Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Connect Directly

'Shadow' Cloud Services Rampant In Government Networks

Survey finds public sector employees use unmanaged cloud services just as much as private employees.

Shadow cloud services pose nearly as much of a risk to government organizations as they do to private sector companies.

Skyhigh Networks recently conducted a study of cloud services usage among 200,000 employees at public sector organizations in the U.S and Canada. The study found that on average, there are some 721 cloud services running inside government organizations at any time, only 61 of which IT is actually aware about. In other words, there are about 10 times as many shadow cloud services being used by public sector employees at work than are being managed by the IT group.

The numbers show just how rampant the shadow cloud problem is in government networks that, in theory at least, should be better locked down than private sector networks, says Rajiv Gupta, CEO of Skyhigh.

“Government organizations tend to think of themselves as somehow different,” from private companies on the security front, Gupta says.  “What we found is there is as much risk of shadow IT in government as any other organization. People are people. They want to do things more efficiently.” In many cases, cloud services help them do that, with or without the IT organization’s help, he says.

The Skyhigh report follows a similar study by CipherCloud, which showed that a staggering 86 percent of cloud services consumed by employees at private companies were unsanctioned by IT. An earlier report by Frost & Sullivan on behalf of McAfee found that even when cloud services are formally purchased by business groups, there’s a good chance that at least 35 percent of the purchases will happen without any IT oversight.

Shadow, or unmanaged, cloud usage by employees can pose a major security problem for organizations. Many security analysts have warned about how the growing use of consumer-oriented, cloud-hosted collaboration, file sharing, storage and social media services can expose companies to inadvertent data leaks, data exfiltration campaigns, malware threats and compliance problems.

For example, when cloud security provider Elastica ran an analysis on some 100 million files being shared and stored on cloud services by employees, it found that more than 20 percent were sensitive and confidential data -- including personally identifiable information and financial data. Gupta said that Skyhigh’s analysis of cloud service usage among public sector employees showed the most popular categories to be collaboration, file sharing, content sharing and software development related sites.

Microsoft’s Office 365, Yammer and Hotmail were among the most popular collaboration services used by public sector employees, followed by services like Webex and online presentation platform Prezi. The most commonly accessed file-sharing services included Dropbox, Box, Hightail and Google Drive, while the most popular social media services included Facebook, Twitter, LiveJournal and LinkedIn. Meanwhile, services like GitHub and SourceForge were among the more popular development services being accessed by government employees

In many cases, the use of these services was approved by IT, while in many other cases they were not, Gupta said.

What was interesting is the apparent gap that exists between the perceived use of such services within public sector organizations and actual use. For instance, when IT managers were asked to estimate DropBox use within their organizations, the average number tended to be around 16 percent. Actual use was much higher at 80 percent. Similarly, the gap between perceived and actual use of Apple’s iCloud was a remarkable 42 percent.

Such numbers illustrate that government IT groups have little idea of cloud service usage by employees, Gupta said. Often, cloud policies are based on incomplete information and tend to be either overly restrictive or too permissive.

“This really is an example of ‘what you don’t know can hurt you,’” Gupta says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Grant C
Grant C,
User Rank: Apprentice
3/1/2015 | 9:23:33 AM
Storm Cloud!
I might coin it the Storm Cloud!  Detecting and containing north/south and east/west bound data in the cloud - especially the one off SaaS sloutions - is tricky at best is seems.  Not to mention auditing identities, access etc. for a SaaS solutions.  I'm talking about the smaller, less mature SaaS solutions that are coming out of the woodwork, that could be undetected before its too late.  Its an interesting challenge.
User Rank: Apprentice
2/28/2015 | 9:27:57 AM
A problem is IT is behind the times
> People are people. They want to do things more efficiently."


In my shop, it takes four weeks and many meetings to arrange for something simple such as a DB server.  In the cloud, I can have a DB server set up in less than an hour. In my shop I need to spend hours creating justification for the storage needed, set up meetings with all groups that may or may not be interested in the space consumed, wait for everyone to sign off, discover problems with specific groups and find a solution to get their signature.  In the cloud, all I need a charge card.  In my shop the cost of setting up a DB is about 20 times more than the cost of that DB in the cloud. This is why people use the cloud. 


If IT want to stop Shadow CLoud, they need to becomre more like the cloud and offer cheap, fast services.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
2/28/2015 | 9:12:10 AM
And how do you find out?
Another issue (which I recently wrote about) is the matter of what happens after there is a breach of the data in the shadow IT service?  How do you even know that your data were there?  The employee would have to self-report, but the employee might be too embarrassed -- or too fearful of retribution -- to do so.

A great piece of advice I got is to have a procedure in place for just such an occurrence and make sure employees are aware of the procedure.  Then, the employee will think, "Oh, okay, they have a procedure for it, so it must have happened before, and I probably won't be fired."

(And, of course, be judicious about firing and whatnot.  If word gets out that you fired so-and-so, don't expect much self-reporting in the future.)
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
2/26/2015 | 4:15:36 PM
Office 365 isn't the problem
I don't think the danger to government system intrusion comes from use of Office 365, Yammer and Hotmail. I think it comes from files being moved from government agencies across the Internet into the cloud and back again. And I'm not sure how much of 'shadow' cloud in the public sector consists of that activity.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.