
Cloud adoption and risk report Europe q1 2015

Date post: 14-Aug-2015
Upload: prayukth-k-v
CLOUD ADOPTION & RISK IN EUROPE REPORT Q2 2015 Published Q3 2015
Transcript

Cloud Adoption and Risk in Europe Report – Q2 2015

TABLE OF CONTENTS

INTRODUCTION
OVERVIEW OF CLOUD ADOPTION
INSIDER THREATS IN THE CLOUD
COMPROMISED CREDENTIALS
MULTI-FACTOR AUTHENTICATION
THERE’S NO TYPICAL USER
HEAD IN THE CLOUDS
SAFE STORAGE FOR EUROPEAN DATA
THE CLOUD NEVER SLEEPS
THE TOP CLOUD SERVICES


INTRODUCTION

[1] http://www.cio.com/article/2929806/cloud-computing/the-cloud-s-game-changer-is-competitive-advantage.html
[2] http://www.businesscloudnews.com/2015/05/12/cloud-adoption-nudges-past-80-per-cent-in-the-uk-survey/
[3] http://www.bitkom.org/de/presse/81149_80724.aspx
[4] http://computersweden.idg.se/���������������/svenska-foretag-inte-radda-for-att-flytta-over-till-molnet
[5] http://www.v3.co.uk/v3-uk/news/2405608/g-cloud-sales-pass-gbp550m-mark
[6] http://www.businesscloudnews.com/����/��/��/iso-�����-and-protecting-personal-information-in-the-cloud-a-first-year-scorecard/
[7] https://www.skyhighnetworks.com/cloud-security-blog/gartner-companies-spend-just-3-8-of-cloud-budgets-on-security

“The biggest impact of the cloud is the ability to accelerate the rate of innovation for the business,” says Frank Gens, senior vice president and chief analyst at IDC [1]. This is as true in Europe as anywhere else in the world.

Cloud computing continues to grow in Europe, with a recent survey [2] of UK-based IT decision-makers showing that 84% are using cloud services today and most expect cloud adoption to continue to grow. The German IT association BITKOM quoted growth in enterprise cloud of 46% to 6.4B Euros in the last year [3], and in Sweden currently 64% of enterprise data is hosted in the cloud with an expectation that this will grow to 93% within two years [4]. This is not just a business phenomenon either, with the UK government G-Cloud platform showing sales of over £500M by March 2015 [5].

Given the focus on winning enterprises as customers, cloud service providers (CSPs) are increasing their investments to support industry security standards. At Skyhigh, we believe this is important for enterprises to securely embrace the cloud. However, only 2.8% of the CSPs in our global cloud registry have achieved ISO 27001 compliance, and so far only two vendors (Microsoft and Dropbox) have announced that they have achieved the relatively new ISO 27018 code of practice for personal data protection in public clouds. With the daily arrival of new services that lack proper certifications, the overall percentage of CSPs with ISO certification is declining.

European regulators are also taking ever-stronger attitudes to data loss and, unfortunately, cloud is one of the possible conduits for data exfiltration. Our data shows that on initial review, IT is generally aware of less than 10% of the services in use inside their organisations, and Gartner reports that companies spend just 3.8% of their cloud budget on security [7].


To better understand these trends and the risks in cloud adoption, Skyhigh publishes this Cloud Adoption & Risk in Europe report.

What makes this report unique is that it’s based on actual usage data for over 2.5 million employees in European organizations, rather than surveys that ask people to self-report their behavior. In this quarter’s report, we explore insider threats within these organizations and expose a worldwide black market of stolen login credentials that cyber criminals use to gain access to sensitive information in cloud services. We also detail the Top 20 enterprise and consumer cloud services in Europe, the top cloud services used to connect with partners, and how prolific one employee can be in terms of cloud usage and high-risk behavior.


