IT departments have only a loose handle on what types of cloud-based services are being used within their organizations, and many services are being used without the IT department's blessing. Meanwhile, in an attempt to curb this behavior, IT departments commonly block popular cloud-based services, but allow potentially more high-risk services to be used unfiltered.
Those are findings from a review of more than 300 organizations by security vendor SkyHigh Networks. CEO and co-founder Rajiv Gupta says what surprised him most was how many cloud-based services are being used and how few of the potentially dangerous ones are being blocked.
"IT organizations are still focused on sanctioning bandwidth preservation and productivity services, whereas the applications that are a higher risk to the organization are being blocked less frequently," he says.
SkyHigh Networks, a network monitoring and security company, keeps an inventory of services and websites that customers' employees track and analyzes them to determine what level of risk they pose. As part of a study of usage patterns, SkyHigh found low-risk services are blocked 40 percent more than high-risk services.
IT departments seem focused on blocking popular cloud-based file sharing and storage services, or applications that could lead to decreased productivity for employees, SkyHigh found. The problem is that they're not blocking services that could potentially be higher-risk from a security standpoint, Gupta says.
The top five most-blocked services among more than 100 SkyHigh customers and 3 million users within those organizations were Netflix, FourSquare, Apple iCloud, Gmail and Skype.
SkyHigh found that IT shops are blocking access to services like Box and DropBox, but it says those services are actually more secure and lower risk compared to services like RapidGator, SendSpace and WeTransfer, which do not have as robust security measures in place like data encryption, two-factor authentication and policy-based user credential access.
RapidGator, for example, is a high-risk service because it does not encrypt data at rest, it doesn't provide audit trails and it's hosted outside of the U.S. and Europe, Gupta says.
"Right now, cloud-based services are used in a shadow IT setting, so the knee-jerk reaction is to block them," Gupta says. "If you start blocking the services employees use to be productive, then they will find other services that can be higher risk."
Gupta says the best approach is to find out what the most used services are within an organization, then have the IT shop provide a safe way to either access those services, or give users the functionality of those services through another means.
"Based on the culture of the company, IT can decide to block, educate or encourage. Or for some cloud services they can choose to enable by wrapping additional data security capabilities, such as encryption, data loss prevention, and contextual access control, around the service and thereby make it lower risk."
SkyHigh Networks, a 2011 startup that launched its first product this year at the RSA Conference, is backed by Sequoia Capital and Greylock Ventures. The company's monitoring tool allows users to see what services employees are using, and it benchmarks normal network behavior so that it can identify when abnormal behavior occurs. It works with customers to block services that are identified using a variety of tools including data loss prevention, encryption and physical protocols.