches from January to May of 2016 than in the same period of 2015 (source: 24/7 Wall St), connected third-party apps must be managed carefully.

Drawing on nearly 160,000 unique third-party applications across 10 million end users, this CloudLock report shares data to help organizations understand the implications of this trend.

"The shift to the cloud creates a new, virtual security perimeter that includes third-party apps granted access to corporate systems. Today, most employees leverage a wide variety of apps to get their jobs done efficiently, unwittingly exposing corporate data and systems to malware and the possibility of data theft."
Ayse Kaya-Firat, Director of Customer Insights & Analytics, CloudLock

Copyright 2016 CloudLock Inc. The Explosion of Apps: 27% are Risky 01
Key Findings

Third-party apps have increased 30x over the last two years. It is more important than ever to understand how apps connect to corporate environments, whose credentials they use, and what security implications they carry.

27% of third-party apps connected to corporate environments are high risk. Measuring risk by the combination of access scopes, community-sourced ratings and expert-driven analytics, 27% of third-party apps are the ones most likely to open pathways into an organization for cybercriminals.

Over half of third-party app bans are security-related. Apps can be banned for any number of reasons, including productivity concerns, but a clear majority are banned because of the security exposure they introduce.
The Explosion of Third-Party Apps

The traditional notion of Shadow IT misses one dimension: whether or not an app is connected to the corporate environment. OAuth connections are a newer way for third-party apps to pose risk. They allow an app to act on behalf of a user, which is useful, but dangerous when the grant is made with corporate credentials. Managing the risk of connected third-party apps means identifying those that pose the highest risk and mitigating accordingly.

The Shadow IT dilemma is only becoming more challenging as usage grows year over year. From 2014 to 2016, we have seen nearly a 30x increase in unique apps, from 5,500 to 156,796.
OAuth-Connected Apps Have Extensive Access to Corporate Environments

Third-party apps authorized via OAuth have extensive, and at times excessive, access scopes. Because they can view, delete, externalize and store corporate data, and even act on behalf of users, they must be managed carefully. A point that is easy to miss: the token an app receives is separate from the user's session. It keeps working after the user signs out and is not re-challenged by multifactor authentication on each API call, so a grant persists until it is explicitly revoked.

Below is an example of what a third-party app's request for permissions may look like (consent-screen figure not reproduced in this text version).
19% Increase in Third-Party Apps in Just the Last 3 Months

Meanwhile, the number of third-party application installations has increased 11x since 2014. Not only is the variety of applications increasing, but so is the usage of those apps.
Tech, Media and Education Are the Largest Consumers of Third-Party Apps

On average, an organization's users connect 733 third-party apps to the corporate environment. In absolute terms (left-hand chart), Retail and Manufacturing lead, well above the average, which is not surprising given that the average organization size is larger in these industries. But when normalized by organization size (right-hand chart), the real outliers are Tech, Media and Educational institutions. In these industries, with more tech-savvy users, applications are abundant and their use grows at faster rates.
Apps and Installs Per Organization Up 600% in Two Years

At the organization level the trends are similar. Over the past two years, the number of apps in the average organization has increased from 130 to 733. Some organizations have more than 18,500 connected applications, each a potential backdoor into the environment. Today the average organization has 733 third-party apps and more than 7,500 total installs.
27% of Apps Are Risky

Defining Risk

Every day, employees use apps without notifying IT and authorize OAuth connections with their corporate credentials. If such an app is malicious by design, or its vendor is compromised, an attacker inherits whatever the grant allows, which for a grant made by an administrator can include deleting accounts, externalizing or transferring information, provisioning and deprovisioning users, changing users' passwords, modifying administrator settings, searching email logs, and more.

CloudLock's Cloud Application Risk Index (CARI) evaluates risk across three dimensions, access scopes, community trust ratings and application threat intelligence, to assign a well-rounded application risk value and help security teams decide which apps are trustworthy and which should be monitored, banned or revoked. Taking into account both static attributes (e.g. past breaches, security certifications) and dynamic ones (e.g. community-sourced intelligence), CARI is the first risk index that aims to map and measure cloud-to-cloud risk.

Across CloudLock's entire catalog of 156,000 unique apps, the average CARI value is 3.21. Ideally this score would be zero, so organizations need to focus on implementing plans to mitigate the risk posed by third-party apps.
Cloud Application Risk Index (CARI)

Dimension 1: Data Access Requirements
Specific indicator: data access permissions granted
- Risk calculation based on the permissions required to authorize an app.
- Granting data access to an app gives it programmatic (API) access to corporate SaaS platforms via OAuth connections.
- The app (and by extension the vendor) is able to act on behalf of the user (the CEO, CFO, super admin, etc.) and can view, store, delete and externalize corporate data and identity-related information.

Dimension 2: Community Trust Rating
Specific indicator: peer-driven, crowd-sourced evaluations
- Trust ratings by 750 corporate security teams for over 20,000 unique apps.
- Classifications, in combination with organization size, determine the reputation score of an app.
- Ratings are segmented by industry and geography as well as by classification reason.
- More reliable than vendor-based risk ratings.

Dimension 3: Application Cyber-Threat Intelligence
Specific indicator: research-based vulnerability ratings
- Comprehensive background check run by CloudLock's cybersecurity experts, based on security attributes of the app such as past breaches, security certifications, analyst reviews, app category, multifactor authentication, etc.
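The data-access dimension above, and the consent-screen request discussed earlier, come down to one question: what does the requested scope list actually let the app do? The Python below is an added example written for this edit, not CloudLock's CARI (whose formula the report does not publish). The scope strings are real Google API scopes; the resource/tier mapping, the tier ranking, the "no business case for write access" categories and the sample requests are assumptions made for illustration.

```python
"""Scope-based triage of an OAuth authorization request.

Added example for this report; it is not CloudLock's CARI, whose formula is
not published here. The scope strings are real Google API scopes; the
resource/tier mapping, the tier ranking and the "excessive for category"
rule are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Assumed ranking of what a scope lets the app do; higher is more dangerous.
TIER_RANK: Dict[str, int] = {"identity": 0, "read": 1, "write": 2, "admin": 3}

# Assumed mapping of scope -> (resource it touches, access tier).
KNOWN_SCOPES: Dict[str, Tuple[str, str]] = {
    "openid": ("profile", "identity"),
    "https://www.googleapis.com/auth/userinfo.email": ("profile", "identity"),
    "https://www.googleapis.com/auth/userinfo.profile": ("profile", "identity"),
    "https://www.googleapis.com/auth/drive.readonly": ("drive", "read"),
    # drive.file is limited to files the app created or the user opened with it
    "https://www.googleapis.com/auth/drive.file": ("drive", "write"),
    # the plain drive scope covers every file the user can see
    "https://www.googleapis.com/auth/drive": ("drive", "write"),
    "https://www.googleapis.com/auth/gmail.readonly": ("mail", "read"),
    "https://www.googleapis.com/auth/gmail.send": ("mail", "write"),
    # full mailbox access, including permanent deletion
    "https://mail.google.com/": ("mail", "write"),
    "https://www.googleapis.com/auth/admin.directory.user.readonly": ("directory", "read"),
    # can create, suspend and delete accounts across the whole domain
    "https://www.googleapis.com/auth/admin.directory.user": ("directory", "admin"),
}

# Assumed policy: these app categories have no business case for changing data.
NO_WRITE_CATEGORIES = {"game", "entertainment"}


@dataclass
class ScopeAssessment:
    tier: str                                           # highest tier requested
    findings: List[str] = field(default_factory=list)   # write/admin scopes, readable form
    unknown: List[str] = field(default_factory=list)    # scopes not in the table


def assess_scopes(scopes: Iterable[str]) -> ScopeAssessment:
    """Reduce a consent-screen scope list to its highest access tier plus findings."""
    result = ScopeAssessment(tier="identity")
    for raw in scopes:
        scope = raw.strip()
        if not scope:
            continue
        if scope not in KNOWN_SCOPES:
            result.unknown.append(scope)
            continue
        resource, tier = KNOWN_SCOPES[scope]
        if TIER_RANK[tier] > TIER_RANK[result.tier]:
            result.tier = tier
        if TIER_RANK[tier] >= TIER_RANK["write"]:
            result.findings.append(f"{tier} access to {resource} via {scope}")
    # Fail closed: an unrecognised scope is treated as at least write access
    # so the app lands in the review queue instead of being waved through.
    if result.unknown and TIER_RANK[result.tier] < TIER_RANK["write"]:
        result.tier = "write"
    return result


def is_excessive(app_category: str, assessment: ScopeAssessment) -> bool:
    """True when an app of this category asks for more than its category justifies."""
    return (app_category in NO_WRITE_CATEGORIES
            and TIER_RANK[assessment.tier] >= TIER_RANK["write"])


# Constructed sample requests: the app kinds are illustrative, the scopes are real.
GAME_REQUEST = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/drive",   # a mobile game has no need for this
]
SIGN_IN_ONLY = ["openid", "https://www.googleapis.com/auth/userinfo.email"]
ADMIN_TOOL = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/calendar.readonly",   # not in the table -> unknown
]

if __name__ == "__main__":
    for name, category, scopes in [("game", "game", GAME_REQUEST),
                                   ("sign-in only", "business", SIGN_IN_ONLY),
                                   ("admin tool", "business", ADMIN_TOOL)]:
        a = assess_scopes(scopes)
        print(f"{name:13} tier={a.tier:8} excessive={is_excessive(category, a)} "
              f"findings={a.findings} unknown={a.unknown}")
```

The game request is the pattern the "Top 10 Risky Apps" section describes: a sign-in scope plus full Drive access with no business reason. The unknown-scope rule is the part worth keeping in a real implementation; a scope table is never complete, and the safe default for a scope you cannot classify is review, not allow.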
27% of Third-Party Apps Classified as High-Risk

In some ways a connected application's risk level is in the eye of the beholder, and any application can become risky in the right (or wrong) circumstances. Of all the apps granted access to corporate systems in 2016, 27% were classified as high risk by security teams. Using CARI, security teams can see which applications users are authorizing and formulate actionable strategies for which ones should be banned, trusted, or automatically revoked based on risk level.

Percent of installs by risk (chart; 156,796 third-party apps): low risk 15%, medium risk 58%, high risk 27%.
No Industry Is Immune: Overwhelming Majority of Third-Party Apps Are Medium to High Risk

Interestingly, regardless of organization size, all industries and regions show a relatively even distribution of low-, medium- and high-risk applications. The percentage of risky apps is slightly higher in financial institutions, which is surprising given their strict compliance regulations and the high level of IT oversight over information sharing.
All Regions Are at Risk: Regulations Cannot Mitigate All Risk

Our hypothesis was that, due to stricter compliance regulations, European organizations would have a lower percentage of high-risk apps. That turns out not to be the case: corporations in the EMEA region (Europe, the Middle East and Africa) have a slightly higher concentration of risky apps than those in North America. Compliance programs need to extend beyond the data itself to the applications that access it. Regulations alone do not mitigate this risk.
Top 10 Risky Apps

To identify the top risky applications, we look at the most-installed apps rated high risk. Apps on this list are not necessarily risky by nature. But when they are authorized by a large number of privileged users, and/or when they request excessive access into the corporate environment with no legitimate business case, they could be damaging if compromised: whoever compromises such an app can act on behalf of its users and expose sensitive data.

- Clash Royale
- Goobric Web App
- My Talking Tom
- Evermusic Music Player
- Pingboard
- 8 ball pool
- Gunslugs 2
- ZigZag
- Fruit Ninja
Over Half of Third-Party App Bans Are Due to Security Concerns

Enterprise SaaS vendors typically offer a marketplace of third-party applications that have been vetted and have undergone security review, but users have no shortage of other ways to enable third-party apps, which raises questions of trustworthiness and security. Over half of the bans recorded for third-party apps assessed in 2016 were security-related: security professionals cited excessive access scopes in 24% of bans and subpar vendor trustworthiness (applications of questionable origin or intent) in 19%.
Top 10 Banned Apps

To run a secure enterprise, potentially dangerous third-party apps need to be managed carefully. Employees can still use these apps with their personal credentials, but if an app violates internal policy, requires excessive access, comes from a vendor that is not deemed trustworthy, or overlaps in functionality with a more secure and widely used app, an organization may ban it. These are the apps most commonly banned by organizations:

- WhatsApp Messenger
- Zoho Accounts
- SoundCloud
- Sunrise Calendar
- Power Tools
- Free Rider HD
- Madden NFL Mobile
- Pinterest
- Airbnb
- Code Combat
Trusted Apps

Most businesses require an Application Use Policy and a legitimate business case before approving a third-party app that connects to corporate systems. Security teams evaluate the risk level and approve apps that increase productivity, are required for work, or have proven to be useful tools. These are the apps most commonly trusted by organizations:

- Slack
- LinkedIn
- Asana
- Turnitin
- Lucidchart
- Smartsheet
- Zoom
- Zendesk
- HubSpot
- Quizlet
CyberLab Customer Case Study

Company: UK-based retailer, over 90,000 users

What happened: In just one year, the number of unique third-party apps increased from 2,107 to 5,262, with more than 50,000 installs. With thousands of potential backdoors into the corporate environment, the security team needed to identify and classify these apps and make decisions about them before a breach occurred.

The company set out to develop a high-level strategy to whitelist or ban apps based on criteria such as application category (business, social, entertainment, etc.), level of usage (number of installs), type of user (super admin vs. regular user), and access scopes. In a large enterprise with both in-house and remote users, the line between work and personal use is blurred, and it is challenging for IT to understand the specific needs of every department. With the number of apps increasing 2.5x over the course of a year, it was very difficult to come up with a scalable and realistic Acceptable Application Use Policy.

The senior executive team decided that any app rated high risk by CloudLock's CARI evaluation would be revoked unless explicitly whitelisted. This immediately reduced the number of unique apps by 34% and significantly lowered the associated risk.
Recommendations

Cloud application providers are making great strides in securing access at the infrastructure level and have never been more secure. But neglecting the extension of the perimeter introduced by third-party cloud applications can lead to great risk. CloudLock recommends the following practices for managing third-party applications:

- Understand what applications your users are authorizing, with a strong focus on the ones that connect into your corporate environment.
- Create a classification and decision hierarchy specific to your organization's needs, and a protocol for which apps are allowed, reviewed, or automatically revoked.
- Focus first on the apps with the most installs or the most users attached to them.
- Keep a close eye on admin accounts. A super admin account should never be used to grant access to a third-party app, because the grant carries enterprise-wide privileges.
- Evaluate the apps users are enabling for productivity and consider rolling them out enterprise- or department-wide. Consolidate apps where needed and standardize on those with the highest adoption.
- Continuously monitor your cloud environments at the application, platform and infrastructure layers to surface any suspicious activity indicating a possible breach.
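The recommendations above, together with the rule the retailer in the case study adopted (revoke any high-risk app unless it is whitelisted, and treat super admin grants separately), amount to a small decision protocol that can be run over an inventory of OAuth grants. The Python below is an added example written for this edit, not CloudLock's product logic. The inventory rows, user names, roles, risk tiers, whitelist and ban list are constructed sample data (the app names are taken from the report's own lists); the risk tier is assumed to come from an external index such as CARI.

```python
"""Decision protocol for connected third-party apps.

Added example, not CloudLock's own logic. It encodes the rules the report
recommends: revoke high-risk apps unless whitelisted, never honour a grant
made by a super admin, work the most-installed apps first. The inventory,
the whitelist and the ban list are constructed sample data; the risk tier
is assumed to come from an external index such as CARI.
"""
from collections import Counter
from typing import Dict, List, NamedTuple


class Grant(NamedTuple):
    app: str
    user: str
    role: str   # "user", "admin" or "superadmin"
    risk: str   # "low", "medium" or "high", from the risk index


# Assumed organisation policy lists.
WHITELIST = {"Smartsheet"}       # high risk accepted on a documented business case
BANLIST = {"Free Rider HD"}      # banned regardless of risk score


def decide(grant: Grant) -> str:
    """Return 'revoke', 'review' or 'allow' for one authorization."""
    if grant.app in BANLIST:
        return "revoke"
    if grant.role == "superadmin":
        # A super admin's token carries enterprise-wide privileges; no app
        # should hold one, whitelisted or not.
        return "revoke"
    if grant.risk == "high":
        return "allow" if grant.app in WHITELIST else "revoke"
    if grant.risk == "medium":
        return "review"
    return "allow"


def triage(inventory: List[Grant]) -> List[Dict[str, object]]:
    """Decide every grant and order the work by install count, largest first."""
    installs = Counter(g.app for g in inventory)
    rows = [{"app": g.app, "user": g.user, "role": g.role,
             "installs": installs[g.app], "action": decide(g)}
            for g in inventory]
    rows.sort(key=lambda r: (-r["installs"], r["app"], r["user"]))
    return rows


def summarize(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Count of grants per action, e.g. {'allow': 6, 'revoke': 4, 'review': 1}."""
    return dict(Counter(r["action"] for r in rows))


# Constructed inventory: app names come from the report's lists; the users,
# roles and risk tiers are invented for the example.
SAMPLE_INVENTORY = [
    Grant("Slack", "ann@example.com", "user", "low"),
    Grant("Slack", "bob@example.com", "user", "low"),
    Grant("Slack", "cy@example.com", "admin", "low"),
    Grant("Slack", "dee@example.com", "user", "low"),
    Grant("Clash Royale", "ann@example.com", "user", "high"),
    Grant("Clash Royale", "eve@example.com", "user", "high"),
    Grant("Clash Royale", "root@example.com", "superadmin", "high"),
    Grant("Smartsheet", "bob@example.com", "user", "high"),
    Grant("Smartsheet", "cy@example.com", "admin", "high"),
    Grant("Pingboard", "dee@example.com", "user", "medium"),
    Grant("Free Rider HD", "eve@example.com", "user", "low"),
]

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['installs']:3}  {r['app']:14} {r['user']:18} {r['role']:10} {r['action']}")
    print(summarize(rows))
```

Two design points are worth noting. Decisions are made per grant, not per app, because the same app can be acceptable from a regular user and unacceptable from a super admin. And the ban list is checked before the whitelist so that a ban decided on policy grounds (vendor trust, overlapping functionality) cannot be undone by a risk-based exception.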
Methodology

CloudLock based its findings on anonymized usage data across:
- 150,000+ unique apps
- 1 billion files
- 10 million users
CloudLock offers the cloud security fabric enabling enterprises to protect their data in the cloud, reduce risk, achieve compliance, manage threats and increase productivity. By analyzing 1 billion files for more than 10 million end users daily, CloudLock delivers the only complete, risk-appropriate and people-centric approach to cloud security. www.cloudlock.com info@cloudlock.com (781) 996-4332