OVERVIEW OF CLOUD ADOPTION

The average European organization uses 987 cloud services, an impressive growth of 61% over the same quarter a year ago, casting aside doubt that cloud use is mainstream throughout Europe. Another way of looking at this is that the average company is adding more than one new cloud service per day, reminding us that this is a rapidly changing market and the IT department needs constant updates to be able to manage both shadow and sanctioned cloud adoption. The average European organization uploads 12.3 TB to the cloud each month, an amount equal to around 7.6 million copies of War and Peace in digital form (at 1.7 MB per copy).

When employees bring cloud services into the work environment for increased productivity and efficiency without the knowledge or approval of IT, they may not realize the risk they’re introducing to the organization. Just 7.0% of cloud services meet enterprise security and compliance requirements, as rated by Skyhigh’s CloudTrust Program. Only 15.4% support multi-factor authentication, 2.8% have ISO 27001 certification, and 9.4% encrypt data stored at rest. Considering how much data European organizations upload to the cloud each month without proper controls, this data could be at risk for exfiltration.

[Figure: Average number of cloud services in use by European organizations, by quarter, 2014 Q1 to 2015 Q2. 2015 Q2: 987.]


If you find an average of 987 services in use surprising and you believe that your organization uses far fewer services, it is worth noting that the minimum number of services we have seen in Europe is 507, from a company with fewer than 200 employees, while the highest number of services we have seen in Europe is greater than 3,000.

Of the 987 cloud services in use by the average European organization, the most popular category is collaboration with 226 cloud services. This category includes services such as Microsoft Office 365, Gmail, and Evernote. Collaboration services are followed by development with 80 services per organization (e.g. SourceForge, GitHub, etc.), content sharing with 54 services (e.g. YouTube, LiveLeak, etc.), social media with 49 services (Facebook, Twitter, etc.), and file sharing with 38 services (Dropbox, Google Drive, etc.).

The average organization in Europe uses many cloud services in each category

Business intelligence: 21
Collaboration: 226
Content sharing: 54
Development: 80
File sharing: 38
Social media: 49
Tracking: 34


INSIDER THREATS IN THE CLOUD

A cloud service may be secure, but employees can still use it in risky ways. While Edward Snowden is the most well-known example of an insider threat, most insider threat incidents are quiet and may not be uncovered by the company at the time, if at all. Consider the example of a salesperson who leaves a company, knowingly or unknowingly, with customer contact information when he or she decides to change employers. In many cases, the organization has no easy way to detect this type of behavior.

We surveyed organizations in partnership with the Cloud Security Alliance and found that just 18% of organizations knew of an insider threat incident in the last year. However, examining actual anomaly detection data collected across European users, we found that 87% of organizations had behavior indicative of an insider threat in the last quarter alone. While not all of these events turn out to be malicious activity, the incidence of potentially destructive behavior by employees is much higher than most European organizations realize.

[Figure: Have you had an insider threat incident? Perception: just 18% of European companies surveyed reported an insider threat incident in the last year (Yes 18%, No 63%, Not sure 19%). Reality: 87% of European companies had behavior indicative of an insider threat in the last quarter alone.]


COMPROMISED CREDENTIALS

There were more software vulnerabilities discovered and more data breaches in 2014 than any year on record. Following one of the largest breaches of the year, eBay prompted 145 million users to change their passwords after cyber criminals compromised their account credentials. With European organizations uploading significant volumes of data to the cloud, the theft of a username and password can have a significant impact. Research by Joseph Bonneau at the University of Cambridge shows that 31% of passwords are re-used in multiple places. With the average European employee using 23 different cloud services, one compromised password could give criminals access to a significant amount of data.

We found that 72.1% of European organizations have exposure to compromised credentials. While this number is lower than the overall average of 91.7% across the globe, even more concerning is that 8.5% of employees at European companies have at least one compromised credential for sale on the darknet. Anecdotally, we identified one European-headquartered company with ����� compromised credentials. Just 15.4% of cloud providers offer multi-factor authentication, which provides an additional layer of protection. Until more cloud services offer this capability, we recommend European organizations use strong, unique passwords for each cloud service and change them regularly to limit exposure to compromised credentials.

[Figure: The darknet is home to millions of compromised passwords. 72.1% of European companies have at least one employee whose credentials are compromised; 8.5% of employees at European companies have at least one credential compromised.]


