Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.
The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.
As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations
Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.
Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.
Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.
The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.
Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.
The report also reveals the top cloud services used in the public sector.
Top ten enterprise cloud services are:-
1. Microsoft Office 365
3. Cisco WebEx
5. SAP ERP
9. Oracle Taleo
10. SharePoint Online
Top ten consumer cloud services are:-
The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.