The transformative impact of cloud adoption
Back in 2011, entrepreneur and investor Marc Andreessen wrote about how software impacts nearly all areas of modern life. The principal platform for software applications today is not a hard drive; it’s a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It’s also transforming how businesses operate. Studies have shown that businesses taking advantage of productivity-enhancing cloud services grow 19.6% faster than their counterparts that don’t.
Similar to previous shifts in technology, such as the rise of the PC and the Internet, the cloud creates new and significant concerns among business leaders about the potential for headline-making security incidents. Because employees often bring their own apps to work, companies typically don’t know which ones are being used to store corporate data. Even within the cloud services purchased by a company’s IT department, there is limited visibility into user behavior and how sensitive information is accessed and shared.
To better understand these trends, McAfee publishes a Cloud Adoption & Risk Report, the first and most comprehensive report of its kind. What makes our report unique is that we base our findings on actual usage data for over 30 million users worldwide, across over 600 enterprises who use McAfee CASB.
Sensitive data in the cloud by file type
Across industries, organizations must protect different types of sensitive information from cyber attacks and accidental disclosure. They increasingly store this sensitive data in the cloud. All told, 18.1% of all documents uploaded to cloud-based file sharing and collaboration services contain sensitive information. Of that, 4.4% is confidential data (e.g. financial records, business plans, source code, etc.) and 3.9% contains personally identifiable information (Social Security numbers, tax ID numbers, etc.). Another 2.3% contains payment information (e.g. credit card or debit card numbers) and 1.6% contains personal health information (e.g. medical record IDs, patient diagnoses, etc.).
When sharing is erring
Cloud-based file sharing and collaboration services such as Box, Dropbox, Google Drive, OneDrive, and SharePoint Online are popular. While they initially offered users the ability to synchronize their files across devices, many of these services are now full-fledged collaboration platforms that enable users to share files and edit the same file with other people around the world in real time. In the most recent quarter, the percentage of files in these services that are shared hit an all-time high of 43.1%. Of the 43.1% of files that are shared, 71.5% are shared with individual users in this manner, while another 28.3% are shared with an individual at a business partner.
Internal and external threats
The number of cloud-related threats hit an all-time high last quarter. The average number of monthly incidents per organization reached 23.2, an 18.4% increase year over year. Broken down by category, these threats include insider threats (both accidental and malicious), privileged user threats, compromised accounts, and attacks that leverage the cloud as a vector for data exfiltration. Virtually every organization experiences at least one cloud-based threat each month.
The cloud threat funnel
The average organization today generates over 2.7 billion unique transactions in cloud services each month (e.g. user login, upload files, edit document, etc.). With this volume of data, it would be impossible to manually search through an audit trail of user activity to identify potential threats. In response, organizations are investing in user and entity behavior analytics (UEBA) tools, which use machine learning to identify anomalous events against the background noise of everyday activity.
More cloud services launch every week and the percentage of cloud services that are enterprise ready increased slightly this quarter. The average organization now uses 1,427 cloud services, an increase of 23.7% over the same quarter last year. The year-over-year growth in the number of services used by the average enterprise increased slightly from 21.% in the prior quarter, but it is below the historical average growth rate of 35.5%. Enterprise cloud services account for 71.3% of the services in use by the average organization, while consumer services represent 28.7% of the services in use.
Usage by industry
Broken down by industry, there are clear trends in both the variety of cloud services used by organizations and users as well as the volume of data uploaded each month. Technology companies use a wider variety of cloud services than any other industry, with the average company using 2,033 distinct cloud services. That’s followed by manufacturing (1,837 services), and business services (1,771 services). Government agencies use the fewest cloud services, on average, at just 944 per agency.
Cloud usage by category
Collaboration continues to be the category with the greatest variety of cloud services in use by a wide margin. The average organization uses 210 distinct collaboration services, followed by 76 file sharing services and 67 development services.
The IaaS Triumvirate
Enterprises are moving an increasing number of home-grown cloud services they had previously deployed in their data centers and private clouds to the public cloud. As an early pioneer in infrastructure as a service (IaaS), Amazon maintains the highest market share. However, in the past two years, Microsoft Azure has rapidly emerged as a major player in the public cloud infrastructure market.
A recent report found that 61% of large enterprises have a cloud governance policy. As enterprises begin to take control of their cloud usage, one of the steps they take is categorizing services into groups based on their risk to the organization.
Approved and permitted services
Approved services account for 5.4% of cloud services and are sanctioned by the corporate IT department and often purchased and deployed by the company. Permitted services make up 63.4% of services. They are introduced by employees and business units; however, they have business value and, with appropriate security controls, can be used without introducing an unacceptable level of risk.
The final governance category implemented by enterprises, "Not Allowed", includes cloud services deemed too risky for corporate use. They account for 31.3% of services, which include PDF converters that claim ownership of all data uploaded to them. Since the only function of such a service is to convert a file to a PDF, it would not make sense to enable the service in read-only mode.
The cloud enforcement gap
Comparing the services that are not allowed based on an enterprise cloud governance policy and actual block rates, we found there can be a wide gap between what IT thinks it’s blocking and actual blocking rates. There are three primary causes for this gap: cloud services regularly introduce new URLs and IP addresses that are not blocked by firewalls and web proxies, access policies are not standardized across global egress infrastructure, and organizations fall victim to exception sprawl.
Top 10 most-approved cloud services
Beyond usage, one way to look at the cloud services that are most endorsed for enterprise use is by looking at the governance policies companies implement. By analyzing the cloud services that are most frequently sanctioned and considered “approved” according to enterprises, we identified the cloud services that have been embraced by corporate IT departments.
Top 10 most-outlawed cloud services
We also looked at cloud services that have the highest percentage of enterprises that categorize them as prohibited for corporate use. Three of the top ten are PDF converters and another service resizes images. Two are BitTorrent services, which are frequently used to share pirated movies, music, and software.
Top 20 enterprise cloud services
In Q3, 71.3% of the cloud services in use by the average company were enterprise cloud services and these services accounted for 71.6% of data employees uploaded to the cloud at work. Microsoft delivers 5 of the top 20 services. From a security standpoint, the top 20 enterprise cloud services are significantly more likely to have enterprise-grade security controls than the average enterprise service (80% vs. 9.3%).
Top 20 consumer cloud services
Consumer cloud applications accounted for 28.7% of the cloud services in use in the average workplace and 28.4% of data businesses upload to the cloud. Social media, content sharing and collaboration services dominate the top 20 list. Only one service on the top 20 list delivers enterprise-grade security controls (5%) versus the overall average of 3.4% across all consumer services.
Top 10 file sharing services
OneDrive emerged as the leading file sharing service this quarter for the first time, displacing Google Drive in enterprise user count. It’s followed by Google Drive, Dropbox, and Box. This quarter, WeTransfer surpassed ShareFile to take the 5th spot on the list and MediaFire joined the top 10 for the first time.
Top 10 cloud collaboration services
Microsoft Office 365 continues to dominate the list of cloud-based collaboration platforms. Skype overtook Gmail for the second position in the rankings. Collectively, the Office 365 suite maintains a higher active enterprise user count than Google’s G Suite. Slack appears on the top 10 list for the second time, ascending to the 9th position this quarter, displacing Wunderlist.
Top 10 social media services
Facebook, Twitter, and LinkedIn still dominate the social media category. Tumblr has continued to drive active users following its acquisition by Yahoo! in 2013. Several services are not based in the United States, including VK (Russia), Sina Weibo and Qzone (China), and XING (Germany).