MULTI-FACTOR AUTHENTICATION

The LastPass data breach, which occurred in June 2015, brought to light the importance and added benefit of cloud services supporting multi-factor authentication, requiring that you not only have to KNOW something (a name and password), but also have to HAVE something (a token or, more commonly, a pre-authenticated mobile device) to gain access to an account. Any loss of just a name and password is less of a concern, as multi-factor authentication requires that any criminal will also need to get hold of, or spoof, an additional device before accessing the compromised service.

We strongly recommend that enterprises consider multi-factor authentication as a key component of safe cloud services. Currently only 15.4% of the 12,000+ cloud services support multi-factor authentication; we hope that this will increase in time.

[Figure: Support for multi-factor authentication remains low. Supported: 15.4%. Not supported: 84.6%.]


THERE’S NO TYPICAL USER

In partnership with one of our customers, we evaluated the usage of five different, popular cloud services used by 175 users to determine whether people had the same or similar patterns of usage.

What we found is that not all users have the same patterns, and that there are 31 possible combinations for the five services to be in use. Every service had at least one person who accessed it and 25 of the 31 possible combinations were regularly in use. Our results show that it is rare for a user to only access one service and some of the users accessed all five of the services. This goes to show that you can’t assume or predict how your users will use the same services and that your cloud provision needs to be flexible in order to deliver the services your users need.

[Figure: Cloud usage is not uniform across users. Diagram of user counts for each combination of Box, Office 365, Google Drive, Dropbox, and Salesforce.]


HEAD IN THE CLOUDS

The average European employee uses 23 distinct cloud services including seven collaboration services, four file-sharing services, three social media services, and three content sharing services. What’s troubling is that each employee is tracked by, on average, four marketing analytics and advertising services. These services are used to deliver targeted ads to users across the Internet, but they are also increasingly used by cyber criminals to determine the sites employees frequent most. Armed with this information, criminals attempt to compromise these sites in order to ultimately compromise the organization in what’s known as a watering hole attack.

However, there are employees whose cloud usage is even more prolific. The most prolific cloud user across all European employees in our study uses an impressive 594 cloud services, including 101 collaboration services, 38 development services, 38 IT management services, and 22 content sharing services. While their behavior may be done with good intentions, unchecked cloud usage can also expose European organizations to risk.

[Figure: The most prolific cloud user in Europe. At work this employee uses 594 cloud services: 101 collaboration, 38 development, 31 IT management, 25 content sharing. High-risk services: 17.8% (industry average: 5.6%).]


Chances are, most of the services in use by this individual are not known by the IT department. Out of the 594 services, 106 are high-risk, compared to 5.6% across all cloud services globally. These services are often considered high-risk because they lack security controls, have onerous terms and conditions that claim ownership of uploaded data, or are hosted in high-risk countries without strong data protections. Among the high-risk services in use by this cloud collector are CodeHaus, a service that is used to store source code, DiffNow, a service used to highlight differences between 2 files, and DocumentCloud, a service used to share text documents like contracts.


SAFE STORAGE FOR EUROPEAN DATA

The European Union (EU) has taken a lead in data privacy since 1995 and every EU member country has a regime that defines data protection legislation for the country. The EU is also strengthening the existing laws with expectations of a new Data Protection Regulation being agreed upon by the end of 2015.

One of the areas covered by the existing directive and new regulation is where data on European individuals can be transferred. Except in exceptional circumstances, data on individuals should stay in Europe, the European Economic Area, within countries with “equivalent data privacy regulations” or within U.S. services that have signed up for the U.S. government’s Safe Harbor agreement.

Skyhigh’s global cloud registry tracks over 12,000 cloud services. We found that 14.3% of cloud providers store data inside the EU, 3.6% are in countries with equivalent data protection and 17.1% are U.S.-hosted and have signed up for the Safe Harbor regulations; this means that 64.9% are not safe for EU data. While the gap between European data privacy requirements and the reality of cloud services in use today is substantial, it is shrinking. In Q4 of 2014, 74.3% of services were not suitable to host EU data.

