Companies' Cloud Risk Assessments Are Wildly Off

26 September 2013

Even as headlines focus on the security of one’s internet-based cloud communications, at least one study shows that organizations lack the information to understand and mitigate the broader set of risks posed by the use of cloud services. In fact, their assumptions about which services are risky to use tend to be significantly off.

According to Skyhigh Networks’ Cloud Adoption and Risk Report, 2,204 cloud services are in use across three million users in the financial services, healthcare, high tech, manufacturing, media and services industries. But security isn’t being applied in a commonsense way: low-risk services are blocked 40% more than high-risk services. For instance, GitHub is blocked 21% of the time but Codehaus, a high-risk service, is blocked only 1% of the time.

At 9%, tracking is the least blocked cloud service category despite the fact that it exposes organizations to watering hole attacks. And, allowing tracking offers no business benefit.

In contrast, the most-blocked services are usually consumer services that bosses just don’t want their employees using at work. The top 10 blocked services in use are Netflix, Foursquare, Apple iCloud, Gmail, Skype, Amazon Web Services, Batanga Radio, Dropbox, KISSmetrics, and PhotoBucket. With the exceptions of Skype, Amazon, KISSmetrics and Dropbox, none of these could be considered business cloud services.

In other words, corporate security measures are based on concerns related to productivity and bandwidth, or on familiarity with the service, as opposed to the actual risk of the services.

“Our cloud usage analytics suggest that enterprises are taking action on the popular cloud services they know of and not on the cloud services that pose the greatest risk to their organization. Lack of visibility into the use and risk seem to be crux of the problem,” said Rajiv Gupta, founder and CEO at Skyhigh Networks, in a statement.

That’s not to say that employees aren’t using all kinds of web-based fare: a staggering 545 cloud services are in use by an organization on average, the study found, with the highest number of cloud services in use clocking in at 1,769.

Skyhigh noted that amid the uptake, the shift to open-source cloud-based code repositories presents specific security challenges, as some sites are known to host malicious backdoors. The top 10 development services in use are MSDN, GitHub, SourceForge, Atlassian OnDemand, Apple Developer, Zend Server, HortonWorks Data Platform, CollabNet, Force.com, Apache Maven and CodeHaus.

Then there are file-sharing services: 19 file-sharing cloud services are used by an organization on average, which facilitates collaboration and increases security and compliance risks.

“File-sharing is widely used and the most misunderstood category by IT professionals,” the study noted.

Again, IT is blocking the wrong things. The top 10 file sharing services in use are Dropbox, Google Drive, SkyDrive, Box, Hightail, CloudApp, Sharefile, Rapidgator, Zippyshare and Uploaded. Box, the lowest risk file sharing service, is blocked 35% of the time, but Rapidgator, a high-risk service, is blocked only 1% of the time.

It should be noted that Microsoft is popular here: The third-most widely used file sharing cloud service is SkyDrive, and the software giant dominates in collaboration. The top 10 collaboration services in use are Office 365, Cisco WebEx, Gmail, Google Apps, Skype, Yahoo! Mail, AOL, Slideshare, Evernote and Yammer.

Overall, the picture that emerges is one of willy-nilly application of cloud service policies that seem to have no match to actual risk. “What we are seeing from this report is that there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services,” said Gupta.
