How many cloud services do you think your employees are using? CIOs guess their firm is exposed to, on average, 30-42 cloud applications. The actual number averages 662.
Despite having the highest blocking rate of the industries, financial services alone averages 548, although one international financial firm recently hit 1,616. This is according to SkyHigh Networks, a cloud visibility and enablement company dedicated to shedding light on cloud security and compliance.
Surely CIOs have a suspicion that employees are using unapproved services, but how does the number get so high?
The breach of mobile policy and high adoption of unapproved apps is hardly malicious, explains Rajiv Gupta, CEO and founder of Skyhigh Networks. Taking notes in a meeting with EverNote may not be an enterprise-approved method but the employee is only trying to be more productive. Block the use of EverNote and the employee will just find an alternative application, which may be even less secure.
"Some folks think the cloud is something they can somehow avoid, but the genie is out of the bottle," says Gupta. "Security is the one thing that will slow down adoption and prevent companies from harnessing the power of cloud. And if they do not address it, they will continue to be hurt from inappropriate use of cloud services."
Irrespective of what's happening in the news about security breaches, cloud is important to business. Gupta argues CIOs have an obligation to enable employees and business to leverage cloud and stay relevant in the market. To do so properly, they need to better understand the exposure.
Unexpected Services & Risks
There are three main categories of cloud services that unexpectedly drive up a firm's exposure: storage, backup, and tracking.
Cloud storage services, such as DropBox and Hightail, are frequently blocked on existing infrastructure over security concerns. "What we find is that [employees] are just going to stop using services that are well known and using other ones that are not well known, like WeTransfer, SendSpace and RapidGator."
"In the other category, backup, the same thing happened," continues Gupta. "There's a service called Carbonite, which is actually a reasonably good service, and we showed customers that when their IT blocked it employees just started to use CloudElephant. There are similar services that employees and IT are aware of in the tracking space." Tracking apps, like AddThis and Google Analytics, are categorized as apps that track the internet user with the intent of selling more targeted ads in the browser. "So you can start to see different categories, and in each the different services employees are using and how that builds up to 646 applications."
It only takes one person to use a service for it to become a big problem. According to Gupta, while the average number of cloud services used in financial services is 548, the average number of high-risk applications in use is currently 98. Examples of high-risk attributes include an application that gives the user the ability to use it anonymously, and terms and conditions that say, quite literally, that any data you store with us belongs to us.
"By the way," he adds, "This discovery of cloud exposure and risk is not a one time thing. The number of services employees are using is changing with time. Last March we showed one customer their employees were using 260 services (they had approved only 40). That number was 600 by November and more recently it was 1,248. So even the number of services the employees are using is changing with time, and so are the risks."
Know Your Exposure - Discover, Analyze, Secure
Following the belief that trust in cloud security will encourage adoption, Gupta founded SkyHigh to help firms discover the extent of a service's use within the organization and potential risk to the enterprise. "We do independent and objective risk assessment of these 5,000+ service providers, so we can tell you that, hey, SendSpace is higher risk than DropBox, and for the following reasons."
Even if one employee is using an application, it is counted towards the total, but what's more interesting is the distribution of use: is it used by all of the C-suite or 52 percent of the entire organization?
Ralph Loura, CIO of Clorox, uses SkyHigh to keep track of what services employees are using to be more productive so he can be a strategic enabler. If, for example, he sees more than 10 percent of employees are using a particular cloud storage service he can find the lowest risk and enterprise-ready option and arrange an offering on track with the provider and integrated with internal services. His approach, explains Gupta, is to make it relevant or get it out of the way.
Another customer's CIO, based on SkyHigh analysis, saw that employees were using 29 different cloud storage services. "She wondered how they were possibly collaborating with each other," recalls Gupta. "Box, DropBox, OneDrive, and others. She realized Box was enterprise-ready, and standardized it across the firm. It thereby improved productivity of employees, and they were happy because instead of the CIO trying to prevent them being productive, she was helping them be more productive. Control and lower risk, it's a win for everybody."
Enterprise Ready Apps: A Seal of Approval
To help companies identify safe applications, SkyHigh created CloudTrust, a seal that enterprise-ready cloud services can add to their website. Evaluation is based on more than 50 attributes across data risk, user risk, device, legal and service risk in connection with the Cloud Security Alliance. Some of the approved cloud services like Adobe EchoSign, Zuora and Cisco have already added it to their website in the privacy section.
Gupta compares the seal's potential to VeriSign in the eCommerce economy, and the FICO scores on the credit economy, which both incidentally spiked shortly after their debut. "We believe this seal can have the same impact in terms of cloud economy take off."
On Wednesday morning SkyHigh announced the CloudRisk enterprise risk dashboard, which provides executives with an objective and "data-driven approach to measuring and reducing cloud risk," and "shows changes to overall CloudRisk Score over time as well as trends in user, service and data risk," according to the press release. The CloudRisk score runs from 1 to 10, with the 1-3 category deemed enterprise ready.
"The cloud holds promise and peril," says Gupta. "Enterprises really need to protect themselves."