Live data used to highlight cloud-based risks

Later this week, SaaS security firm Adallom will release a report based on data collected from their own customers.

The research covers an entire year, from October 2013 to 2014, and highlights a number of risks, including some directly attributable to the spooky-sounding scenario called Shadow IT.

The data is interesting, because it highlights a number of common issues within IT. They’re small things on their own, but when combined these problems can fuel headaches and heartburn.

For the record, Adallom based their report on data collected for more than one million SaaS users of Google Apps, Salesforce, Box, and Office 365, which helps put some perspective on the figures.

One of the first things in the report to stand out is the data point that 11 percent of the SaaS accounts Adallom monitors are assigned to inactive users. The impact is simple; firms that are paying per-seat on a given account are simply wasting money.

It’s easy to dismiss this observation, until you consider the Salesforce1 Platform is $25 per user. In that case, waste related to that 11 percent translates into roughly $2.75 million per month. On Office 365, the waste would translate to $1.52 million per month, assuming the user was tied to the Business Premium plan.

Wasted financial resources aren’t the only stat from the report related to idle accounts.

Of the clients monitored by Adallom, 80 percent of them have at least one former employee with valid SaaS credentials.

This problem has existed for years. While the perfect scenario would see access revoked the day a person leaves the company, the reality is that IT has other things to do, so credentials remain active for weeks or months, sometimes they’re never revoked.

Adding to this is the fact that for every 100 users on a SaaS account, seven of them were administrators. Adallom didn’t comment on how many of those admin accounts were idle or no longer with the company, but the odds are good that some of them are.

Moreover, when IT provisions people as Admins on an account, they often lose the ability to monitor the things they do (most admin accounts are exempt from various levels of monitoring), which enables unknown or unauthorized tasks and functions – otherwise known as Shadow IT.

The point being, it’s best to limit user access controls and access to the functions needed by the individual and avoid blanket settings.

Not too long ago, I wrote a story about an FBI memo warning organizations about unintentional data leaks due to creative Google searches.

The FBI’s concern focused on sensitive information that was available on not only the organization’s own network, but also related documents that could be found off their network as well.

Adallom, discovered some things that are related in their user group, including the fact that they share files with 393 external domains on average, and that five percent of an organization’s files are publicly available.

Adding to that is the point that nearly 30 percent of the employees that were part of the research shared an average of 98 corporate files with a personal email account.

Inadvertent data leaks are always going to be a problem in one for or another as organizations leverage public clouds. However, this problem can be managed, but only if security teams address it.

According to a recent Forrester study, most of the participants said that existing security controls were effective in protecting digital assets.

The problem is, that the participants named their Firewall is the control that best supported their reasoning, and if the user is granted access to the application, a firewall isn’t going to stop many of the problematic actions they’re likely to take.