CLOUD ADOPTION & RISK IN EUROPE REPORT. Q2 2015 Published Q3 2015




TABLE OF CONTENTS

- INTRODUCTION
- OVERVIEW OF CLOUD ADOPTION
- INSIDER THREATS IN THE CLOUD
- COMPROMISED CREDENTIALS
- MULTI-FACTOR AUTHENTICATION
- THERE'S NO TYPICAL USER
- HEAD IN THE CLOUDS
- SAFE STORAGE FOR EUROPEAN DATA
- THE CLOUD NEVER SLEEPS
- THE TOP CLOUD SERVICES

INTRODUCTION

"The biggest impact of the cloud is the ability to accelerate the rate of innovation for the business," says Frank Gens, senior vice president and chief analyst at IDC [1]. This is as true in Europe as anywhere else in the world. Cloud computing continues to grow in Europe, with a recent survey [2] of UK-based IT decision-makers showing that 84% are using cloud services today and most expect cloud adoption to continue to grow. The German IT association BITKOM quoted growth in enterprise cloud of 46% to 6.4B Euros in the last year [3], and in Sweden currently 64% of enterprise data is hosted in the cloud with an expectation that this will grow to 93% within two years [4]. This is not just a business phenomenon either, with the UK government G-Cloud platform showing sales of over £500M by March 2015 [5].

Given the focus on winning enterprises as customers, cloud service providers (CSPs) are increasing their investments to support industry security standards. At Skyhigh, we believe this is important for enterprises to securely embrace the cloud. However, only 2.8% of the CSPs in our global cloud registry have achieved ISO 27001 compliance, and so far only two vendors (Microsoft and Dropbox) have announced that they have achieved the relatively new ISO 27018 code of practice for personal data protection in public clouds. With the daily arrival of new services that lack proper certifications, the overall percentage of CSPs with ISO certification is declining.

European regulators are also taking ever-stronger attitudes to data loss and, unfortunately, cloud is one of the possible conduits for data exfiltration. Our data shows that on initial review, IT is generally aware of less than 10% of the services in use inside their organisations, and Gartner quotes that companies spend just 3.8% of their cloud budget on security [7].

[1] http://www.cio.com/article/2929806/cloud-computing/the-cloud-s-game-changer-is-competitive-advantage.html
[2] http://www.businesscloudnews.com/2015/05/12/cloud-adoption-nudges-past-80-per-cent-in-the-uk-survey/
[3] http://www.bitkom.org/de/presse/81149_80724.aspx
[4]
[5] http://www.v3.co.uk/v3-uk/news/2405608/g-cloud-sales-pass-gbp550m-mark
[6]
[7] https://www.skyhighnetworks.com/cloud-security-blog/gartner-companies-spend-just-3-8-of-cloud-budgets-on-security

To better understand these trends and the risks in cloud adoption, Skyhigh publishes this Cloud Adoption & Risk in Europe report. What makes this report unique is that it's based on actual usage data for over 2.5 million employees in European organizations, rather than surveys that ask people to self-report their behavior. In this quarter's report, we explore insider threats within these organizations and expose a worldwide black market of stolen login credentials that cyber criminals use to gain access to sensitive information in cloud services. We also detail the Top 20 enterprise and consumer cloud services in Europe, the top cloud services used to connect with partners, and how prolific one employee can be in terms of cloud usage and high-risk behavior.

OVERVIEW OF CLOUD ADOPTION

The average European organization uses 987 cloud services, an impressive growth of 61% over the same quarter a year ago, casting aside doubt that cloud use is mainstream throughout Europe. Another way of looking at this is that the average company is adding more than one new cloud service per day, reminding us that this is a rapidly changing market and the IT department needs constant updates to be able to manage both shadow and sanctioned cloud adoption. The average European organization uploads 12.3 TB to the cloud each month, an amount equal to around 7.6 million copies of War and Peace in digital form (at 1.7 MB per copy).

When employees bring cloud services into the work environment for increased productivity and efficiency without the knowledge or approval of IT, they may not realize the risk they're introducing to the organization. Just 7.0% of cloud services meet enterprise security and compliance requirements, as rated by Skyhigh's CloudTrust Program. Only 15.4% support multi-factor authentication, 2.8% have ISO 27001 certification, and 9.4% encrypt data stored at rest. Considering how much data European organizations upload to the cloud each month without proper controls, this data could be at risk for exfiltration.

[Figure: Average number of cloud services in use by European organizations]

- 2014 Q1: 588
- 2014 Q2: 614
- 2014 Q3: 724
- 2014 Q4: 782
- 2015 Q1: 805
- 2015 Q2: 987

nization uses far fewer services, it is worth noting that the minimum number of services we have seen in Europe is 507, from a company with less than 200 employees; while the highest number of services we have seen in Europe is greater than 3,000. Of the 987 cloud services in use by the average European organization, the most popular category is collaboration with 226 cloud services. This category includes services such as Microsoft services per organization (e.g. SourceForge, GitHub, etc.), content sharing with 54 services (e.g. with 38 services (Dropbox, Google Drive, etc.).