[Figure: A Safe Place for EU Personal Data. European companies are using many cloud services that do not meet data residency requirements. Hosted in the EU: 14.3%. Hosted in country with equivalent privacy: 3.6%. US hosted with Safe Harbor: 17.2%. Cloud services that should not hold EU data: 64.9%.]


THE CLOUD NEVER SLEEPS

Flexible working has probably been one of the significant changes in the last decade, balancing home life and work life to the benefit of both the employee and employer. One aspect of this is the amount of work being conducted during what would normally be considered weekends. We analyzed usage by day of the week and found European employees are most prolific in cloud usage on Fridays, while cloud usage for their American counterparts peaks on Tuesdays and declines the remainder of the week. However, weekend usage did not fully drop to zero, reminding IT departments that there may be risks happening around the clock, as risk to the organization doesn’t stop for the weekend.

[Figure: Cloud Usage by Day of Week. Percentage of cloud usage for each day of the week, Monday through Sunday.]


THE TOP CLOUD SERVICES

From the perspective of a software company, developing a cloud service is very different from software installed by the customer. The cloud has freed developers to reimagine enterprise software with delightful user experiences, innovative new features, and access from mobile devices. With faster release cycles and updates that occur immediately across all customers, cloud applications are not only more cost effective to manage, they’re often first to market with innovative features. That’s why an increasing number of European organizations are deploying the top enterprise cloud services – not because they’re the best cloud version available but because they are the best software available, period. That’s also why we wanted to look at the top services based on user count.

TOP 20 ENTERPRISE CLOUD SERVICES in Europe

1. Microsoft Office 365
2. Salesforce
3. Oracle RightNow
4. Cisco Webex
5. ServiceNow
6. Oracle Taleo
7. Box
8. Jive
9. Concur
10. Zendesk
11. Workday
12. ADP
13. SAP Human Capital Management
14. SAS OnDemand
15. SuccessFactors
16. Yammer
17. GoToMeeting
18. Blue Jeans
19. NetSuite
20t. OpenText BPM


Consumer-grade cloud services today are so good that they can easily rival enterprise software. It’s no wonder then, that employees bring cloud services to work in order to do their jobs better. However, these services can also increase organizational risk. In order to exfiltrate sensitive data undetected, cyber criminals deploy an array of sophisticated kill chains that leverage consumer cloud services. Skyhigh has detected attacks using Twitter to exfiltrate data 140 characters at a time and another that encoded stolen data into videos that were uploaded to YouTube.

TOP 20 CONSUMER CLOUD SERVICES at work in Europe

1. Facebook
2. LinkedIn
3. Flickr
4. YouTube
5. Twitter
6. Dropbox
7. Pinterest
8. Gmail
9. Vimeo
10. StumbleUpon
11. Tumblr
12. Instagram
13. Google Drive
14. Yahoo! Mail
15. VK
16. SlideShare
17. Spotify
18. Evernote
19. Skype
20. Xing


ABOUT SKYHIGH NETWORKS

Skyhigh Networks, the cloud security and enablement company, helps enterprises safely adopt cloud services while meeting their security, compliance, and governance requirements. Over 400 enterprises including Aetna, Cisco, DIRECTV, HP, and Western Union use Skyhigh to gain visibility into all cloud services in use and their associated risk; analyze cloud usage to identify security breaches, compromised accounts, and insider threats; and seamlessly enforce security policies with encryption, data loss prevention, contextual access control, and activity monitoring. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital, and Salesforce.com. For more information, visit us at www.skyhighnetworks.com, and follow us on Twitter @skyhighnetworks.


UNCOVER SHADOW IT

REQUEST COMPLIMENTARY CLOUD AUDIT

“With Skyhigh we discovered a wide range of services, allowing us to understand their associated risks and put in place policies to protect corporate data.”
Steve Martino, VP Information Security

If you’d like to learn the scope of Shadow IT at your company, including detailed statistics profiled in this report, sign up for a complimentary cloud audit: bit.ly/ComplimentaryCloudAudit

