Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/26/2015
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

'Shadow' Cloud Services Rampant In Government Networks

Survey finds public sector employees use unmanaged cloud services just as much as private employees.

Shadow cloud services pose nearly as much of a risk to government organizations as they do to private sector companies.

Skyhigh Networks recently conducted a study of cloud services usage among 200,000 employees at public sector organizations in the U.S and Canada. The study found that on average, there are some 721 cloud services running inside government organizations at any time, only 61 of which IT is actually aware about. In other words, there are about 10 times as many shadow cloud services being used by public sector employees at work than are being managed by the IT group.

The numbers show just how rampant the shadow cloud problem is in government networks that, in theory at least, should be better locked down than private sector networks, says Rajiv Gupta, CEO of Skyhigh.

“Government organizations tend to think of themselves as somehow different,” from private companies on the security front, Gupta says.  “What we found is there is as much risk of shadow IT in government as any other organization. People are people. They want to do things more efficiently.” In many cases, cloud services help them do that, with or without the IT organization’s help, he says.

The Skyhigh report follows a similar study by CipherCloud, which showed that a staggering 86 percent of cloud services consumed by employees at private companies were unsanctioned by IT. An earlier report by Frost & Sullivan on behalf of McAfee found that even when cloud services are formally purchased by business groups, there’s a good chance that at least 35 percent of the purchases will happen without any IT oversight.

Shadow, or unmanaged, cloud usage by employees can pose a major security problem for organizations. Many security analysts have warned about how the growing use of consumer-oriented, cloud-hosted collaboration, file sharing, storage and social media services can expose companies to inadvertent data leaks, data exfiltration campaigns, malware threats and compliance problems.

For example, when cloud security provider Elastica ran an analysis on some 100 million files being shared and stored on cloud services by employees, it found that more than 20 percent were sensitive and confidential data -- including personally identifiable information and financial data. Gupta said that Skyhigh’s analysis of cloud service usage among public sector employees showed the most popular categories to be collaboration, file sharing, content sharing and software development related sites.

Microsoft’s Office 365, Yammer and Hotmail were among the most popular collaboration services used by public sector employees, followed by services like Webex and online presentation platform Prezi. The most commonly accessed file-sharing services included Dropbox, Box, Hightail and Google Drive, while the most popular social media services included Facebook, Twitter, LiveJournal and LinkedIn. Meanwhile, services like GitHub and SourceForge were among the more popular development services being accessed by government employees

In many cases, the use of these services was approved by IT, while in many other cases they were not, Gupta said.

What was interesting is the apparent gap that exists between the perceived use of such services within public sector organizations and actual use. For instance, when IT managers were asked to estimate DropBox use within their organizations, the average number tended to be around 16 percent. Actual use was much higher at 80 percent. Similarly, the gap between perceived and actual use of Apple’s iCloud was a remarkable 42 percent.

Such numbers illustrate that government IT groups have little idea of cloud service usage by employees, Gupta said. Often, cloud policies are based on incomplete information and tend to be either overly restrictive or too permissive.

“This really is an example of ‘what you don’t know can hurt you,’” Gupta says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Grant C
50%
50%
Grant C,
User Rank: Apprentice
3/1/2015 | 9:23:33 AM
Storm Cloud!
I might coin it the Storm Cloud!  Detecting and containing north/south and east/west bound data in the cloud - especially the one off SaaS sloutions - is tricky at best is seems.  Not to mention auditing identities, access etc. for a SaaS solutions.  I'm talking about the smaller, less mature SaaS solutions that are coming out of the woodwork, that could be undetected before its too late.  Its an interesting challenge.
RwG524
50%
50%
RwG524,
User Rank: Apprentice
2/28/2015 | 9:27:57 AM
A problem is IT is behind the times
> People are people. They want to do things more efficiently."

 

In my shop, it takes four weeks and many meetings to arrange for something simple such as a DB server.  In the cloud, I can have a DB server set up in less than an hour. In my shop I need to spend hours creating justification for the storage needed, set up meetings with all groups that may or may not be interested in the space consumed, wait for everyone to sign off, discover problems with specific groups and find a solution to get their signature.  In the cloud, all I need a charge card.  In my shop the cost of setting up a DB is about 20 times more than the cost of that DB in the cloud. This is why people use the cloud. 

 

If IT want to stop Shadow CLoud, they need to becomre more like the cloud and offer cheap, fast services.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/28/2015 | 9:12:10 AM
And how do you find out?
Another issue (which I recently wrote about) is the matter of what happens after there is a breach of the data in the shadow IT service?  How do you even know that your data were there?  The employee would have to self-report, but the employee might be too embarrassed -- or too fearful of retribution -- to do so.

A great piece of advice I got is to have a procedure in place for just such an occurrence and make sure employees are aware of the procedure.  Then, the employee will think, "Oh, okay, they have a procedure for it, so it must have happened before, and I probably won't be fired."

(And, of course, be judicious about firing and whatnot.  If word gets out that you fired so-and-so, don't expect much self-reporting in the future.)
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
2/26/2015 | 4:15:36 PM
Office 365 isn't the problem
I don't think the danger to government system intrusion comes from use of Office 365, Yammer and Hotmail. I think it comes from files being moved from government agencies across the Internet into the cloud and back again. And I'm not sure how much of 'shadow' cloud in the public sector consists of that activity.
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26250
PUBLISHED: 2020-12-01
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by ...
CVE-2020-28576
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.
CVE-2020-28577
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal server hostname and db names.
CVE-2020-28582
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal number of managed agents.
CVE-2020-28583
PUBLISHED: 2020-12-01
An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.