Cloud Governance Fails Could Trigger Privacy Compliance Issues: Report

On average, an enterprise now uses 1,427 cloud services. Seventy-one percent of these are enterprise services, with the remainder being consumer services. The average employee actively uses 36 cloud services, including nine collaboration services, six file sharing services, and five content sharing services (such as YouTube).

These figures come from an analysis of 30 million cloud users of the Skyhigh Networks Cloud Access Security Broker (CASB). It shows that sensitive data is increasingly being stored in cloud applications. Furthermore, a large amount of sensitive data is being uploaded to file sharing and collaboration services; and 18.1% of such files contain sensitive data.

Confidential data, such as financial records, and source code accounts for 4.4% of this. Payment information, such as card numbers and bank account numbers, accounts for 2.3%. A further 1.6% includes PHI, such as diagnoses, treatments, and medical record IDs.

[Figure: Cloud Services Usage and Security]

Although enterprises are attempting to control their use of cloud apps, this has clearly not yet been achieved. Skyhigh uses the term 'cloud enforcement gap' to indicate the difference between what the enterprise thinks it blocks, and what it actually blocks. For example, while enterprises believe they block 36% of Gmail, they actually block only 4.9%; while they believe they block 43.7% of Instagram, they actually block just 6.4%. While this enforcement gap varies between different cloud services, it is nevertheless consistent across leading sharing apps.

With privacy laws getting more stringent -- especially those in Europe that apply to all companies in or trading with Europe -- the potential for compliance failures is obvious. Sensitive data is being stored in the cloud services that were designed for sharing and collaboration, and enterprise blocks on cloud services are not uniformly effective.

A de facto governance policy is emerging with enterprises classifying cloud apps as approved services, permitted services, and not allowed services. In reality, this is ineffective. Skyhigh's figures show that only 5.4% of cloud services being used within enterprises are actually approved services. The vast majority are 'permitted' (63.3%); but almost one-third (31.3%) of cloud apps in use are specifically not allowed under enterprise governance rules.
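The enforcement gap and the approved/permitted/not-allowed breakdown above can both be measured from an organization's own proxy or CASB logs. The following is an added illustration, not code from Skyhigh or the report: the policy table, the service names and the log lines are constructed samples, and the "user service verdict" log format is an assumption.

```python
"""Measure the cloud enforcement gap and governance-category share from sample logs."""
from collections import Counter, defaultdict

# Constructed governance policy: service -> (category, intended block rate).
# Categories follow the de facto scheme described above.
POLICY = {
    "mail.google.com": ("not_allowed", 1.0),
    "instagram.com": ("not_allowed", 1.0),
    "files.corp.example": ("approved", 0.0),   # hypothetical sanctioned file service
    "wetransfer.com": ("permitted", 0.0),
}

# Constructed sample log lines in an assumed "<user> <service> <verdict>" format.
SAMPLE_LOG = """\
alice mail.google.com BLOCK
bob mail.google.com ALLOW
carol mail.google.com ALLOW
dave mail.google.com ALLOW
alice instagram.com ALLOW
bob instagram.com ALLOW
erin instagram.com BLOCK
bob files.corp.example ALLOW
carol wetransfer.com ALLOW
"""


def parse_log(text):
    """Return a list of (user, service, was_blocked) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            user, service, verdict = line.split()
            events.append((user, service, verdict == "BLOCK"))
    return events


def enforcement_gap(policy, events):
    """Per service: (category, intended block rate, actual block rate, gap)."""
    tally = defaultdict(lambda: [0, 0])  # service -> [requests, blocked]
    for _, service, blocked in events:
        tally[service][0] += 1
        tally[service][1] += int(blocked)
    report = {}
    for service, (total, blocked) in tally.items():
        category, intended = policy.get(service, ("unknown", 0.0))
        actual = round(blocked / total, 3)
        report[service] = (category, intended, actual, round(intended - actual, 3))
    return report


def category_share(policy, events):
    """Share of distinct services in use that fall in each governance category."""
    services = {service for _, service, _ in events}
    counts = Counter(policy.get(s, ("unknown", 0.0))[0] for s in services)
    return {cat: counts[cat] / len(services) for cat in counts}
```

A gap close to 1.0 for a not-allowed service means the control exists on paper but almost never fires, which is the pattern the report describes for Gmail and Instagram.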

Key to most privacy regulations is the ability to secure personal information. In reality, many enterprises are failing to keep sensitive data out of cloud sharing apps and are consequently losing visibility over the location of that data. This will be particularly problematic for conformance with Europe's GDPR, which requires that personal data be removed on demand (the so-called 'right to be forgotten'). In some cases, even if the enterprise knows where the data is stored, it might still be unable to remove it. A massive 69.7% of cloud services do not specify whether the enterprise retains ownership of uploaded data, and fewer than 10 percent (8.7 percent) commit to not sharing data with third parties. Only 16% will delete data immediately after contract termination -- which could also be problematic if other copies are unavailable.

Adoption of cloud services cannot be prevented. Instead it should be controlled. "IT should not be a department that simply says 'no', but instead one that knows how to proactively push employees towards safe and trusted cloud services," comments Skyhigh's European spokesperson Nigel Hawthorn. This is difficult simply because of the sheer volume of available cloud services.

Auditing vendors is traditionally at least partly down to the security team. In the past this has been done via questionnaires and trusting the veracity of the vendor. Assuming that each vendor must be reassessed every three years, and that 1500 vendors are checked, that requires approximately 2 questionnaires to be produced and analyzed every working day of the three years. This is not feasible -- and is one of the reasons for enterprises to adopt CASBs for their cloud governance.

"We have some customers," commented Hawthorn, "who claim that one of our major benefits is the reduction in time and effort to audit cloud providers. Our registry reports on cloud services in around 60 different directions; that is, 60 different attributes that organizations can use to review their cloud providers. These range from technical (encryption at rest, ability to integrate with AD); to legal (who owns the intellectual property, which country's legal system controls the contract); to business and security attributes and so on."

In reality, the surprising (and sometimes shocking) figures from the latest Skyhigh Cloud Adoption & Risk Report (PDF) are likely to be worse outside of Skyhigh's own customers. All of these figures come from an analysis of customers' cloud traffic. By definition, these enterprises are taking technological steps to control their cloud usage. It would be reasonable to assume that enterprises not using a CASB would have even less control over their cloud usage. Skyhigh's customers, however, know about the issues and have the opportunity to mitigate them.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.