Enterprises Apply Wrong Policies When Blocking Cloud Sites, Says Study

Firms tend to block cloud services based on productivity concerns and less for security issues, according to data collected about the cloud services blocked by firms.

For most companies, blocking a cloud service like Netflix is a no brainer, as it saps both bandwidth and productivity.

Yet, IT administrators need to think differently about cloud services to better secure their company and its data, Rajiv Gupta, co-founder and CEO of cloud security firm Skyhigh Networks, told eWEEK.

In a study released this week, the company found that customers are more likely to block popular safe services than more risky services that could compromise security or cause data leaks.

The study, based on real data from customers that use Skyhigh's network monitoring service, found that 46 percent of firms blocked Netflix, 45 percent blocked Foursquare and 39 percent blocked Apple iCloud, but no companies blocked MovShare, myCapture or FileFactory—all considered high-risk services by the firm.

"Companies are taking yesterday's approach to blocking," Gupta said. "IT is still taking a productivity- and bandwidth-based approach rather than risk-based approach to what they need to block."

As a greater variety of cloud services appear, companies need a more risk-based strategy to determine which services employees can use, he said. With workers using an average of more than 500 different cloud services, the task is not an easy one.

Moreover, if employees are not educated about the reasons why certain services are blocked nor given alternatives, they will adapt as well, Gupta said. In one instance, a company blocked backup service Carbonite for fear that data would be leaked or exfiltrated using the service. Soon after, an employee started using another service known as Elephant Backup instead. Skyhigh rates Elephant as risky.

"What you find is that our IT organization is so in the dark about what is risky that they are making the wrong decisions," Gupta said.

Two big categories that are considered high risk are tracking services and development services, according to the report. Typical Web tracking services, such as KISSmetrics and AddThis, do not deliver any value to a company but can offer attackers enough insight into employee habits to help target waterhole attacks. Such attacks find Websites visited by company employees, attempt to compromise the sites and then deliver malicious code to employees through the sites.

Development services can be used as a way of exfiltrating data or as an infection vector. Even social media sites can be used to communicate data outside the company firewall, according to Gupta. One customer found a user who sent out a million tweets in a day, but in reality, its compromised systems were exporting data 140 characters at a time via the tweets.

"This is all about shedding light on shadow IT," he said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...