[Figure: The average organization in Europe uses many cloud services in each category]

- Business intelligence: 21
- Collaboration: 226
- Content sharing: 54
- Development: 80
- File sharing: 38
- Social media: 49
- Tracking: 34

INSIDER THREATS IN THE CLOUD

A cloud service may be secure, but employees can still use it in risky ways. While Edward Snowden is the most well-known example of an insider threat, most insider threat incidents are quiet and may not be uncovered by the company at the time, if at all. Consider the example of a salesperson who leaves a company, knowingly or unknowingly, with customer contact information when he or she decides to change employers. In many cases, the organization has no easy way to detect this type of behavior.

[Figure: Have you had an insider threat incident? Perception: just 18% of European companies surveyed reported an insider threat incident in the last year (Yes 18%, No 63%, Not sure 19%). Reality: but 87% of European companies had behavior indicative of an insider threat in the last quarter alone (Yes 87%).]

We surveyed organizations in partnership with the Cloud Security Alliance and found that just 18% of organizations knew of an insider threat incident in the last year. However, examining actual anomaly detection data collected across European users, we found that 87% of organizations had behavior indicative of an insider threat in the last quarter alone. While not all of these events turn out to be malicious activity, the incidence of potentially destructive behavior by employees is much higher than most European organizations realize.

COMPROMISED CREDENTIALS

There were more software vulnerabilities discovered and more data breaches in 2014 than any year on record. Following one of the largest breaches of the year, eBay prompted 145 million users to change their passwords after cyber criminals compromised their account credentials. University of Cambridge shows that 31% of passwords are re-used in multiple places. With the

[Figure: The darknet is home to millions of compromised passwords. 72.1% of European companies have at least one employee whose credentials are compromised; 8.5% of employees at European companies have at least one credential compromised.]

We found that 72.1% of European organizations have exposure to compromised credentials. While this number is lower than the overall average of 91.7% across the globe, even more concerning is that 8.5% of employees at European companies have at least one compromised this capability, we recommend European organizations use strong, unique passwords for each cloud service and change them regularly to limit exposure to compromised credentials.

MULTI-FACTOR AUTHENTICATION

The LastPass data breach, which occurred in June 2015, brought to light the importance and only have to KNOW something (a name and password), but also have to HAVE something (a token or, more commonly, a pre-authenticated mobile device) to gain access to an account. Any loss of just a name and password is less of a concern, as multi-factor authentication requires that any criminal will also need to get hold of, or spoof, an additional device before accessing the compromised service.

We strongly recommend that enterprises consider multi-factor authentication as a key component of safe cloud services. Currently only 15.4% of the 12,000+ cloud services support multi-factor authentication; we hope that this will increase in time.

[Figure: Support for multi-factor authentication remains low. Supported: 15.4%. Not supported: 84.6%.]

THERE'S NO TYPICAL USER

cloud services used by 175 users to determine whether people had the same or similar patterns of usage. What we found is that not all users have the same patterns, and that there are 31 possible accessed it and 25 of the 31 possible combinations were regularly in use. Our results show of the services. This goes to show that you can't assume or predict how your users will use services your users need.

[Figure: Cloud usage is not uniform across users. Overlap of users across Box, Office 365, Salesforce, Google Drive and Dropbox.]

HEAD IN THE CLOUDS

The average European employee uses 23 distinct cloud services including seven collaboration services, four file-sharing services, three social media services, and three content sharing services. What's troubling is that each employee is tracked by, on average, four marketing analytics and advertising services. These services are used to deliver targeted ads to users across the Internet, but they are also increasingly used by cyber criminals to determine the sites employees frequent most. Armed with this information, criminals attempt to compromise these sites in order to ultimately compromise the organization in what's known as a watering hole attack.

However, there are employees whose cloud usage is even more prolific. The most prolific cloud user across all European employees in our study uses an impressive 594 cloud services, including 101 collaboration services, 38 development services, 38 IT management services, and 22 content sharing services. While their behavior may be done with good intentions, unchecked cloud usage can also expose European organizations to risk.

[Figure: The most prolific cloud user in Europe. At work this employee uses 594 cloud services across collaboration, development, IT management and content sharing; 17.8% are high-risk services, against an industry average of 5.6%.]

Chances are, most of the services in use by this individual are not known by the IT department. Out of the 594 services, 106 are high-risk, compared to 5.6% across all cloud services globally. These services are often considered high-risk because they lack security controls, have onerous terms and conditions that claim ownership of uploaded data, or are hosted in high-risk countries without strong data protections. Among the high-risk services in use by this cloud collector are CodeHaus, a service that is used to store source code, DiffNow, a service used to highlight differences between 2 files, and DocumentCloud, a service used to share text documents like contracts.

