Enterprises are still overwhelmingly using medium and high-risk cloud services en masse
Data from Skyhigh’s latest cloud adoption and risk report in Europe, which collates data from 1.4 million users, suggests cloud adoption has clearly accelerated rapidly this year, but less than one in ten cloud services used in enterprises today are considered low-risk. Kamal Shah, Skyhigh’s vice president of products and Nigel Hawthorn, Skyhigh’s marketing director for EMEA told BCN that while enterprises are embracing cloud services of questionable data security and privacy standards, the fastest growing cloud services today are less risky in this regard.
The massive growth in the average number of cloud services used by enterprises in Europe, from 588 in Q1 to 724 in Q3 (just below the global average of 831), an increase of 23 per cent, is telling, and shows that adoption of cloud services is pervasive and growing. The average company in Europe now uses 37 different file sharing services and 125 collaboration services.
But much of this, according to Skyhigh, happens unbeknownst to IT. The company said 76 per cent of IT pros it surveyed didn’t know the scope of shadow IT occurring within their companies.
“This speaks to the fact that the IT organisation needs to understand what is being used internally in order to both secure the services being used, and to understand how they can better provide those services to internal users,” Shah said. “It’s also about cost savings and efficiency – how are employees supposed to collaborate and share content effectively when they use so many different services?”
Unfortunately, the mix of cloud services being used by enterprises in Europe today still overwhelmingly favours what the company considers to be medium or high-risk services. Skyhigh measures each cloud service it comes across against a myriad of factors – do they encrypt data at rest? Do they allow users to sign in with their enterprise identity? Who owns the IP? What happens to a user’s data when they close their account? – to determine the level of risk – low, medium or high – associated with each.
Of all the cloud services being used, only 9.5 per cent of all services were low-risk or enterprise-grade services, around the same proportion found in the previous quarter.
“We’re adding a hundred or more services to our list every week, so with more than 8,000 we can see that if the ratio of low-risk to medium and high-risk services in use is staying the same, the number of risky services is increasing, which is particularly worrying,” Hawthorn said.
While European enterprises are still using a fairly high percentage of risky cloud services, data on the fastest growing services today seems to suggest that providers are getting better at mitigating that risk. Of the ten fastest growing cloud applications out there, four are enterprise-grade – meaning they satisfy the most stringent requirements for data protection, identity verification, service security, business practice and legal protection. This exceeds the industry average of 9.5 per cent.
Still, it may be some time before these providers become embedded within the enterprise. According to the latest report 80 per cent of European corporate data in the cloud today goes to just 15 cloud services (Office 365, Salesforce, Gmail, and Dropbox are the top four), with the remaining 20 per cent going to services Hawthorn said most are not even aware of.
“What enterprises need to worry about is, where is the 20 per cent of that data going? And what can they do to mitigate that risk?,” Hawthorn said. “Enterprises think they have policies to handle these major services, but of course it’s everything else, the long tail. And with people running over 700 services on average, you’ve got 700 or more that you can’t necessarily know or worry about.”
There are two ways to look at the 80/20 ratio here. While the long tail Hawthorn pointed out is worrying, it’s equally clear that 80 per cent of data sitting with just 15 cloud providers creates a situation in which great responsibility to secure and protect data lies with so few. A great deal of data could be compromised by cracking just a handful of these 15 providers.
Three quarters of the cloud services enterprises are using today also store data that is not in the EU, or hosted in countries with equivalent privacy laws, or kept in the US with organisations that have signed up to the Safe Harbour agreement, which is also worrying.
“They are certainly making good progress on developing security capabilities, but enterprises are moving away from blocking services and becoming more permissive, placing more trust in their employees to handle data in the correct way. And that means enterprise users need to be educated,” Shah said.