Companies' Cloud Risk Assessments Are Wildly Off

low-risk cloud services are blocked 40% more than high-risk services
low-risk cloud services are blocked 40% more than high-risk services

According to Skyhigh Networks’ Cloud Adoption and Risk Report, 2,204 cloud services are in use across three million users in the financial services, healthcare, high tech, manufacturing, media and services industries. But security isn’t being applied in a commonsense way: low-risk services are blocked 40% more than high-risk services. For instance, GitHub is blocked 21% of the time but Codehaus, a high-risk service, is blocked only 1% of the time.

At 9%, tracking is the least blocked cloud service category despite the fact that it exposes organizations to watering hole attacks. And, allowing tracking offers no business benefit.

In contrast, the most-blocked services are usually consumer services that bosses just don’t want their employees using at work. The top 10 blocked services in use are Netflix, Foursquare, Apple iCloud, Gmail, Skype, Amazon Web Services, Batanga Radio, Dropbox, KISSmetrics, and PhotoBucket. With the exceptions of Skype, Amazon, KISSmetrics and Dropbox, none of these could be considered business cloud services.

In other words, corporate security measures are based on concerns related to productivity and bandwidth, or on familiarity with the service, as opposed to the actual risk of the services.

“Our cloud usage analytics suggest that enterprises are taking action on the popular cloud services they know of and not on the cloud services that pose the greatest risk to their organization. Lack of visibility into the use and risk seem to be crux of the problem,” said Rajiv Gupta, founder and CEO at Skyhigh Networks, in a statement.

That’s not to say that employees aren’t using all kinds of web-based fare: a staggering 545 cloud services are in use by an organization on average, the study found, with the highest number of cloud services is use clocking in at 1,769.

Skyhigh noted that amid the uptake, the shift to open-source cloud-based code repositories presents specific security challenges, as some sites are known to host malicious backdoors. The top 10 development services in use are MSDN, GitHub, SourceForge, Atlassian OnDemand, Apple Developer, Zend Server, HortonWorks Data Platform, CollabNet,, Apache Maven and CodeHaus.

Then there are file-sharing services: 19 file-sharing cloud services are used by an organization on average, which facilitates collaboration and increases security and compliance risks.

“File-sharing is widely used and the most misunderstood category by IT professionals,” the study noted.
Again, IT is blocking the wrong things. The top 10 file sharing services in use are Dropbox, Google Drive, SkyDrive, Box, Hightail, CloudApp, Sharefile, Rapidgator, Zippyshare and Uploaded. Box, the lowest risk file sharing service, is blocked 35% of the time, but Rapidgator, a high-risk service, is blocked only 1% of the time.

It should be noted that Microsoft is popular here: The third-most widely used file sharing cloud service is SkyDrive, and the software giant dominates in collaboration. The top 10 collaboration services in use are Office 365, Cisco WebEx, Gmail, Google Apps, Skype, Yahoo! Mail, AOL, Slideshare, Evernote and Yammer.

Overall, the picture that emerges is one of willy-nilly application of cloud service policies that seem to have no match too actual risk. “What we are seeing from this report is that there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services,” said Gupta.

What’s hot on Infosecurity Magazine?