Shadow IT is prevalent in government agencies

Despite clear benefits of cloud services – greater collaboration, agility, and cost savings – federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect, say the results of Skyhigh Networks’ Q1 2015 “Cloud Adoption & Risk in the Government Report.”

Despite the security initiatives in place – such as FedRAMP, FISMA, and FITARA – many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding shadow IT

The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7 percent of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82 percent of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3 percent achieved the highest CloudTrust Rating of Enterprise Ready. Only 10 percent of cloud services encrypt data stored at rest, 15 percent support multi-factor authentication, and 6 percent have ISO 27001 certification.

Password insecurity

Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31 percent of passwords are used in multiple places. This means that for 31 percent of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37 percent of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The report – based on data from 200,000 public sector employees in the United States and Canada – reveals that 96.2 percent of public sector organizations have users with compromised credentials and, at the average agency, 6.4 percent of employees have at least one compromised credential.

Cloud services in the public sector

Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services – such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration service, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services – the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:

1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
5. SAP ERP
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:

1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations.”