
CLOUD ADOPTION RISK REPORT

Table of Contents

INTRODUCTION
SENSITIVE DATA IN THE CLOUD
    Types of Sensitive Data
    What's in a Name?
    Worst Employee of the Month
SHARING AND COLLABORATION
    File Sharing Reaches an All-Time High
    When Sharing is Erring
    The Shadow Code Repository
INTERNAL AND EXTERNAL THREATS
    Your Own Worst Enemy
    Compromised Accounts
    Data Exfiltration
USAGE TRENDS
    Average Number of Services
    Security Controls Vary by Provider
    Usage by Platform
THE TOP CLOUD SERVICES
    Top 20 Enterprise Cloud Services
    Top 20 Consumer Cloud Services
    Top 10 File Sharing Services
    Top 10 Collaboration Services
    Top 10 Social Media Services
OUR METHODOLOGY

Introduction

Four years ago, entrepreneur and investor Marc Andreessen wrote about how software impacts nearly all areas of modern life. [1] The primary platform for software applications today is not a hard drive; it's a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It's also transforming how businesses operate. Studies have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6% faster than their counterparts that don't. [2]

Because employees often bring their own apps to work, companies typically don't know which ones are being used to store corporate data. Even within the cloud services purchased by a company's IT department, there is limited visibility into user behavior and how sensitive information is accessed and shared. Similar to previous shifts in technology, such as the rise of the PC and the Internet, the cloud creates new and significant concerns among business leaders about the potential for headline-making security incidents.

To better understand these trends, Skyhigh Networks publishes a Cloud Adoption & Risk Report, the first and most comprehensive report of its kind. What makes our report unique is that we base our findings on actual usage data for over 23 million users worldwide, more than any other similar study. In this report, we detail the types of sensitive data stored in cloud services, how that data is shared within organizations and with third parties, and how risky employee behavior can expose data. We also examine the external threats that use the cloud to exfiltrate sensitive data pilfered from on-premises systems as well as attacks directed at sensitive data stored in cloud services. Finally, we cover general usage trends including the top most widely used cloud services.

[1] Wall Street Journal, "Why Software is Eating the World"
[2] Vanson Bourne, "The Business Impact of the Cloud"

Sensitive Data in the Cloud

Across industries, organizations must protect a wide range of sensitive information from cyber attacks and accidental disclosure, and that data is increasingly stored in the cloud. All told, 15.8% of all documents uploaded to cloud-based file sharing services contain sensitive information, where they are just a few clicks away from being shared externally. The majority of these files, 58.4%, are Microsoft Office documents, followed by Adobe PDF files. The remaining 22.8% is comprised of over 500 different file formats ranging from CAD diagrams to Java source code.

TYPES OF SENSITIVE DATA

Across all documents uploaded to file sharing services, the most common type of sensitive content is confidential company data (e.g. financial records, business plans, source code, trading algorithms, etc.). A total of 7.6% of documents in file sharing services contain confidential data. That's followed by personally identifiable information (e.g. Social Security numbers, tax ID numbers, phone numbers, addresses, etc.) at 4.3% of all documents. Next, 2.3% of documents contain payment data (e.g. credit card numbers, debit card numbers, bank account numbers, etc.). Finally, 1.6% of documents contain protected health information (e.g. patient diagnoses, medical treatments, medical record IDs, etc.).

WHAT'S IN A NAME?

As recent high-profile data breaches demonstrate, cyber criminals are seeking out documents containing company budgets, employee salaries, and employee Social Security numbers. Their goal is often to disrupt the operations of these companies or use this information for financial gain. It's not uncommon for employees to use words like "bonus", "budget", or "salary" in file names. The average organization stores thousands of such documents in file sharing services.

[Figure: Files Containing Keyword in the File Name (average per organization by file type)]

A surprising number of employees store passwords in Excel spreadsheets, Word documents, and other formats in the cloud. As an aside, security experts recommend against storing your passwords in an unencrypted file labeled passwords.xlsx, whether in the cloud or on your PC. People in IT security are not immune from this type of risky behavior. For example, in the Hacking Team breach, it was discovered that members of the IT security team stored critical passwords in unencrypted files that were stolen by hackers.

Users also upload image and PDF copies of passports, PowerPoint files with information on competitors, local database files from programs such as Microsoft Access with employee salaries, and draft press releases that could be used for insider trading. The average company has hundreds of MSG and EML format email files containing sensitive information, exported from email programs such as Outlook. When exported, their file names usually contain the email subject. In a later section we'll examine how many files are shared externally, and how many are publicly accessible to anyone on the Internet.

[Figure: Files Containing Keyword in the File Name (average number per organization across file sharing services)]

WORST EMPLOYEE OF THE MONTH

Across all users, 28.1% of employees have uploaded a file containing sensitive data to the cloud. Depending on the sensitivity of the data and the company's industry, this may be permitted; however, many companies have compliance requirements that may be violated when data is stored unencrypted in the cloud. These files may also be publicly disclosed with the wrong collaboration settings.

Illustrating how much damage a single person can do, we ranked users by the number of sensitive files they uploaded to the cloud this quarter. The worst offender uploaded 284 unencrypted documents containing credit card numbers to a file sharing service. In second place, a user uploaded 46 documents labeled "private" and 60 documents labeled "restricted" based on the company's document classification system. Another user uploaded 88 documents containing Social Security numbers. All three did so in violation of their respective companies' policies. Just one of these files could ignite a wave of lawsuits and investigations if accidentally shared publicly, highlighting the potential risk of unmanaged file sharing.

Sharing and Collaboration

Cloud-based file sharing and collaboration services such as Box, OneDrive, SharePoint Online, Dropbox, ShareFile, and Google Drive are popular. While they started by offering users the ability to synchronize their files across devices, many of them are now full-fledged collaboration platforms allowing users to share files and edit the same file with other people around the world in real time. The average company uploads 5.6 TB of data to file sharing services each month. Overall, the average organization shares documents with 849 external domains via these services.

FILE SHARING REACHES AN ALL-TIME HIGH

The percentage of files that are shared via file sharing services hit an all-time high in Q3 2015. Of all documents stored in file sharing services, 37.2% are shared with someone other than the document's owner. That's higher than this same period last year, when 27.0% of files were shared. One potential reason is that users increasingly seek to use these services for sharing data with other people rather than merely syncing files across their own devices. While enhanced collaboration between colleagues and business partners is a positive development, the ease with which sensitive data can be shared also carries the risk that a sensitive file may be unintentionally shared too broadly and outside of policy.

[Figure: Sharing Within File Sharing Services (percent of files shared)]

WHEN SHARING IS ERRING

Of the 37.2% of documents that are shared, 71.6% are shared internally with select users. A noteworthy 12.9% of shared documents are shared with all employees within an organization. Another 28.2% of these documents are shared with business partners. Of shared files, 5.4% are accessible by anyone with a link. These links are easily forwarded and can create risk since the organization cannot audit or control who is viewing the document. Further, 2.7% of these files are actually publicly accessible and indexed by Google. Another way files can be shared externally is with personal email accounts such as Gmail, Yahoo! Mail, and Hotmail. A total of 6.0% of shared files are shared with personal emails.

For files that are shared externally (with business partners, personal emails, or publicly accessible online), 9.2% contain sensitive data. That's lower than the overall average of 15.8% across all documents, but it shows that organizations need to educate employees about the risks of sharing certain types of data and enforce policies defining how and with whom sensitive data can be shared.

[Figure: Breakdown of Sharing Actions (percent of shared files with an associated sharing action)]
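The sharing categories described in this section and the file-name keywords from "What's in a Name?" can be combined into an audit over a file sharing inventory. The following Python is an added example, not part of the report or of Skyhigh's tooling; the record fields, the example.com and partner.example.net domains, and the inventory rows are constructed assumptions.

```python
from dataclasses import dataclass, field

# Keywords the report says employees put in file names ("password" also matches passwords.xlsx).
SENSITIVE_KEYWORDS = ("bonus", "budget", "salary", "password")
# Domains of the personal email services the report names (Gmail, Yahoo! Mail, Hotmail).
PERSONAL_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
# The report's "shared externally" categories, plus link sharing that cannot be audited.
RISKY_ACTIONS = {"business_partner", "personal_email", "public", "anyone_with_link"}


@dataclass
class FileRecord:
    """One inventory row; the field names are hypothetical, not a vendor schema."""
    name: str
    owner: str
    collaborators: list = field(default_factory=list)  # email addresses
    all_employees: bool = False
    link_access: str = "none"  # "none" | "anyone_with_link" | "public_indexed"


def sharing_actions(rec, company_domain):
    """Map a record to the sharing categories used in the report's breakdown."""
    actions = set()
    if rec.link_access == "public_indexed":
        actions.add("public")
    elif rec.link_access == "anyone_with_link":
        actions.add("anyone_with_link")
    if rec.all_employees:
        actions.add("all_employees")
    for addr in rec.collaborators:
        if addr.lower() == rec.owner.lower():
            continue  # the owner is not a sharing target
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain == company_domain:
            actions.add("internal_select")
        elif domain in PERSONAL_EMAIL_DOMAINS:
            actions.add("personal_email")
        else:
            actions.add("business_partner")
    return actions


def name_keywords(filename):
    """Return the sensitive keywords that appear in a file name."""
    lowered = filename.lower()
    return [kw for kw in SENSITIVE_KEYWORDS if kw in lowered]


def sharing_breakdown(records, company_domain):
    """Percent of shared files carrying each action; one file can carry several."""
    shared = [a for a in (sharing_actions(r, company_domain) for r in records) if a]
    counts = {}
    for actions in shared:
        for action in actions:
            counts[action] = counts.get(action, 0) + 1
    return {k: round(100 * v / len(shared), 1) for k, v in sorted(counts.items())}


def audit(records, company_domain):
    """Flag files with a sensitive keyword in the name and a risky sharing action."""
    findings = []
    for rec in records:
        risky = sharing_actions(rec, company_domain) & RISKY_ACTIONS
        keywords = name_keywords(rec.name)
        if risky and keywords:
            findings.append((rec.name, keywords, sorted(risky)))
    return findings


# Constructed sample inventory (not data from the report).
SAMPLE_INVENTORY = [
    FileRecord("Q3_budget_forecast.xlsx", "alice@example.com", ["bob@example.com"]),
    FileRecord("passwords.xlsx", "bob@example.com", ["bob.home@gmail.com"]),
    FileRecord("salary_bands_2015.docx", "carol@example.com", link_access="anyone_with_link"),
    FileRecord("team_lunch_menu.pdf", "dave@example.com", link_access="public_indexed"),
    FileRecord("roadmap.pptx", "erin@example.com",
               ["frank@example.com", "gina@partner.example.net"]),
    FileRecord("RE bonus plan.msg", "hank@example.com", all_employees=True),
    FileRecord("notes.txt", "ivy@example.com"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, "example.com"):
        print(finding)
    print(sharing_breakdown(SAMPLE_INVENTORY, "example.com"))
```

The breakdown percentages sum to more than 100% because a single file can carry several sharing actions, which is also why the report's own sharing figures do not add up to 100%.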

THE SHADOW CODE REPOSITORY

Despite the popularity of code repositories such as GitHub and SourceForge, users also store files containing code in file sharing services and rely on these services to send large files to other users. The most common programming languages found in file sharing services include JavaScript, Objective-C, and Python. The average organization has thousands of code-containing files stored in the cloud, and 14.8% of these files are shared externally. Many of the individuals with sharing permissions for these files are likely business partners. However, 6.1% of these files are accessible by anyone with a link, increasing the risk that source code, financial trading algorithms, and new applications under development could be exposed if these links are forwarded more broadly beyond the users who initially received them.

[Figure: Most Common Programming Languages (average number of code-containing files in file sharing services per organization)]

Internal and External Threats

Owing to the scale of corporate data stored in the cloud today, security incidents are no longer isolated to PCs and applications on the network. The average organization experiences 19.6 cloud-related security incidents each month. These events include insider threats (both accidental and malicious), privileged user threats, compromised accounts, and attacks that leverage the cloud as a vector for data exfiltration.

[Figure: Data Under Siege (percent of organizations experiencing threats by threat type)]

YOUR OWN WORST ENEMY

The average organization experiences 9.3 insider threat incidents each month, and 89.6% of organizations experience at least one per month on average. Insider threats include behaviors that unintentionally expose an organization to risk, such as mistakenly sharing a spreadsheet with employee Social Security numbers externally. They also include malicious activity, such as exfiltrating proprietary data. Privileged user threats, such as administrators or privileged users accessing data they should not, occur monthly at 55.6% of organizations, with the average company experiencing 2.8 each month.

COMPROMISED ACCOUNTS

Slightly more than two thirds of organizations experience account compromises each month. On average, organizations experience 5.1 incidents each month in which an unauthorized third party exploits stolen account credentials to gain access to corporate data stored in a cloud service. Earlier research by Skyhigh has shown that 92% of companies have cloud credentials for sale on the Darknet. Many business-critical cloud services support multi-factor authentication, and companies can reduce their exposure to account compromise by enabling this feature.

DATA EXFILTRATION

In order to exfiltrate stolen data from on-premises systems of record, hackers are increasingly turning to public cloud services, which are often unmonitored. The average organization experiences 2.4 cloud-enabled data exfiltration events each month and the average incident involves 410.0 MB of data. One example we've uncovered is a cyber attack in which malware that infected an employee's laptop used Twitter to exfiltrate the stolen data, 140 characters at a time, across 86,000 tweets.

Usage Trends

More cloud services are being launched every week and the percentage of cloud services that are enterprise-ready increased this quarter. Put together, organizations have never had more cloud apps to choose from that provide robust levels of security for enterprise data. Cloud adoption in the workplace continued to increase this quarter, albeit at a slower pace than last quarter. Companies and employees both actively use a greater variety of cloud services.

AVERAGE NUMBER OF SERVICES

The average organization now uses 1,154 cloud services, an increase of 6.6% over last quarter. Enterprise cloud services account for 72.9% of the services in use by the average company, while consumer services represent 27.1%.

[Figure: Cloud Usage Over Time (average number of cloud services in use per organization by type)]

Collaboration continues to be the category with the greatest variety of cloud services in use by a wide margin. The average organization uses 174 distinct collaboration services (e.g. Cisco WebEx, Evernote, etc.) followed by 61 file sharing services (e.g. Dropbox, Google Drive, etc.) and 57 development services (e.g. SourceForge, GitHub, etc.). On the one hand, the multiplying number of cloud services that companies use in each category indicates we're in the early days of the market as new entrants regularly emerge with better capabilities. However, companies that use many redundant services in each category can actually end up discouraging collaboration and introducing friction as users must log in to different apps to work with different teams.

[Figure: Cloud Usage by Category (average number of cloud services in use per organization by category)]

The average employee actively uses 30 cloud services at work, including 8 collaboration services, 5 file sharing services, and 4 content sharing services (e.g. YouTube, Flickr, etc.). The cloud market is early in its development, and while there are cloud services that stand out in terms of user count (which we'll see later in the report), few categories have a dominant provider. Users are still able to find unique functionality to justify using several cloud services in each category.

SECURITY CONTROLS VARY BY PROVIDER

Across over 16,000 cloud services in use today, only 8.1% meet the strict data security and privacy requirements of enterprises as defined by Skyhigh's CloudTrust Program. Digging deeper, we find that fewer than 1 in 10 providers store data at rest encrypted, and even fewer support the ability for a customer to encrypt data using their own encryption keys. Encryption using customer-managed keys is rapidly becoming a requirement for organizations to store data in the cloud while meeting requirements dictated by industry regulations and national data privacy laws.

Concerns persist about what happens to data once uploaded to a cloud provider. Fewer than half of providers specify that customer data is owned by the customer (the rest either claim ownership over all data uploaded, or don't legally specify who owns the data). An even smaller number of cloud providers delete data immediately on account termination, with the remainder keeping data up to one year or even claiming the right to maintain copies of data indefinitely. Very few cloud providers commit to not share customer data with third parties, such as advertisers or governments, unless under a legal order.

USAGE BY PLATFORM

Windows desktop users, on average, use a greater variety of cloud services than any other platform. The average Windows PC accessed 18.3 distinct cloud services in September 2015. That's 47.6% higher than September 2014.

[Figure: Cloud Usage by Platform (average number of cloud services in use by device type)]

On average, Windows desktop users access 77.7% more cloud services than the average Mac desktop user. Mac users accessed 10.3 services on average at the end of the quarter. Meanwhile, cloud usage on iOS is soaring. The average number of cloud services in use on each iOS device surpassed Mac computers for the first time this quarter. In the last 12 months, the number of services in use on an average iOS device surged 88.1% to 11.1 distinct services accessed per device per month. Android users access fewer cloud services. The average Android device accesses 10.0 cloud services, an increase of 81.8% over this time last year. Across mobile platforms, cloud usage grew 62.9% year over year.

Another way to look at usage by platform is to examine the volume of data users upload to the cloud. From this perspective, the average Windows desktop user uploads more data than users of any other device type. On mobile, Android users are much more prolific uploaders than iOS or Windows Phone users. Users of Android devices upload on average over three times as much data to the cloud compared with the average iOS user.

[Figure: Data Uploaded to the Cloud (average amount of data uploaded per month by device type, MB)]

The Top Cloud Services

In "The Wisdom of Crowds", James Surowiecki explores the idea that a large group of individuals are better at making decisions than an elite few. While this assertion can certainly be challenged, it led us to look at the cloud services that attract the most active users as a proxy measurement for the cloud services that have real-world utility for a broad range of businesses.

TOP 20 ENTERPRISE CLOUD SERVICES

In Q3, 72.9% of the cloud services in use by the average company were enterprise cloud services and these services accounted for 71.8% of data employees uploaded to the cloud at work. Office 365 is the top enterprise cloud service by user count, followed by Salesforce and Cisco WebEx. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have enterprise-class security controls than the average enterprise cloud service (85% vs 9.9%).

[Figure: Top 20 Enterprise Cloud Services (global)]

TOP 20 CONSUMER CLOUD SERVICES

Consumer cloud applications accounted for 27.1% of the cloud services in use in the average workplace and 28.2% of data businesses upload to the cloud. Social media, content sharing, and collaboration services dominate the top 20 list. Only one service on the top 20 list is enterprise ready (5%) versus the overall average of 3.5% across all consumer services. It's clear security isn't a strong factor in the cloud service selection process for consumer services compared with enterprise services.

[Figure: Top 20 Consumer Cloud Services (global)]

TOP 10 FILE SHARING SERVICES

Google Drive continues to occupy the top spot on our ranking of file sharing services by number of active users for the third quarter in a row. It's followed by Dropbox, Box, and OneDrive. This quarter, WeTransfer surpassed 4shared to take the 8th spot on the list and Amazon FireDrive returned to the top 10 list. We included both personal and business users for each file sharing service in our user count.

[Figure: Top 10 File Sharing Services (ranked by active user count)]

TOP 10 COLLABORATION SERVICES

Microsoft Office 365, Gmail, and Cisco WebEx continue to take the first three spots on the list of collaboration services this quarter. Yammer has reclaimed the 5th position, overtaking Yahoo! Mail in user count. GoToMeeting moved slightly down to the 7th position; however, it is still solidly higher in the rankings than this time last year. Prezi continued its slide in ranking, dropping to the 10th position this quarter.

[Figure: Top 10 Collaboration Services (ranked by active user count)]

TOP 10 SOCIAL MEDIA SERVICES

The triumvirate of Facebook, Twitter, and LinkedIn still dominates the social media category. Tumblr has continued to drive active users following its acquisition by Yahoo! in 2013. Russian social media service VK and Chinese site Sina Weibo round out the top 6. Myspace overtook Foursquare for the 7th position this quarter.

[Figure: Top 10 Social Media Services (ranked by active user count)]

Our Methodology

To bring you these findings, we analyzed aggregated, anonymized cloud usage data for over 23 million users worldwide at companies across all major industries including financial services, healthcare, public sector, education, retail, high tech, manufacturing, energy, utilities, legal, real estate, transportation, and business services. Collectively, these users generate over 2 billion unique transactions in the cloud each day. We compiled their usage in an extensive cloud activity graph, revealing trends in usage against behavioral baselines across time. Our cloud service registry tracks over 50 attributes of enterprise readiness and allows us to analyze behavior using detailed data signatures for over 16,000 cloud services.

Get a free, personalized audit of your cloud usage today

We'll analyze your usage of shadow and sanctioned cloud services free of charge and deliver a findings report summarizing: all cloud services in use and their associated risk; sensitive data stored in the cloud and who has access; collaboration and sharing with third parties; potential insider threats and compromised accounts; anomalous events indicating potential data exfiltration; and excessive user permissions and dormant accounts.

"Skyhigh allows us to have more control over data security by adding an additional layer of protection beyond what the typical cloud service provider can offer." Jenai Marinkovic, Chief Security Officer

Request a Complimentary Cloud Audit: http://bit.ly/q32015auditoffer

To gain visibility and control over the cloud, contact us today. 1.866.727.8383 skyhighnetworks.com