Cloud service providers talk a lot about their security and are beefing it up. But a new report shows that progress is painfully slow, with most not adopting best practices.
The number of cloud services that support multifactor authentication doubled in 2014, says the latest quarterly study by Skyhigh Networks, which sells security solutions to cloud providers. But that accounted for only 17 per cent of the 10,000 cloud services tracked in the fourth quarter of 2014.
Eleven per cent of all services studied in the quarter (1,802) encrypt data at rest, a significant increase from 470 in the same period in 2013. Still, despite the large number of data breaches reported last year, that means not even half of cloud providers encrypted data by the end of the year.
Similarly, only five per cent of cloud providers studied held ISO 27001 information security management certification. That was up greatly from Q4 2013.
More significantly, the report concluded that over 89 per cent of the cloud services studied lack basic security capabilities required by enterprises.
Asked in an interview why encryption adoption is so slow, Kamal Shah, Skyhigh’s vice-president of products and marketing, admitted that “a lot of people don’t think it’s a priority.” The biggest challenge with encryption is the application has to be smart enough to decrypt the data, he added. It has to deal with search and sorting when data is encrypted. The technology is only now “coming to the forefront,” he said.
The conclusions came from examining anonymized logs of Skyhigh customers, which include 350 enterprises and 15 million users. The full report is here.
The average company used 897 cloud services in Q4, up from 626 in the same period in 2013. Development services such as GitHub, SourceForge, etc. experienced the largest rate of growth at 97 per cent. The second fastest-growing category was collaboration (like Microsoft Office 365, Gmail), which grew 53 per cent over 2013.
Thirty-seven per cent of employees upload sensitive data to file sharing services, the report also said, and 22 per cent of all files uploaded to file sharing services contained sensitive data. Beyond file sharing, four per cent of fields in other critical business applications such as CRM contain sensitive personally identifiable information or health information, data subject to regulatory compliance.
The vast majority of companies studied have users with at least one stolen login credential, and the average company had 12 per cent of users affected. Assuming 31 per cent of passwords are reused across Web sites and applications, stolen login credentials “pose significant risk to corporate data,” the report concluded.