Brian Pennington

A blog about Cyber Security & Compliance



Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:-
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:-
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

Customers are demanding suppliers prove their security credentials

IT Governance surveyed 260 board level individuals across a variety of industries and countries to establish perceptions and knowledge of their organisations IT Security position.

The findings of the survey are below:

Do you believe the greatest threat to your company’s data and IT systems results from:

  • Criminals           26.9%
  • Competitors      7.7%    
  • State -sponsored cyber-attacks 11.9%
  • Your own employees     53.5%

Has your business received a concerted cyber-attack in the past 12 months?

  • Yes      25%
  • No        54.2%
  • Do not know     20.8%

Does your organisation have any method of detecting and reporting cyber-attacks or cyber-incidents?

  • Yes      76.9%
  • No        16.5%
  • Do not know     6.5%

Do your company’s board directors receive regular reports on the status of your company’s IT security?

  • Yes      58.1%
  • No        29.6%
  • Do not know     12.3%

If yes, are these reports received:

  • Daily     4.6%
  • Weekly 10.8%
  • Monthly            32.7%
  • Annually            17.3%
  • Less than annually         34.6%

My knowledge of IT governance is adequate given today’s cyber threats.

  • Agree   69.6%
  • Disagree           30.4%

For our size of business, we are making the right level of investment in information security.

  • Agree   57.3%
  • Disagree           30.8%
  • Do not know     11.9%

I have lost sleep in the past 12 months because of worries about my company’s IT security.

  • Agree   25.8%
  • Disagree           4.2%

Do your customers prefer to deal with suppliers with proven IT security credentials?

  • Yes      74.2%
  • No        7.3%
  • Do not know     18.5%

Have any of your customers enquired about your company’s IT security measures in the past 12 months?

  • Yes      50.4%
  • No        34.6%
  • Do not know     15%

Do you know what ISO 27001 is?

  • Yes      87.3%
  • No        9.2%
  • Unsure  3.5%

Is your business compliant with ISO 27001?

  • Yes      34.6%
  • No        45.8%
  • Unsure  19.6%

The survey can be found here.

Blog at

Up ↑

%d bloggers like this: