As more and more services become available on the internet, controlling so-called shadow IT — the use of unapproved applications within an organization — becomes more challenging. Cloud services are consumed through browsers, so employees need no longer install rogue software on their own work computers to do damage.
Certainly organizations can forbid employees to access certain sites. According to a new study from cloud-security firm Skyhigh Networks, among the services most frequently banned are three PDF converters, an image resizer, two BitTorrent services (frequently used to share pirated movies, music and software) and a service for anonymous sharing of files.
Conversely, OneDrive, Salesforce and SharePoint Online are the three cloud-based services most frequently approved by corporate IT departments.
Forbidding apps is one thing, and blocking their use is a step beyond that. But even blocking, through a firewall or a proxy infrastructure, doesn’t work reliably. That’s because cloud services frequently introduce new URLs and IP addresses, access policies aren’t consistent within an organization and exceptions are too numerous. For example, surveyed IT security staffers said they thought their blocking rate for anonymous content-sharing service Pastebin was 66.7 percent, but it was really only 7.1 percent.
Among organizations, the five most-used online services were OneDrive, Exchange Online, Salesforce, SharePoint Online and Yammer. For individuals, they were Facebook, Twitter, YouTube, LinkedIn and Pinterest. Those growing fastest in usage were grammar-checker Grammarly, business-software guide Capterra and travel site Boxever.
Fewer than half of cloud-service providers specify that customers own the data they upload. The rest either claim ownership over all data uploaded or don’t refer to data ownership in their terms and conditions. An even smaller number delete data immediately on account termination, with the remainder keeping data up to one year or even claiming the right to maintain copies of data indefinitely. Very few cloud-service providers commit to refrain from sharing data with third parties, such as advertisers or governments, unless under a legal order.
Skyhigh says it analyzed aggregated, anonymized cloud-usage data for over 30 million users worldwide to produce its study.