Here's a multiple choice question for all IT folks who think they know the cloud storage market. Which one of the following services do you believe holds the most business data overall:
c) Microsoft SharePoint
d) Google Drive
If you chose Salesforce.com, you are on the right track. Salesforce is not a storage application per se, but in practice it certainly is, since it is a customer relationship management tool that is required to store and secure all the data needed to run an account. Although Salesforce has a secure storage layer, its information governance controls are limited.
Nearly 40 percent of businesses don't realize they have more business data stored in Salesforce than in any other approved corporate cloud file repository (including Dropbox, Box, Google Drive and Sharepoint.com).
Research Reveals Risk Issues
This factoid was contained in a recent research project by Silicon Valley-based Adallom, which will make public its report on Nov. 5. Adallom's first Cloud Risk report is an analysis of cloud application usage for more than 1 million enterprise SaaS-enabled users over four dominant SaaS platforms: Salesforce, Box, Google Apps and Office 365, between October 2013 and October 2014.
Two-year-old Adallom, which already has a substantial lineup of customers, secures enterprise software-as-a-service (SaaS) application usage, audits user activity and protects employees and digital assets from threats in real time.
"Customers use us to get an understanding of who's interacting with the data in cloud applications, where the data is going, and obviously about risk management," Adallom Vice President of Strategy Tal Klein told eWEEK.
Adallom was founded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, all former members of the Israeli Intelligence Corps' Unit 8200 and alumni of the Talpiot program. The company name originates from Ad Halom, otherwise known as the “last line of defense.”
In-Depth Look at SaaS Usage
The research provides an in-depth view of SaaS usage beyond common shadow IT, and it exposes risk that exists right under IT's nose, including:
--on average, a company shares its corporate files with 393 external domains, and 5 percent of an average company's files are accessible by anyone on the Internet;
--significant portions of authorized SaaS users have full administrative access: 7 percent in Salesforce (average deployment size is 2,000 users), 4 percent in Google Apps (average deployment size is 19,000 users) and 2 percent in Box (average deployment size is 1,400 users);
--more than 5 percent of files are orphaned files (files without owners) and 2 percent of orphaned files were created by users no longer with the company (a huge data retention risk in the event of an eDiscovery event); and
--80 percent of companies have at least one corporate zombie user (suspended or terminated employee whose account has not been deleted), which also costs enterprises money.
This report is the first of its kind to detail application usage patterns and risky behaviors for the top SaaS applications used by businesses, Klein said. "The findings in this report reaffirm the need for a new approach to data governance, risk management and security in the context of cloud adoption," he said.
Perimeter and endpoint security solutions provide minimal protection against new, emerging, and largely unknown risks. Therefore, enterprises need to proactively invest in new controls like Identity and Access Management (IAM) solutions and Cloud Access Security Brokers.
Some Other Data Points
Other findings in the report included:
--In the cloud, zombies are real: 11 percent of all enterprise SaaS accounts are "zombies," inactive assigned users that are at best eating up the cost of a license, and at worst increase the attack surface of the organization.
--More admins, more problems: Every administrative account represents a real and present risk to the enterprise. In some SaaS applications, Adallom discovered an average of seven administrators out of every 100 users.
--80 percent of companies have at least one former employee whose SaaS application credentials have not been disabled: Deprovisioning continues to plague organizations, credential creep makes the problem unwieldy.
--Nineteen percent of users bypass identity and access management controls: Rebalancing the enterprise security portfolio from exclusively preventative controls to blended risk management based compensating controls is necessary.
The company has secured $4.5 million in Series A funding from Sequoia Capital and Zohar Zisapel in addition to $15 million in Series B funding led by Index Ventures with contributions from Sequoia.