A large U.S. cable television company recently sought to better understand how its employees were using cloud apps to stay productive. Management had an inkling that workers routinely used about a dozen or more cloud file sharing and collaboration apps.
An assessment by CipherCloud showed the employees actually were using 204 cloud services that posed a security risk: 78 cloud storage apps and 126 collaboration apps, many of which included file-sharing functions.
Emerging risk: A major concern for the cable company was that sensitive information about customers and employees could leak unnoticed beyond its network perimeter.
Free cloud file storage makes it convenient to share data quickly and widely. The company learned that sensitive files had been moved into folders accessible to people who should not have had access to the information.
Wider implications: Like many organizations, the cable company routinely stores customer transactions data as well as employee healthcare data covered by HIPAA privacy rules. The rising use of free Web apps by employees has created many more opportunities for data leakage and could lead to sanctions and fines – or, worse, an embarrassing, expensive data breach.
The cable company set up sanctioned accounts with a popular cloud storage service-Box-for employees to use. It also has begun examining other steps it can take to impose tighter controls around sensitive company records.
Excerpts are from ThirdCertainty’s interview with Willy Leichter of CipherCloud. (Answers edited for length and clarity.)
3C: Can you outline how the rising use of cloud apps in the workplace is creating security issues?
Leichter: A typical process is one person sends you something from a Dropbox account, and suddenly you become a Dropbox user. Or, often, departments will say, “OK, we’re going to use Dropbox or Hightail for this particular project,” and it kind of grows department by department. It grows virally.
The challenge is the very nature of the whole file-sharing world. It’s like Swiss cheese. It’s designed to be very easy to share and to open up public links and to let another person in.
That’s where this cable company approached us. They had about a dozen different things they knew about and wanted to standardize.
3C: You found a lot more than a dozen cloud apps in use.
Leichter: We found well over 1,000 cloud apps, what we call shadow IT apps, that they were using. We have about 20 different categories of such apps; it could be software development tools, or it could be social tools. In one category, file-sharing tools, we found more than 120 apps. This one category is probably the most actionable category because file sharing involves sending people documents.
3C: How did this discovery help the cable company?
Leichter: They were trying to do two things. They were trying to standardize on two or three different file-sharing services and use monitoring tools on them. And they also wanted to shut down the worst offenders, which you can do easily enough.
3C: In general, what kinds of malicious or worrisome activity are you seeing in shadow IT?
Leichter: It’s kind of a spectrum. Officially sanctioned apps are being scanned in real time, using tools we and others make. That’s kind of a new world. We can give you all kinds of detail about who’s using all these apps. Then there’s the other 90% of the apps in shadow IT.
Anomalies can be where someone is sending huge amounts of files to some strange apps. Or someone is downloading stuff they shouldn’t be at two in the morning. Or it could be multiple people using the same account from different IP addresses. Someone is logging in from San Jose and then an hour later they’re logging in from Beijing. You can spot a lot of these and take steps to shut them down.
3C: What else surprised the cable company?
Leichter: One of the things they learned is why people were doing this. For the most part, it was because the company wouldn’t pay for them to use an account. So they were account hopping from one freebie to the next. It was because people just did not want to pay for stuff.
So now the company is trying to steer people to use better practices through outreach and education. And it also is buying them accounts.