SAFE STORAGE FOR EUROPEAN DATA

The European Union (EU) has taken a lead in data privacy since 1995, and every EU member country has a regime that defines data protection legislation for the country. The EU is also strengthening the existing laws, with expectations of a new Data Protection Regulation being agreed upon by the end of 2015. One of the areas covered by the existing directive and new regulation is where data on European individuals can be transferred. Except in exceptional circumstances, data on individuals should stay in Europe, the European Economic Area, within countries with equivalent data privacy regulations or within U.S. services that have signed up for the U.S. government's Safe Harbor agreement.

[Figure: A Safe Place for EU Personal Data. European companies are using many cloud services that do not meet data residency requirements.]

- Hosted in the EU: 14.3%
- Hosted in country with equivalent privacy: 3.6%
- US hosted with Safe Harbor: 17.2%
- Cloud services that should not hold EU data: 64.9%

Skyhigh's global cloud registry tracks over 12,000 cloud services. We found that 14.3% of cloud providers store data inside the EU, 3.6% are in countries with equivalent data protection and 17.1% are U.S.-hosted and have signed up for the Safe Harbor regulations; this means that 64.9% are not safe for EU data. While the gap between European data privacy requirements and the reality of cloud services in use today is substantial, it is shrinking. In Q4 of 2014, 74.3% of services were not suitable to host EU data.

THE CLOUD NEVER SLEEPS

Flexible working has probably been one of the significant changes in the last decade, balancing home life and work life to the benefit of both the employee and employer. One aspect of this is the amount of work being conducted during what would normally be considered weekends. We analyzed usage by day of the week and found European employees are most prolific in cloud usage on Fridays, while cloud usage for their American counterparts peaks on Tuesdays and declines the remainder of the week. However, weekend usage did not fully drop to zero, reminding IT departments that there may be risks happening around the clock, as risk to the organization doesn't stop for the weekend.

[Figure: Cloud Usage by Day of Week. Percentage of cloud usage for each day of the week.]

- Mon.: 14.6%
- Tues.: 18.4%
- Wed.: 15.0%
- Thurs.: 18.0%
- Fri.: 19.5%
- Sat.: 6.8%
- Sun.: 7.8%

THE TOP CLOUD SERVICES

From the perspective of a software company, developing a cloud service is very different from software installed by the customer. The cloud has freed developers to reimagine enterprise software with delightful user experiences, innovative new features, and access from mobile devices. With faster release cycles and updates that occur immediately across all customers, cloud applications are not only more cost effective to manage, they're often first to market with innovative features. That's why an increasing number of European organizations are deploying the top enterprise cloud services, not because they're the best cloud version available but because they are the best software available, period. That's also why we wanted to look at the top services based on user count.

TOP 20 ENTERPRISE CLOUD SERVICES in Europe

1. Microsoft Office 365
2. Salesforce
3. Oracle RightNow
4. Cisco Webex
5. ServiceNow
6. Oracle Taleo
7. Box
8. Jive
9. Concur
10. Zendesk
11. Workday
12. ADP
13. SAP Human Capital Management
14. SAS OnDemand
15. SuccessFactors
16. Yammer
17. GoToMeeting
18. Blue Jeans
19. NetSuite
20. OpenText BPM

Consumer-grade cloud services today are so good that they can easily rival enterprise software. It's no wonder, then, that employees bring cloud services to work in order to do their jobs better. However, these services can also increase organizational risk. In order to exfiltrate sensitive data undetected, cyber criminals deploy an array of sophisticated kill chains that leverage consumer cloud services. Skyhigh has detected attacks using Twitter to exfiltrate data 140 characters at a time and another that encoded stolen data into videos that were uploaded to YouTube.

TOP 20 CONSUMER CLOUD SERVICES at work in Europe

1. Facebook
2. LinkedIn
3. Flickr
4. YouTube
5. Twitter
6. Dropbox
7. Pinterest
8. Gmail
9. Vimeo
10. StumbleUpon
11. Tumblr
12. Instagram
13. Google Drive
14. Yahoo! Mail
15. VK
16. SlideShare
17. Spotify
18. Evernote
19. Skype
20. Xing

ABOUT SKYHIGH NETWORKS

Skyhigh Networks, the cloud security and enablement company, helps enterprises safely adopt cloud services while meeting their security, compliance, and governance requirements. Over 400 enterprises including Aetna, Cisco, DIRECTV, HP, and Western Union use Skyhigh to gain visibility into all cloud services in use and their associated risk; analyze cloud usage to identify security breaches, compromised accounts, and insider threats; and seamlessly enforce security policies with encryption, data loss prevention, contextual access control, and activity monitoring. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital, and Salesforce.com. For more information, visit us at www.skyhighnetworks.com, and follow us on Twitter @skyhighnetworks.

UNCOVER SHADOW IT

If you'd like to learn the scope of Shadow IT at your company, including detailed statistics profiled in this report, sign up for a complimentary cloud audit: bit.ly/complimentarycloudaudit

"With Skyhigh we discovered a wide range of services, allowing us to understand their associated risks and put in place policies to protect corporate data."
Steve Martino, VP Information Security