2. Cloud Adoption and Risk in Europe Report – Q2 2015
TABLE OF CONTENTS
INTRODUCTION
OVERVIEW OF CLOUD ADOPTION
INSIDER THREATS IN THE CLOUD
COMPROMISED CREDENTIALS
MULTI-FACTOR AUTHENTICATION
THERE’S NO TYPICAL USER
HEAD IN THE CLOUDS
SAFE STORAGE FOR EUROPEAN DATA
THE CLOUD NEVER SLEEPS
THE TOP CLOUD SERVICES
INTRODUCTION
[1] http://www.cio.com/article/2929806/cloud-computing/the-cloud-s-game-changer-is-competitive-advantage.html
[2] http://www.businesscloudnews.com/2015/05/12/cloud-adoption-nudges-past-80-per-cent-in-the-uk-survey/
[3] http://www.bitkom.org/de/presse/81149_80724.aspx
[4]
[5] http://www.v3.co.uk/v3-uk/news/2405608/g-cloud-sales-pass-gbp550m-mark
[6]
[7] https://www.skyhighnetworks.com/cloud-security-blog/gartner-companies-spend-just-3-8-of-cloud-budgets-on-security
“The biggest impact of the cloud is the ability to accelerate the rate of innovation for the
business,” says Frank Gens, senior vice president and chief analyst at IDC [1]. This is as true
in Europe as anywhere else in the world.
Cloud computing continues to grow in Europe, with a recent survey [2] of UK-based IT
decision-makers showing that 84% are using cloud services today and most expect cloud
adoption to continue to grow. The German IT association BITKOM quoted growth in
enterprise cloud of 46% to 6.4B Euros in the last year [3], and in Sweden currently 64% of
enterprise data is hosted in the cloud with an expectation that this will grow to 93% within
two years [4]. This is not just a business phenomenon either, with the UK government
G-Cloud platform showing sales of over £500M by March 2015 [5].
Given the focus on winning enterprises as customers, cloud service providers (CSPs) are
increasing their investments to support industry security standards. At Skyhigh, we believe
this is important for enterprises to securely embrace the cloud. However, only 2.8% of the
CSPs in our global cloud registry have achieved ISO 27001 compliance, and so far only two
vendors (Microsoft and Dropbox) have announced that they have achieved the relatively
new ISO 27018 code of practice for personal data protection in public clouds. With the
daily arrival of new services that lack proper certifications, the overall percentage of CSPs
with ISO certification is declining.
European regulators are also taking ever-stronger attitudes to data loss and unfortunately,
cloud is one of the possible conduits for data exfiltration. Our data shows that on
initial review, IT is generally aware of less than 10% of the services in use inside their
organisations and Gartner quotes that companies spend just 3.8% of their cloud budget
on security [7].
To better understand these trends and the risks in cloud adoption, Skyhigh publishes this
Cloud Adoption & Risk in Europe report.
What makes this report unique is that it’s based on actual usage data for over 2.5 million
employees in European organizations, rather than surveys that ask people to
self-report their behavior. In this quarter’s report, we explore insider threats within these
organizations and expose a worldwide black market of stolen login credentials that cyber
criminals use to gain access to sensitive information in cloud services. We also detail the
Top 20 enterprise and consumer cloud services in Europe, the top cloud services used to
connect with partners, and how prolific one employee can be in terms of cloud usage and
high-risk behavior.
The average European organization uses 987 cloud services, an impressive growth of
61% over the same quarter a year ago, casting aside doubt that cloud use is mainstream
throughout Europe. Another way of looking at this is that the average company is adding
more than one new cloud service per day, reminding us that this is a rapidly changing
market and the IT department needs constant updates to be able to manage both shadow
and sanctioned cloud adoption. The average European organization uploads 12.3 TB to
the cloud each month, an amount equal to around 7.6 million copies of War and Peace in
digital form (at 1.7 MB per copy).
When employees bring cloud services into the work environment for increased
productivity and efficiency without the knowledge or approval of IT, they may not
realize the risk they’re introducing to the organization. Just 7.0% of cloud services meet
enterprise security and compliance requirements, as rated by Skyhigh’s CloudTrust
Program. Only 15.4% support multi-factor authentication, 2.8% have ISO 27001
certification, and 9.4% encrypt data stored at rest. Considering how much data European
organizations upload to the cloud each month without proper controls, this data could be
at risk for exfiltration.
[Figure: Average number of cloud services in use by European organizations, 2014 Q1 to 2015 Q2. Values plotted: 588, 614, 724, 782, 805 and 987 (2015 Q2).]
OVERVIEW OF CLOUD ADOPTION
-
nization uses far fewer services, it is worth noting that the minimum number of services we have
seen in Europe is 507, from a company with less than 200 employees; while the highest number
of services we have seen in Europe is greater than 3,000.
Of the 987 cloud services in use by the average European organization, the most popular category
is collaboration with 226 cloud services. This category includes services such as Microsoft
services per organization (e.g. SourceForge, GitHub, etc.), content sharing with 54 services (e.g.
with 38 services (Dropbox, Google Drive, etc.).
