Dark Reading is part of the Informa Tech Division of Informa PLC


'Shadow' Cloud Services Rampant In Government Networks

Survey finds public sector employees use unmanaged cloud services just as much as private employees.

Shadow cloud services pose nearly as much of a risk to government organizations as they do to private sector companies.

Skyhigh Networks recently conducted a study of cloud services usage among 200,000 employees at public sector organizations in the U.S. and Canada. The study found that on average, there are some 721 cloud services running inside government organizations at any time, only 61 of which IT is actually aware of. In other words, there are about 10 times as many shadow cloud services being used by public sector employees at work as are being managed by the IT group.

The numbers show just how rampant the shadow cloud problem is in government networks that, in theory at least, should be better locked down than private sector networks, says Rajiv Gupta, CEO of Skyhigh.

“Government organizations tend to think of themselves as somehow different,” from private companies on the security front, Gupta says. “What we found is there is as much risk of shadow IT in government as any other organization. People are people. They want to do things more efficiently.” In many cases, cloud services help them do that, with or without the IT organization’s help, he says.

The Skyhigh report follows a similar study by CipherCloud, which showed that a staggering 86 percent of cloud services consumed by employees at private companies were unsanctioned by IT. An earlier report by Frost & Sullivan on behalf of McAfee found that even when cloud services are formally purchased by business groups, there’s a good chance that at least 35 percent of the purchases will happen without any IT oversight.

Shadow, or unmanaged, cloud usage by employees can pose a major security problem for organizations. Many security analysts have warned about how the growing use of consumer-oriented, cloud-hosted collaboration, file sharing, storage and social media services can expose companies to inadvertent data leaks, data exfiltration campaigns, malware threats and compliance problems.

For example, when cloud security provider Elastica ran an analysis on some 100 million files being shared and stored on cloud services by employees, it found that more than 20 percent were sensitive and confidential data -- including personally identifiable information and financial data. Gupta said that Skyhigh’s analysis of cloud service usage among public sector employees showed the most popular categories to be collaboration, file sharing, content sharing and software development related sites.

Microsoft’s Office 365, Yammer and Hotmail were among the most popular collaboration services used by public sector employees, followed by services like Webex and online presentation platform Prezi. The most commonly accessed file-sharing services included Dropbox, Box, Hightail and Google Drive, while the most popular social media services included Facebook, Twitter, LiveJournal and LinkedIn. Meanwhile, services like GitHub and SourceForge were among the more popular development services being accessed by government employees.

In many cases, the use of these services was approved by IT, while in many other cases they were not, Gupta said.

What was interesting is the apparent gap that exists between the perceived use of such services within public sector organizations and actual use. For instance, when IT managers were asked to estimate Dropbox use within their organizations, the average number tended to be around 16 percent. Actual use was much higher at 80 percent. Similarly, the gap between perceived and actual use of Apple’s iCloud was a remarkable 42 percent.

Such numbers illustrate that government IT groups have little idea of cloud service usage by employees, Gupta said. Often, cloud policies are based on incomplete information and tend to be either overly restrictive or too permissive.

“This really is an example of ‘what you don’t know can hurt you,’” Gupta says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Charlie Babcock,
User Rank: Ninja
2/26/2015 | 4:15:36 PM
Office 365 isn't the problem
I don't think the danger to government system intrusion comes from use of Office 365, Yammer and Hotmail. I think it comes from files being moved from government agencies across the Internet into the cloud and back again. And I'm not sure how much of 'shadow' cloud in the public sector consists of that activity.
Joe Stanganelli,
User Rank: Ninja
2/28/2015 | 9:12:10 AM
And how do you find out?
Another issue (which I recently wrote about) is the matter of what happens after there is a breach of the data in the shadow IT service?  How do you even know that your data were there?  The employee would have to self-report, but the employee might be too embarrassed -- or too fearful of retribution -- to do so.

A great piece of advice I got is to have a procedure in place for just such an occurrence and make sure employees are aware of the procedure.  Then, the employee will think, "Oh, okay, they have a procedure for it, so it must have happened before, and I probably won't be fired."

(And, of course, be judicious about firing and whatnot.  If word gets out that you fired so-and-so, don't expect much self-reporting in the future.)
User Rank: Apprentice
2/28/2015 | 9:27:57 AM
A problem is IT is behind the times
> "People are people. They want to do things more efficiently."


In my shop, it takes four weeks and many meetings to arrange for something simple such as a DB server. In the cloud, I can have a DB server set up in less than an hour. In my shop I need to spend hours creating justification for the storage needed, set up meetings with all groups that may or may not be interested in the space consumed, wait for everyone to sign off, discover problems with specific groups and find a solution to get their signature. In the cloud, all I need is a charge card. In my shop the cost of setting up a DB is about 20 times more than the cost of that DB in the cloud. This is why people use the cloud.


If IT want to stop Shadow Cloud, they need to become more like the cloud and offer cheap, fast services.
Grant C,
User Rank: Apprentice
3/1/2015 | 9:23:33 AM
Storm Cloud!
I might coin it the Storm Cloud! Detecting and containing north/south and east/west bound data in the cloud - especially the one-off SaaS solutions - is tricky at best, it seems. Not to mention auditing identities, access etc. for SaaS solutions. I'm talking about the smaller, less mature SaaS solutions that are coming out of the woodwork, that could be undetected before it's too late. It's an interesting challenge.