Campbell, Calif. – June 3, 2015 – Skyhigh Networks (McAfee MVISION Cloud), the cloud security and enablement company, today released its new “Cloud Adoption & Risk in the Government Report”. The Q1 2015 report reveals that shadow IT is prevalent in government agencies – the average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place – such as FedRAMP, FISMA, and FITARA – many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.
“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations.”
Despite clear benefits of cloud services – greater collaboration, agility, and cost savings – Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.
Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7 percent of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82 percent of public sector organizations had behavior indicative of an insider threat.
Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3 percent achieved the highest CloudTrust Rating of Enterprise Ready. Only 10 percent of cloud services encrypt data stored at rest, 15 percent support multi-factor authentication, and 6 percent have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31 percent of passwords are used in multiple places. This means that for 31 percent of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37 percent of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.
The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2 percent of public sector organizations have users with compromised credentials and, at the average agency, 6.4 percent of employees have at least one compromised credential.
Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services – such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services – the same services used by cyber criminals to inform watering hole attacks.
The report also reveals the top cloud services used in the public sector.
Top ten enterprise cloud services are:
- Microsoft Office 365
- Cisco WebEx
- SAP ERP
- Oracle Taleo
- SharePoint Online
Top ten consumer cloud services are:
The “Cloud Adoption & Risk is Government Report” is based on data from 200,000 public sector employees in the United States and Canada.
About Skyhigh Networks (McAfee MVISION Cloud)
Skyhigh Networks, the cloud security and enablement company, helps enterprises safely adopt cloud services while meeting their security, compliance, and governance requirements. Over 400 enterprises including Aetna, Cisco, DIRECTV, HP, and Western Union use Skyhigh to gain visibility into all cloud services in use and their associated risk; analyze cloud usage to identify security breaches, compromised accounts, and insider threats; and seamlessly enforce security policies with encryption, data loss prevention, contextual access control, and activity monitoring. Headquartered in Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia, and Salesforce.com. You can follow us on Twitter @SkyhighNetworks or learn more at skyhighnetworks.com.
Director, Corporate Communications