ra2 studio - Fotolia

Enterprise shadow cloud usage eclipses authorized cloud services

New research by CipherCloud shows that majority of enterprises don't know extent of unsanctioned cloud usage by their employees.

New research from CipherCloud has put a number on the usage  of shadow cloud applications and services within companies, and the numbers are far greater than enterprise leaders have anticipated.

CipherCloud, a San Jose, California-based security vendor, this week released its Cloud Adoption and Risk Report, which surveyed CipherCloud customers in North America and Europe. The report found that the average enterprise uses more than 1,100 cloud applications and that 86% of those cloud applications are unsanctioned by enterprise IT departments.

"There is very little visibility with many organizations today about the extent of shadow IT," said Will Leichter, global director of cloud security at CipherCloud.

In addition, the report also found that enterprises "vastly underestimated the extent of shadow IT cloud applications used by their organizations." Shadow cloud usage can put enterprises at greater risk for data breaches and leaks since the apps and services aren't controlled or monitored by IT departments or information security teams. Yet such cloud apps are growing in popularity within the enterprise.

"There's been a loosening of controls in general because user expectations have changed," Leichter explained. "They want things to be faster and easier. They bring their own apps in."

Shadow cloud discovery

CipherCloud's research also pinpointed the types of cloud applications and services most frequently used by enterprises, as well as the types carrying the most risk, according to the CipherCloud Risk Intelligence Lab. While marketing and collaboration cloud apps in the leaders in terms of enterprise useage, publishing  and career-cloud apps are  two of the leaders in risk factor, with a 52% risk rating and a 40% risk rating, respectively, according to the Risk Intelligence Lab's scoring data. Social cloud apps are among the top of both charts, averaging 254 applications accessed globally and carrying a 42% risk rating.

CipherCloud specializes in secure gateways that encrypt local data before the data is  transferred to cloud applications, such as Microsoft's Office 365, Box, and Salesforce.com. Earlier this year, the company also introduced CipherCloud  for Cloud Discovery, a free service to help enterprises gain visibility into shadow cloud usesage, and also developed a list of cloud products it rates as  more or less trustworthy and product that are notoriously unsafe.

"There's a balance between restricting users' ability to do things and giving them sanctioned alternatives," said David Berman, director of cloud discovery at CipherCloud.

Berman explained it makes sense for enterprises to allow some variety in cloud usage. Blocking all shadow cloud apps is difficult to do in practice, he said, and since BYOD has become prevalent in the industry, users expect more freedom.

"There's some user education involved in making employees understand what clouds are risky and that there are sanctioned alternatives," Berman said. "[But] it would make sense to block the highest risk clouds."

Leichter agreed, adding that many cloud apps and services offer productivity improvements for enterprise employees. "There are literally hundreds of apps now that make it very easy to share files with anyone," Leichter said.  "I think people are using these [programs] for legitimate reasons but they certainly represent risk … For the most part, I think this is people just trying to do their jobs and using tools that are easily available."

Leichter explained that the use of multiple file-sharing services stems from the fact that not all parties share a standard program. If an associate is sending a file via Google Drive but an employee only has Drop Box,then one of the two is likely to adapt by installing the other sharing client. While CipherCloud acknowledges the many legitimate file-sharing applications, they have found many "knockoff" brands that had poor security practices.

CipherCloud's findings are similar to those of the Cloud Security Alliance, which last month released a study regarding shadow-cloud usage in the enterprise. The CSA study found that more than 70% of executives and IT managers surveyed didn't know how many unauthorized cloud apps and services their employees were using.

Next Steps

Find out how HP and SkyHigh Networks are identifying shadow cloud apps in the enterprise

Dig Deeper on Public Cloud Computing Security