[Figure: The average organization in Europe uses many cloud services in each category]
Business intelligence: 21
Collaboration: 226
Content sharing: 54
Development: 80
File sharing: 38
Social media: 49
Tracking: 34
A cloud service may be secure, but employees can still use it in risky ways. While Edward
Snowden is the most well-known example of an insider threat, most insider threat incidents are
quiet and may not be uncovered by the company at the time, if at all. Consider the example of
a salesperson who, knowingly or unknowingly, leaves a company with customer contact information
when he or she decides to change employers. In many cases, the organization has no easy
way to detect this type of behavior.
We surveyed organizations in partnership with the Cloud Security Alliance and found that just
18% of organizations knew of an insider threat incident in the last year. However, examining
actual anomaly detection data collected across European users, we found that 87% of organizations
had behavior indicative of an insider threat in the last quarter alone. While not all of these
events turn out to be malicious activity, the incidence of potentially destructive behavior by
employees is much higher than most European organizations realize.
[Figure: Have you had an insider threat incident? Perception: just 18% of European companies surveyed reported an insider threat incident in the last year (Yes 18%, No 63%, Not sure 19%). Reality: 87% of European companies had behavior indicative of an insider threat in the last quarter alone.]
INSIDER THREATS IN THE CLOUD
There were more software vulnerabilities discovered and more data breaches in 2014 than any
year on record. Following one of the largest breaches of the year, eBay prompted 145 million
users to change their passwords after cyber criminals compromised their account credentials.
University of Cambridge shows that 31% of passwords are re-used in multiple places. With the
We found that 72.1% of European organizations have exposure to compromised credentials.
While this number is lower than the overall average of 91.7% across the globe, even more
concerning is that 8.5% of employees at European companies have at least one compromised
this capability, we recommend European organizations use strong, unique passwords for each
cloud service and change them regularly to limit exposure to compromised credentials.
[Figure: The darknet is home to millions of compromised passwords. 72.1% of European companies have at least one employee whose credentials are compromised; 8.5% of employees at European companies have at least one credential compromised.]
COMPROMISED CREDENTIALS
The LastPass data breach, which occurred in June 2015, brought to light the importance and
only have to KNOW something (a name and password), but also have to HAVE something (a
token or, more commonly, a pre-authenticated mobile device) to gain access to an account. Any
loss of just a name and password is less of a concern as multi-factor authentication requires
that any criminal will also need to get hold of, or spoof, an additional device before accessing
the compromised service.
We strongly recommend that enterprises consider multi-factor authentication as a key
component of safe cloud services. Currently only 15.4% of the 12,000+ cloud services support
multi-factor authentication; we hope that this will increase in time.
[Figure: Support for multi-factor authentication remains low. Supported: 15.4%; not supported: 84.6%.]
MULTI-FACTOR AUTHENTICATION
cloud services used by 175 users to determine whether people had the same or similar
patterns of usage.
What we found is that not all users have the same patterns, and that there are 31 possible
accessed it and 25 of the 31 possible combinations were regularly in use. Our results show
of the services. This goes to show that you can’t assume or predict how your users will use
services your users need.
[Figure: Cloud usage is not uniform across users. Number of users for each combination of Box, Office 365, Google Drive, Dropbox and Salesforce.]
THERE’S NO TYPICAL USER
The average European employee uses 23 distinct cloud services including seven
collaboration services, four file-sharing services, three social media services, and three
content sharing services. What’s troubling is that each employee is tracked by, on average,
four marketing analytics and advertising services. These services are used to deliver
targeted ads to users across the Internet, but they are also increasingly used by cyber
criminals to determine the sites employees frequent most. Armed with this information,
criminals attempt to compromise these sites in order to ultimately compromise the
organization in what’s known as a watering hole attack.
However, there are employees whose cloud usage is even more prolific. The most
prolific cloud user across all European employees in our study uses an impressive 594
cloud services, including 101 collaboration services, 38 development services, 38 IT
management services, and 22 content sharing services. While their behavior may be
done with good intentions, unchecked cloud usage can also expose European
organizations to risk.
[Figure: The most prolific cloud user in Europe. At work this employee uses 594 cloud services, including 101 collaboration and 38 development services; content sharing and IT management services are also shown. High-risk services: 17.8%, against an industry average of 5.6%.]
HEAD IN THE CLOUDS
Chances are, most of the services in use by this individual are not known by the IT
department. Out of the 594 services, 106 are high-risk, compared to 5.6% across all
cloud services globally. These services are often considered high-risk because they lack
security controls, have onerous terms and conditions that claim ownership of uploaded
data, or are hosted in high-risk countries without strong data protections. Among the
high-risk services in use by this cloud collector are CodeHaus, a service that is used to
store source code, DiffNow, a service used to highlight differences between 2 files, and
DocumentCloud, a service used to share text documents like contracts.
