Cloud App Policy Violations Are a Growing Concern

The January 2015 Netskope Cloud Report shows an increasing use of cloud applications by enterprises.

The race to the cloud is continuing to accelerate, with more cloud apps than ever now being used by enterprises, according to the January 2015 Netskope Cloud Report.

According to the report, the analysis was derived from "tens of billions of events seen across millions of users" in the Netskope Active Platform, a product used for monitoring cloud application usage. Netskope declined to provide eWEEK with the specific number of events and users analyzed for the January report.

The report found a number of surprising trends about enterprise cloud app usage and security risks. Netskope reported that 15 percent of business users admitted to having their access credentials compromised, which is a particularly noteworthy risk since as many as half of users reuse passwords on multiple sites.

Another cloud security trend identified by Netskope is that users violate data loss prevention (DLP) policies with increasing regularity across certain classes of applications. The top cloud app category in terms of policy violations is storage, followed by Webmail. Netskope CEO Sanjay Beri commented that he is particularly interested in some of the specific DLP trends. There are multiple types of DLP policy violations, including users logging into sites as well as uploading or downloading information.

"I find it interesting that 'login' as a policy violation has dropped from the first to the third position in this cloud report, with 'download' and 'upload' taking the one and two spots," Beri told eWEEK. "To me this shows that IT is getting more nuanced about policy controls."

Another cloud DLP statistic that Beri found interesting is the fact that 8 percent of data uploaded to the cloud constitutes a DLP violation.

"When combined with another data point from a study we conducted with the Ponemon Institute where IT estimates that 30 percent of their business-critical information is in the cloud, this becomes even more interesting," he said. "You can bet that we'll be tracking this going forward."

Overall, Netskope found that the use of cloud apps within organizations is growing, with an average of 613 apps per enterprise in the fourth quarter of 2014, up from 579 in the third quarter. From a definition standpoint, the cloud apps reported by Netskope are all third-party apps.

"Netskope does allow customers to track custom apps, but they are not included in this data," Beri said.

Included across the cloud apps in the Netskope report are popular social networking services Facebook and LinkedIn, both cloud-based services that enterprise employees can log in to share information, he said.

"While some might argue that these aren't cloud apps in the strictest software-as-a-service terms, many of our customers are required to keep track of information shared in these apps," he said. "We feel it's better to provide the option of tracking these apps for customers that require it."

According to Netskope, 88 percent of apps that are already being used by the enterprise are not actually enterprise-ready. Beri explained that at a very basic level, apps scoring "excellent" or "high" in Netskope's Cloud Confidence Index (CCI) are considered enterprise-ready. There are more than 50 unique considerations that go into an app's CCI rating, he added. The consideration criteria include audit logs, disaster recovery plans, separation of tenant data and encryption of data at rest.

"Not to overly simplify, but the fundamental difference between enterprise-readiness of a cloud app and an app an enterprise deploys in a multi-tenant data center really comes down to check-boxes and who owns what tasks," Beri said. "With a cloud app, the enterprise is counting on the vendor to make sure things are done right, while in a multi-tenant data center, the enterprise has more direct responsibility."

As an example, Beri said if an enterprise decides to use a certain cloud app and Netskope has rated the app as "excellent" in its Cloud Confidence Index, the enterprise can drill down to find out additional criteria. Within the CCI, the enterprise can click in to see that the app is backed up in a separate data center because that's an important consideration. If, on the other hand, the enterprise was deploying its own app, it would need to set up that backup on its own or work directly with a provider to ensure that this was set up.

Looking at the rest of 2015, Beri expects there to be continued focus on cloud app security.

"I think Sony changed the game," he said. "Cyber-security is now playing at a theater near you, and my sense is that the CISO now has the mandate that won't leave cloud-based apps as the unturned stone."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.