Cloud study exposes a lack of readiness for EU data

In Europe, the number of cloud services in use by the average company increased 23 percent, rising from 588 in Q1 to 724 in Q3. However, not all of these services are ready for the enterprise. Developed in conjunction with the Cloud Security Alliance, Skyhigh’s Cloud Trust Program tracks the attributes of cloud services and ranks them according to risk. The report found that only 9.5 percent of all services met the most stringent security requirements including strong password policies and data encryption.

The report also revealed a worrying lack of conformance to the EU Data Protection Directive, particularly with regards to the transfer of personally identifiable information outside Europe. Skyhigh found that nearly three quarters (74.3%) of the cloud services used by European organisations do not meet the requirements of the current privacy regulations, with data being sent to countries without adequate levels of data protection. With stricter policies and harsher penalties set to come into force soon, organisations have just a short window to address these issues.

“The growth in cloud services being used in Europe shows the benefits users see in the services on offer,” said Rajiv Gupta, CEO, Skyhigh Networks. “On the other hand, the IT department needs to make sure that these services don’t put the organisation’s intellectual property at risk. This report provides real-world traffic data to shine a light on the extent of shadow cloud usage.”

Echoing the last report, much of the adoption of cloud services still remains under the radar of IT departments, with 76 percent of IT professionals not knowing the scope of Shadow IT at their companies but want to know. As such, a key problem that IT teams face is the enforcement of an acceptable use policy. The report found that IT personnel are often surprised when it is discovered that cloud services that they believe to have been blocked are actually being used by employees. As part of the study, Skyhigh surveyed IT professionals to understand their expected block rates for certain cloud services, and then compared this to actual block rates measured in the wild. The resulting ‘cloud enforcement gap’ was surprising, for example 89 percent of IT professionals intended to block Dropbox, but only 1 percent of organisations blocked the service comprehensively.

In terms of trends, the report found that 80 percent of all corporate data uploaded to the cloud is sent to just 15 percent of cloud services, which makes it easier for IT teams to prioritise security and risk analysis. The top destination for corporate data in Europe is Microsoft Office 365, followed by Salesforce. However, there’s a long tail of services below these top 15 and this is where 72.5% of the compromised accounts, insider threats and malware originate.

“The gap between perception and reality uncovered by this study is worrying, as so much corporate data is being uploaded to cloud services that IT teams believe they have blocked,” continued Gupta. “It only takes one misstep to cause a serious security or compliance threat to an organisation. As such, mechanisms should be in place not only to discover which cloud services are being used, but also to analyse the risk profile of these services and understand the true implications for enterprise data security.”

Finally, by digging deeper into the statistics, the report has for the first time revealed the behaviour of the most ‘dangerous’ cloud user in Europe. This person accessed 71 high-risk cloud services and uploaded greater than 17.5GB of data in a three month period, the equivalent of 8,750 copies of War and Peace. This highlights the threat a single rogue user could pose to an organisation and its data.