Cloud access security brokers (CASBs) provide a critical control point for the secure and compliant use of many Software-as-a-Service (SaaS) applications. By virtue of their position between end users and cloud services, CASB service providers get a first-hand view of exactly what SaaS applications the people within an organization are using, and how they are using those applications. This includes having the visibility to see what data workers are putting into various cloud applications and whether that data is adequately secured. What’s more, these vendors can assess the risk to enterprises from the use of various cloud applications.
Netskope and Skyhigh Networks are two of the leading providers of CASB solutions. Both companies recently published their quarterly reports in which they summarize the status of cloud applications based on the aggregated usage information of their customers worldwide. These reports are eye-openers, showing that most organizations have a way to go in terms of choosing truly enterprise-ready applications that can properly secure sensitive information going into the cloud.
So many applications in use!
Both vendors report the average number of cloud applications per enterprise has crossed into the thousands: Netskope reports 1,031 per enterprise, while Skyhigh’s customers use 1,427. These numbers demonstrate the importance of setting and enforcing standards for cloud application use. With more than a thousand applications in use, it’s impractical to think that an organization can fully ensure the security and privacy of its data and compliance with regulatory mandates.
Making matters worse, many cloud applications don’t meet the CASB vendors’ strict standards for being “enterprise-ready.” Netskope uses a proprietary Cloud Confidence Index and Skyhigh has its own standards called the CloudTrust Program. Both programs measure a cloud application’s ability to minimize risk to the enterprise customer by having implemented a rigorous set of security measures. Skyhigh Networks, for example, measures dozens of attributes around data security, users and devices, legal protections and more.
In Netskope’s measurements, 94.8 percent of the applications it assesses are not enterprise-ready, earning a rating of “medium” or below in the Netskope Cloud Confidence Index. Skyhigh came to a similar conclusion: across more than 20,000 cloud services in use today, only 8.1 percent meet the strict data security and privacy requirements of enterprises as defined by Skyhigh’s CloudTrust Program. Skyhigh has learned that fewer than 1 in 10 cloud application providers encrypt data at rest, and even fewer let a customer encrypt data using its own encryption keys. Encryption using customer-managed keys is rapidly becoming a requirement for organizations that store data in the cloud while meeting obligations dictated by industry regulations and national data privacy laws.
Sensitive data and file sharing in the cloud
Skyhigh reports that file sharing and collaboration services are among the most popular cloud applications in use today. While they initially offered users the ability to synchronize their files across devices, many of these services are now full-fledged collaboration platforms that enable users to share files and edit the same file with other people around the world in real time. By mid-2016, the percentage of files in these services that are shared hit an all-time high of 43.1 percent. The question is, are the files being shared responsibly?
According to the Skyhigh report, 5.4 percent of the shared files are accessible by anyone with a link. These links are easily forwarded and can create risk, since the organization cannot audit or control who is viewing the document. Sometimes files are accessible without inviting or sharing at all. Within file sharing services, 17.7 percent of files have access permissions that allow anyone within the organization to view or download them. Moreover, 2.7 percent of files have access permissions that make them publicly accessible, which is to say that they can be found and downloaded by anyone via an Internet search engine.
Skyhigh reveals that 18.1 percent of files uploaded to cloud-based file sharing and collaboration services contain sensitive data. This includes confidential information such as financial records and source code; personally identifiable information (PII); protected health information (PHI); payment information; and other types of sensitive information that could put an organization at risk if breached.
For files that are shared externally (with business partners, through personal emails, or publicly accessible online), 9.3 percent contain sensitive data. This shows that organizations need to educate employees about the risks of sharing certain types of data and enforce policies defining how and with whom it is appropriate to share sensitive content.
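The exposure categories the report measures (shared within the organization, shared with outside parties, accessible to anyone with a link, and publicly indexed) map directly to the sharing metadata a file service exposes. The following is an added example, not code from Skyhigh or Netskope, that classifies a constructed file inventory into those tiers and flags sensitive files that are reachable from outside the organization; the `SharedFile` fields are hypothetical stand-ins for whatever a real API or CASB export provides.

```python
from dataclasses import dataclass

# Exposure tiers from least to most exposed (the report's own categories:
# shared inside the org, shared with outside accounts, anyone with a link, public).
TIERS = ("private", "internal", "external", "link", "public")
EXTERNAL_TIERS = ("external", "link", "public")  # reachable outside the organization

@dataclass
class SharedFile:
    name: str
    link_access: str             # hypothetical field: "none", "org", "anyone" or "public"
    external_collaborators: int  # hypothetical field: invited users outside the org
    sensitive: bool              # hypothetical field: DLP classified it as PII/PHI/payment/etc.

def exposure(f: SharedFile) -> str:
    """Map a file's sharing settings to the most exposed tier that applies."""
    if f.link_access == "public":      # indexed and findable via a search engine
        return "public"
    if f.link_access == "anyone":      # anyone holding the link can open it
        return "link"
    if f.external_collaborators > 0:   # explicitly shared with outside accounts
        return "external"
    if f.link_access == "org":         # anyone in the organization can view/download
        return "internal"
    return "private"

def audit(files):
    """Return the share of files in each tier plus sensitive files reachable externally."""
    n = len(files)
    tiers = [exposure(f) for f in files]
    tier_pct = {t: round(100 * tiers.count(t) / n, 1) for t in TIERS}
    shared_pct = round(100 * sum(t != "private" for t in tiers) / n, 1)
    flagged = [f.name for f, t in zip(files, tiers) if f.sensitive and t in EXTERNAL_TIERS]
    return {"shared_pct": shared_pct, "tier_pct": tier_pct, "sensitive_external": flagged}

# Constructed sample inventory (not real data).
SAMPLE = [
    SharedFile("q3-forecast.xlsx", "none", 0, True),
    SharedFile("design-notes.md", "org", 0, False),
    SharedFile("customer-list.csv", "anyone", 0, True),
    SharedFile("press-release.docx", "public", 0, False),
    SharedFile("contract-draft.pdf", "none", 2, True),
    SharedFile("team-photo.jpg", "org", 0, False),
    SharedFile("patient-export.csv", "public", 0, True),
    SharedFile("readme.txt", "none", 0, False),
    SharedFile("vendor-quote.pdf", "anyone", 1, False),
    SharedFile("roadmap.pptx", "none", 0, False),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(f"{report['shared_pct']}% of files are shared; per tier: {report['tier_pct']}")
    print("sensitive files reachable outside the org:", report["sensitive_external"])
```

The flagged list is the set a policy such as "no sensitive content shared externally" would act on, while the tier percentages give the same breakdown the report quotes for a single organization's own inventory.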
GDPR compliance concerns
Netskope evaluates cloud services on their ability to meet the strict data privacy requirements of the European Union General Data Protection Regulation (GDPR). In the latest quarterly report, Netskope noted that two-thirds of all cloud services lack the security and privacy controls and industry certifications needed to be considered ready to comply with GDPR. For example, 66.4 percent of cloud services do not specify in their terms of service that customers own their data, and 42.0 percent don’t allow admins to enforce password controls.
Enterprise security in the cloud is improving overall
Vendors like Skyhigh Networks, Netskope and others in the CASB space have spent years measuring their customers’ usage of SaaS applications. All indications are that cloud application data security and privacy measures are improving, but there is still a way to go before risks are reduced to an acceptable level. Organizations have a responsibility to perform due diligence on the cloud applications they sanction for employee use, and to create and enforce policies that provide the highest possible level of data protection.
For more information about enterprise cloud application usage, see the January 2017 Netskope Cloud Report, Worldwide Edition and the Skyhigh Networks Cloud Adoption & Risk Report, Q4 2016.