Cloud Data Security Still Lacking Even as Enterprises Increase Use

The average business is using more cloud services and 1 in 10 is sharing documents outside the company.


Corporate employees continue to expand their use of the cloud, an overall trend that simultaneously continues to increase risks to data security, according to a quarterly look at cloud usage published by Skyhigh Networks.

In the fourth quarter of 2014, the average company used 897 cloud services, a 43 percent increase over the same quarter a year earlier. About 11 percent of all documents stored in the cloud were shared with people outside the company, while a fifth of those documents were shared with non-corporate email addresses.

Because so many companies are using file-sharing services—an average of 45 services per company—they are unable to keep up with where their data is residing, Kamal Shah, vice president of products for Skyhigh Networks, told eWEEK.

"The adoption of file sharing is increasing," he said. "I think that companies are putting in policies and putting in capabilities to do that in a secure way, but the efforts are lagging the adoption of the services. So overall, the risk to the enterprises is increasing."

Different cloud services pose different risks to companies. Depending on the business, those risks could be deemed acceptable, according to Shah. Services such as Facebook, Twitter, YouTube, TubeMogul and LinkedIn do not encrypt data at rest, one of the criteria for a cloud service to be judged enterprise-ready by Skyhigh Networks. Other services, such as Prezi, SourceForge, eFolder and Pastebin, claim ownership of data uploaded to their services.

Increasingly, companies are adopting policies and security measures to appeal to businesses. File-sharing service Box, for example, announced in early February that it now offers companies the ability to manage their own keys to encrypted content stored on the service.

Other services are following suit. By the end of 2014, 1,459 services—about 17 percent of those tracked by Skyhigh Networks—were offering multi-factor authentication, while 533 were certified using an international security standard known as ISO 27001. More than 1,000 companies encrypted customer data at rest.

The growth in adoption, however, is outpacing companies' efforts to manage cloud service use. The average employee uses 27 different cloud services, according to Skyhigh, including six collaboration services, four social media services, four content-sharing services and three file-sharing services.

The top services for corporate use include collaboration, with 139 different services used at an average company, and development, with 47 different services. File sharing is the third most commonly used cloud service.

While the most popular services are often secure, the "long tail" of usage means that some employees use many other services that are insecure.

"It only takes one employee to store sensitive data on a service that is part of the long tail [of insecure services] and there could be a significant impact," Shah said.

More than a third of users uploaded a document containing sensitive information to a file-sharing service, according to Skyhigh's data. Because 12 percent of users at an average company have had at least one account compromised, such data could easily be put at risk, if security measures—such as multi-factor authentication—are not in place.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...