The European Union (EU) has taken a lead in data privacy since 1995 and every EU
member country has a regime that defines data protection legislation for the
country. The EU is also strengthening the existing laws with expectations of a new Data
Protection Regulation being agreed upon by the end of 2015.
One of the areas covered by the existing directive and new regulation is where data on
European individuals can be transferred. Except in exceptional circumstances, data on
individuals should stay in Europe, the European Economic Area, within countries with
“equivalent data privacy regulations” or within U.S. services that have signed up for the
U.S. government’s Safe Harbor agreement.
Skyhigh’s global cloud registry tracks over 12,000 cloud services. We found that 14.3%
of cloud providers store data inside the EU, 3.6% are in countries with equivalent
data protection and 17.1% are U.S.-hosted and have signed up for the Safe Harbor
regulations—this means that 64.9% are not safe for EU data. While the gap between
European data privacy requirements and the reality of cloud services in use today is
substantial, it is shrinking. In Q4 of 2014, 74.3% of services were not suitable to host
EU data.
SAFE STORAGE FOR EUROPEAN DATA
[Figure: A Safe Place for EU Personal Data. European companies are using many cloud services that do not meet data residency requirements.]
Hosted in the EU: 14.3%
Hosted in country with equivalent privacy: 3.6%
US hosted with Safe Harbor: 17.2%
Cloud services that should not hold EU data: 64.9%
THE CLOUD NEVER SLEEPS
Flexible working has probably been one of the significant changes in the last decade,
balancing home life and work life to the benefit of both the employee and employer.
One aspect of this is the amount of work being conducted during what would normally
be considered weekends. We analyzed usage by day of the week and found European
employees are most prolific in cloud usage on Fridays, while cloud usage for their
American counterparts peaks on Tuesdays and declines the remainder of the week.
However, weekend usage did not fully drop to zero, reminding IT departments that
there may be risks around the clock, as risk to the organization doesn’t
stop for the weekend.
[Figure: Cloud Usage by Day of Week. Percentage of cloud usage for each day of the week]
Mon.: 14.6%
Tues.: 18.4%
Wed.: 15.0%
Thurs.: 18.0%
Fri.: 19.5%
Sat.: 6.8%
Sun.: 7.8%
From the perspective of a software company, developing a cloud service is very different
from software installed by the customer. The cloud has freed developers to reimagine
enterprise software with delightful user experiences, innovative new features, and access
from mobile devices. With faster release cycles and updates that occur immediately
across all customers, cloud applications are not only more cost effective to manage,
they’re often first to market with innovative features. That’s why an increasing number
of European organizations are deploying the top enterprise cloud services – not because
they’re the best cloud version available but because they are the best software available,
period. That’s also why we wanted to look at the top services based on user count.
THE TOP CLOUD SERVICES
TOP 20 ENTERPRISE CLOUD SERVICES in Europe
1. Microsoft Office 365
2. Salesforce
3. Oracle RightNow
4. Cisco Webex
5. ServiceNow
6. Oracle Taleo
7. Box
8. Jive
9. Concur
10. Zendesk
11. Workday
12. ADP
13. SAP Human Capital Management
14. SAS OnDemand
15. SuccessFactors
16. Yammer
17. GoToMeeting
18. Blue Jeans
19. NetSuite
20. OpenText BPM
Consumer-grade cloud services today are so good that they can easily rival enterprise
software. It’s no wonder then, that employees bring cloud services to work in order to do
their jobs better. However, these services can also increase organizational risk. In order to
exfiltrate sensitive data undetected, cyber criminals deploy an array of sophisticated kill
chains that leverage consumer cloud services. Skyhigh has detected attacks using Twitter
to exfiltrate data 140 characters at a time and another that encoded stolen data into
videos that were uploaded to YouTube.
TOP 20 CONSUMER CLOUD SERVICES at work in Europe
1. Facebook
2. LinkedIn
3. Flickr
4. YouTube
5. Twitter
6. Dropbox
7. Pinterest
8. Gmail
9. Vimeo
10. StumbleUpon
11. Tumblr
12. Instagram
13. Google Drive
14. Yahoo! Mail
15. VK
16. SlideShare
17. Spotify
18. Evernote
19. Skype
20. Xing
ABOUT SKYHIGH NETWORKS
Skyhigh Networks, the cloud security and enablement company, helps enterprises
safely adopt cloud services while meeting their security, compliance, and governance
requirements. Over 400 enterprises including Aetna, Cisco, DIRECTV, HP, and Western
Union use Skyhigh to gain visibility into all cloud services in use and their associated
risk; analyze cloud usage to identify security breaches, compromised accounts, and
insider threats; and seamlessly enforce security policies with encryption, data loss
prevention, contextual access control, and activity monitoring. Headquartered in
Campbell, Calif., Skyhigh Networks is backed by Greylock Partners, Sequoia Capital,
and Salesforce.com. For more information, visit us at www.skyhighnetworks.com,
and follow us on Twitter @skyhighnetworks.