Study Finds Companies Need to Monitor Use of Big-4 Cloud Platforms

Cloud service providers Box, Dropbox, Google Drive and Salesforce store a huge amount of corporate data, potentially leading to a risk of leakage, according to a Netskope study.


Companies worried about sensitive data leaking out to the cloud should start focusing on four popular cloud-service ecosystems—those of Box, Dropbox, Google Apps and Salesforce, according to the latest data from cloud management provider Netskope.

The company analyzed data from its customers and found that more than a third of all sessions from mobile and cloud applications connected to those four services. The collection of connected apps and back-end cloud services formed ecosystems that handle a great deal of sensitive data. Because so much data is traveling between mobile apps, Web applications and these "anchor tenants," as Netskope calls them, companies need visibility into the patterns of access to the services to spot breaches.

In most cases, the services themselves are sanctioned by the business's information-technology group, but employees often connect unsanctioned applications to the back-end services, resulting in data potentially passing through insecure—or at the very least, unauthorized—applications, Rajneesh Chopra, vice president of product management at Netskope, told eWEEK.

When the company looked at the policy violations flagged by data-loss prevention technology, data going through the four ecosystems accounted for about three-quarters of all policy violations.

"These are data-specific violations—sensitive data being shared with people who it is not meant to be shared with," Chopra said. "The large majority of the applications connected to these ecosystems are unsanctioned."

Data accessed by unsanctioned applications is at risk of being leaked, or at the very least of violating compliance regulations. Many companies focus on whether data is stored in a known and vetted cloud service, such as Box or Salesforce, and not what other applications are accessing the stored data, Chopra said.

The Netskope analysis is one of the first to look at the growing ecosystems in which data is shared by employees. While software and operating system ecosystems surrounding specific platforms—such as Apple's iOS and Google's Android—are better understood, the data ecosystems are beginning to have an impact on security.

While not every company sanctions the use of each of the four ecosystems, business data is often stored in the four services. The average company had 28 Box, 20 Dropbox, 19 Google Apps and 26 Salesforce ecosystem apps. Box, Dropbox and Google Apps also had a wide variety of application types, with Box, for example, accounting for 40 of the 55 types of applications tracked by Netskope, such as marketing, collaboration and productivity apps.

Salesforce, the most mature ecosystem, accounts for 15.3 percent of all business data that's downloaded from the cloud and 13.5 percent of all data shared by employees using cloud services, according to Netskope's analysis. The Salesforce ecosystem accounts for a large portion of policy violations, about 44 percent, as determined by alerts issued by data-loss prevention technology.

"We believe this is high because the vast majority of DLP violations occur in storage and social media apps, two of the top three categories represented in the Salesforce ecosystem," the report stated. "This underscores the importance of extending data security policies beyond Salesforce—or another anchor tenant—to the entire ecosystem."

The analysis is based on anonymous usage statistics that Netskope observed in tens of billions of events across millions of users during a three-month period ending March 1, 2015. Neither Apple's nor Microsoft's cloud-data ecosystems were significant enough in the enterprise to be included in the report, Netskope said.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...