Skyrocketing Cloud App Use Raises Enterprise Security Risks

Businesses must deal with the proliferation of cloud services inside their networks, and most of these services are not approved, a new study finds.

cloud risks

The number of cloud services used by corporate employees has dramatically increased in the past quarter, with most of the services not approved by business management, according to data released May 7 by cloud-management firm Skyhigh Networks.

The average large company used 759 cloud services as of April 2014, a jump of 21 percent from the previous quarterly measurement. The total number of services used by the Skyhigh's clients jumped to 3,571, from 2,251 the previous quarter, with most of the increase coming from services not meeting enterprise standards of security, according to the company's Cloud Adoption & Risk Report Q2 2014.

An increase of 133 cloud services for the average company is not surprising, Kamal Shah, co-founder and vice president of product marketing for Skyhigh told eWEEK."Users are constantly embracing new types of cloud services," he said.

Skyhigh tracked trends using anonymized data from its customer base of 250 companies consisting of 8.3 million users. Using its data, the company found that a third of cloud services were initially vulnerable to the Heartbleed Secure Sockets Layer encryption bug, but that number has now dropped to less than 1 percent. The firm also found that 18 percent of its customers had at least 1,000 PCs running Windows XP, which Microsoft stopped supporting in early April.

The most significant cloud trend is that workers are increasingly bringing the cloud with them on the mobile devices that they carry to work every day.

For the most part, workers used consumer-grade services, which outstripped the meager addition of a few enterprise-ready cloud services over the past 90 days, according to Skyhigh. The absolute number of enterprise-ready cloud services slightly increased to 250, from 247 the previous quarter, but dropped significantly as a fraction of the total number of services, to 7 percent from 11 percent.

"Consistently across every organization, the number of unapproved services is 10 to 12 times the number of approved services," Shah said.

Skyhigh considers a cloud service to be "enterprise-ready" if it meets a number of criteria, including a design that protects data, the ability to verify identity and a focus on safe business practices.

While the majority of services used by employees are consumer-grade, companies should not attempt to ban access to the service without a plan for offering employees more secure options, said Shah.

"The days of saying that you cannot use a cloud service are behind us; it does not work," he said. "So now companies have to figure out what services employees are demanding, and find ways to make those services securely available."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...