The transformative impact of cloud adoption
Back in 2011, entrepreneur and investor Marc Andreessen wrote about how software impacts nearly all areas of modern life. The principal platform for software applications today is not a hard drive; it’s a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It’s also transforming how businesses operate. Studies have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6% faster than their counterparts that don’t.
Similar to previous shifts in technology, such as the rise of the PC and the Internet, the cloud creates new and significant concerns among business leaders about the potential for headline-making security incidents. Because employees often bring their own apps to work, companies typically don’t know which ones are being used to store corporate data. Even within the cloud services purchased by a company’s IT department, there is limited visibility into user behavior and how sensitive information is accessed and shared.
To better understand these trends, Skyhigh Networks publishes a Cloud Adoption & Risk Report, the first and most comprehensive report of its kind. What makes our report unique is that we base our findings on actual usage data for over 30 million users worldwide, across over 600 enterprises who use Skyhigh CASB.
When sharing is erring
Cloud-based file sharing and collaboration services such as Box, Dropbox, Google Drive, OneDrive, and SharePoint Online are popular. While they initially offered users the ability to synchronize their files across devices, many of these services are now full-fledgedx collaboration platforms that enable users to share files and edit the same file with other people around the world in real time. in the most recent quarter, the percent of files in these services that are shared hit an all-time high of 43.1%. Of the 43.1% of files that are shared, 71.5% are shared with individual users in this manner, while another 28.3% are shared with an individual at a business partner.
Internal and external threats
The number of cloud-related threats hit an all-time high last quarter. The average number of monthly incidents per organization reached 23.2, an 18.4% increase year over year. Broken down by category, these threats include insider threats (both accidental and malicious), privileged user threats, compromised accounts, and attacks that leverage the cloud as a vector for data exfiltration. Virtually every organization experiences at least one cloud-based threat each month.
The cloud threat funnel
The average organization today generates over 2.7 billion unique transactions in cloud services each month (e.g. user login, upload files, edit document, etc.). With this volume of data, it would be impossible to manually search through an audit trail of user activity to identify potential threats. In response, organizations are investing in user and entity behavior analytics (UEBA) tools, which use machine learning to identify anomalous events against the background noise of everyday activity.
More cloud services launch every week and the percentage of cloud services that are enterprise ready increased slightly this quarter. The average organization now uses 1,427 cloud services, an increase of 23.7% over the same quarter last year. The year-over-year growth in the number of services used by the average enterprise increased slightly from 21.% in the prior quarter, but it is below the historical average growth rate of 35.5%. Enterprise cloud services account for 71.3% of the services in use by the average organization, while consumer services represent 28.7% of the services in use.
Usage by industry
Broken down by industry, there are clear trends in both the variety of cloud services used by organizations and users as well as the volume of data uploaded each month. Technology companies use a wider variety of cloud services than any other industry, with the average company using 2,033 distinct cloud services. That’s followed by manufacturing (1,837 services), and business services (1,771 services). Government agencies use the fewest cloud services, on average, at just 944 per agency.
Cloud usage by category
Collaboration continues to be the category with the greatest variety of cloud services in use by a wide margin. The average organization uses 210 distinct collaboration services, followed by 76 file sharing services and 67 development services.
The IaaS Triumvirate
Enterprises are moving an increasing number of home-grown cloud services they had previously deployed in their data centers and private clouds to the public cloud. As an early pioneer in infrastructure as a service (IaaS), Amazon maintains the highest market share. However, in the past two years, Microsoft Azure has rapidly emerged as a major player in the public cloud infrastructure market.
A recent report found that 61% of large enterprises have a cloud governance policy. As enterprises begin to take control of their cloud usage, one of the steps they take is categorizing services into groups based on their risk to the organization.
Approved and permitted services
Approved services account for 5.4% of cloud services and are sanctioned by the corporate IT department and often purchased and deployed by the company. Permitted services make up 63.4% of services. They are introduced by employees and business units; however, they have business value and, with appropriate security controls, can be used without introducing an unacceptable level of risk.
The final governance category implemented by enterprises, “Not Allowed”, includes cloud services deemed too risky for corporate use. They account for 31.3% of services, which include PDF converters that claim ownership of all data uploaded to them. Since the only function of such service is to convert a file to a PDF, it would not make sense to enable the service in read-only mode.
The cloud enforcement gap
Comparing the services that are not allowed based on an enterprise cloud governance policy and actual block rates, we found there can be a wide gap between what IT thinks it’s blocking and actual blocking rates. There are three primary causes for this gap: cloud services regularly introduce new URLs and IP addresses that are not blocked by firewalls and web proxies, access policies are not standardized across global egress infrastructure, and organizations fall victim to exception sprawl.