Shadow Cloud Services a serious risk for Government Networks

Cloud Security Alliance revealed that shadow cloud service used by employees and unmanaged by IT can pose a major security problem for organizations.

Last month, Cloud Security Alliance found out that shadow cloud service used by employees and unmanaged by IT can pose a major security problem for organizations.

Based on the survey, mostly half of respondents have stated that their main fear relates to the violations of corporate data in the cloud.  The threat posed by shadow cloud services is critical, it has serious repercussions on data security, business continuity and regulatory compliance. Security analysts have warned about how the growing use of a collection of web services, including cloud-hosted collaboration, file sharing, storage and social media services, that can expose to data leakages and data breaches company data leaks. The adoption of shadow cloud services is among the causes that can result in data exfiltration, malware infections and compliance problems.

Skyhigh Networks has recently conducted a survey that involved 200,000 employees working for organizations in the public sector based in U.S and Canada.  The study found out that there is some 721 cloud service operation running inside government organizations, but the IT departments are aware only for the eight percent of them.

Shadow cloud services represent a serious risk to both government organizations and private companies.

 “The past few years have marked a paradigm shift in IT’s role, from provider to enabler. This survey, the largest of its kind, illustrates that companies are aware of the consumerization of IT but have room to more proactively address the security concerns of cloud adoption” said Rajiv Gupta, CEO of Skyhigh.

Microsoft’s Office 365, Yammer and Hotmail were among the most popular collaboration services used by the employees working in the public sector.

The most commonly accessed file-sharing services included Dropbox, Box, Hightail and Google Drive, these cloud services are used by employees to store sensitive data a behavior that enlarge surface of attack for government organizations.

The experts explain that also social media platforms and cloud-hosted collaboration platforms could expose government entities to cyber attacks id not properly managed.

According to Skyhigh the most popular social media services included Facebook, Twitter, LiveJournal and LinkedIn, meanwhile development services like GitHub and SourceForge are used by almost the totality of employees.

In some cases, the use of these services was approved by IT, but while in many other cases they were not with a significant impact on the security posture of the organizations.

“Government organizations tend to think of themselves as somehow different,” from private companies on the security front, said Rajiv Gupta.  “What we found is there is as much risk of shadow IT in government as any other organization. People are people. They want to do things more efficiently.” In many cases, cloud services help them do that, with or without the IT organization’s help, he says.

It is very interesting to note that government IT has no idea of the shadow cloud services used by employees, this assertion is confirmed by data related to the apparent gap that exists between the perceived use of such services within public sector organizations and their actual use.

“For instance, when IT managers were asked to estimate DropBox use within their organizations, the average number tended to be around 16 percent. Actual use was much higher at 80 percent. Similarly, the gap between perceived and actual use of Apple’s iCloud was a remarkable 42 percent.” reports the Dark Reading in a blog post.

The data presented demonstrates that government IT has to improve the management of internal services with a specific focus on shadow cloud services.

Pierluigi Paganini

(Security Affairs –  Shadow cloud service, Government IT)