Today, employees bring a wide variety of cloud services to work with them, often without the knowledge of the IT department. In doing so, they take advantage of the productivity benefits of these services to do their jobs more efficiently, but they usually skip reading the terms and conditions before uploading company data. We’ve published aggregated stats showing the average organization uses a dizzying 1,083 cloud services. Skyhigh also offers a free cloud audit showing you a snapshot of your own cloud usage. Companies often use this data to reign in shadow IT. For the first time, we wanted to do an experiment. What happens when a company allows shadow IT to grow unchecked for 2 months? We’ve partnered with a Fortune 500 company to find out.

What a difference 2 months makes

Skyhigh offers a free personalized cloud audit using our software to enterprises. We look at network activity and identify the cloud services in use and how they’re being used. Included in the audit are a list of all SaaS, IaaS, and PaaS services in use, an objective 1-10 CloudTrust Rating of each service, where sensitive data is being stored in the cloud, and potential insider threats and compromised accounts. In April, we performed an audit for a Fortune 500 customer who has given us permission to share their data anonymously. Meanwhile, they did not attempt to block any services discovered during the audit. Two months later we performed another audit.

And the results were striking.

During the initial audit, we discovered 1480 cloud services in use. The follow up audit showed 1698 cloud services in use, an increase of 15%. This isn’t surprising since we see a similar proportional increase even among our clients who’ve implemented a shadow IT solution.

Initial Audit Results


What stands out is the increase in usage of high-risk cloud services. While our seasoned clients see a drop in risky cloud usage, because they implement coaching and enforcement policies, the opposite occurred here, where shadow IT was left unchecked. Our initial audit found 105 high-risk cloud services in use. After two months, this number hit 141, a 34% increase. Even more alarming was the increase in actual usage of the high-risk services. In two months, the amount of data uploaded to and downloaded from high-risk services increased from 6.75 GB per month to 48.79 GB per month, a whopping 622% increase.

2 months later


In our initial audit, we found 45 cloud services that allow anonymous use, 24 that didn’t encrypt data in transit, 54 that didn’t encrypt data at rest and 3 services that owned your intellectual property. The follow up audit showed a startling increase in all 4 categories: 82 services allowing anonymous use, 37 services with no encryption in transit, 87 services with no encryption at rest, and 8 services that own your intellectual property.



How to bring shadow IT under control in 4 steps

Based on our experience helping over 400 enterprises take control of their cloud usage and risk, there are several steps we recommend. For many organizations, there’s a balance between permitting certain low-risk cloud services, coaching users to sanctioned cloud services, and blocking the highest-risk services. The ultimate goal for organization is to reduce risk without cutting off the cloud services that employees and business units use to drive growth and innovation.

1. Gain visibility and understand opportunities to mitigate risk

Shadow IT is ubiquitous in most employees’ day-to-day work, so understanding which services are being used and to what extent is the first step. It is usually 10x the size of sanctioned IT at any given enterprise so Skyhigh recommends reporting cloud usage on a monthly basis, with their associated risk, amount of data uploaded and number of users using it. It’s also important to understand the gaps in existing policy enforcement to mitigate risk

2. Define policies and remediation process

Companies need a plan to determine what cloud services will be allowed by their policy and then measure and close the gaps in policy enforcement. This is done by benchmarking and defining new policies that use existing network infrastructure such as firewalls and web proxies to block access, allow limited functionality such as download while disabling upload, or allow and coach users to use enterprise-approved alternatives. Remediation policies such as setting up alerts and thresholds can go a long way in ensuring breaches and policy failures are detected in real time.

A weekly meeting between the security and networking team should be scheduled where perimeter infrastructure and cloud access policies are reviewed and optimized.

3. Implement policies

Consistently enforcing policy is the single most effective means of protecting cloud data. Using remediation policies mentioned earlier can detect breaches early and stop them to limit the damage. Anomalous cloud usage should be sorted and prioritized based on service category, risk level, anomaly type and username.

4. Enablement

IT organizations are increasingly looking for ways to enable useful yet secure cloud services. This requires first assessing the risks of all cloud services, and with the use of monthly trends, promoting the enterprise-ready ones. In addition, in order to get the benefits of the cloud, organizations can reduce the cost and risk of multiple cloud services within a category. For example, the average company uses 171 cloud collaboration services, which not only impedes collaboration between teams, it also exposes the organization to unnecessary risk while fragmenting their data.

Cloud Adoption & Risk Report Q2 2015

Based on data from over 21 million users, this quarter, we examine anomalous activity within sanctioned cloud services—including the scale of sensitive data in the cloud, how data stored in the cloud is shared with third parties outside the organization, and the incidence of insider threats.

Download Now