Third-party partners who handle data are increasingly deemed a security risk, but companies do not often weigh the risks of sharing data in the cloud with these partners, according to a report by cloud-management firm Skyhigh Networks.
The average company connects with more than 1,500 business partners via the cloud, according to anonymized data collected by the firm, which helps customers track their use of cloud services.
Yet, nearly 8 percent of partners—that have access to 29 percent of the data—are considered “high risk” by Skyhigh, which evaluated the companies using public information, such as whether compromised accounts were for sale online, evidence of malware infections and vulnerabilities in public-facing services.
“If you are interacting with partners that are high risk—partners that are connected to your enterprise through the cloud—then you need to worry about the security of that information,” Kamal Shah, vice president of products for Skyhigh Networks, told eWEEK.
In its Cloud Adoption and Risk Report for Q1 2015, the company found that a third of all data is uploaded to media and entertainment partners, a fifth to manufacturing partners and a sixth to high-tech partners. The company did not classify the degree to which the data shared could be breached if the third party was compromised.
The average company used 923 cloud services in the first quarter of 2015, up 22 percent from the same quarter a year ago, the report stated. Information-technology managers underestimate their company’s use of cloud services by a factor of 10, according to Skyhigh, which tracks more than 10,000 different services.
Typically, companies are using 123 different collaboration services, 51 development services, 49 file-sharing services and 42 content-sharing services.
The recent announcement by collaboration service Slack underscores the danger that cloud services pose. On March 27, Slack announced that hackers had accessed the company’s database servers, including information on user names, email addresses and hashed passwords.
“We have notified the individual users and team owners who we believe were impacted and are sharing details with their security teams,” Slack stated in a March 27 blog post on the breach. “Unless you have been contacted by us directly about a password reset or been advised of suspicious activity in your team’s account, all the information you need is in this blog post.”
Slack is one of the 58 cloud services considered by Skyhigh to be a “hyperconnector”—a cloud hub linking more than half of Skyhigh’s clients to each other. Each hyper-connected service poses such a treasure trove to hackers that they will eventually be targeted, similar to the way that ubiquitous software—such as Oracle’s Java and Adobe’s Flash—has been targeted.
“You can no longer turn a blind eye toward cloud,” Shah said. “Cloud is being used aggressively within the enterprise, and for the right reasons … it helps employees to get their jobs done faster and collaborate. But, at the same time, employees are not being educated in the risks inherent in the use of the cloud.”
Shah cautioned companies against deciding to simply block cloud services. Instead, the best time to educate employees about the potential risks is when they try to use cloud services in a business context, especially if the cloud service is considered risky, Shah said.