Brian Pennington

A blog about Cyber Security & Compliance



Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:-
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:-
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

Role of the Board of Directors in Information Security and Compliance

Guest Blogger Barry Schrager.

I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance.  Here are the results: 

Background No. of Board Members No. of Companies
Finance 1,583 473
Legal 391 225
Accounting 201 165
Compliance 9 9

Add to this, in the recent speech given by Security and Exchange Commissioner Luis Aguilar at the New York Stock Exchange Conference “Cyber Risks and the Boardroom”,[ii] he emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,

Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril 

Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management. 

Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures.  Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.  This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties.  Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management

Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command stated

Military commanders must ‘own’ cyber.  Networks and cyber [should be] the commanders’ business.”  Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical [iii]

There is a definite pattern here.   It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are not present on the Boards nor the military leadership.  This lack of knowledge and background represents a risk for these companies and investors that should not exist and can be addressed.   Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and those individuals who interact with them.

If someone on the Board was knowledgeable and asked questions of the senior executives on cybersecurity and compliance then the senior management would be sure to have someone in their group who was capable of seriously addressing these issues.  This would cascade down the organization and the employees would be more focused on security and, more importantly, feel free to raise their perceived security issues up the management chain and receive appreciation for their input, and more importantly, the organization would obtain more effective cyber controls and compliance controls.

This is not just an IT problem and executives cannot just assume that this will be handled by the IT people because it usually involves budget, procedural changes that affect other departments, etc.  If the executives do not listen and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach and then they will finally provide whatever funding is requested.  This is not the way to operate.  Organizations and people will be hurt.  

Barry Schrager 

Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972.  The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources.  When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable.  So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States.  When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret.  Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor. 

In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley. 

Barry’s experience covers everything from software designer/developer to executive management to consulting services. 

Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame. 

Barry’s contact information is: / (970) 479-9377 




Create a free website or blog at

Up ↑

%d bloggers like this: