Datacenter- and IT-security bosses have gotten over most of the knee-jerk tendency to reject and block cloud-based apps bought by end users rather than approved by IT, but that doesn’t mean they always deal rationally with the involuntary insertion of cloud into the datacenter.
Rather than investigate, security-check and approve or reject Software-as-a-Service (SaaS) or other cloud-based apps their end users actually buy, many organizations just block the SaaS apps they know about or dislike, without really knowing which pose a security risk and which don’t, according to a study released by cloud-service security vendor SkyHigh Networks.
The average number of cloud-based apps or services at SkyHigh’s large corporate customers is 545, according to the study, which was based on usage data pulled from the logs of more than 100 SkyHigh corporate customers, which represent a combined total of 3 million end users.
The data showed a total of 2,204 cloud-based services in use, though the highest number in use by a single company was 1,769.
Cloud-based apps allowed to pass through external firewalls into user territory, and especially those that interact directly with data or applications within the datacenter, could definitely be used as a vector for attack on the datacenter itself, according to the SkyHigh usage analysis.
Not all apps or types of traffic present the same amount of risk, however. To create effective security policies, internal IT specialists should understand the type of traffic produced by specific applications, know which pose the greatest threat, and respond with policies specific to that threat rather than in ways that could apply to any networked application, the SkyHigh report concluded.
What usage data showed, however, was that corporate security policies appear to be based on characteristics other than the specific level of risk – how popular a particular cloud application might be, or how well-known it is to security staff.
Web services whose only purpose is to track the online activity of end users, effectively following them back through the firewall to collect more data on their activities through the use of persistent or flash cookies, have no redeeming qualities from a corporate-security perspective. Yet those services are blocked at only 9 percent of companies in the study, according to SkyHigh.
Of the services most often blocked, few appear to pose a threat except to productivity levels of end-user employees – a decision that would be made by business-unit managers rather than security managers.
Of the 10 most-blocked Web services, four appear to pose only a threat to productivity, (Netflix, Foursquare, Batanga, PhotoBucket), four are commonly used for legitimate work functions (Amazon Web Services, KISSmetrics, Gmail) and the remaining three could be either one, depending what files or fellow employees are involved in a particular exchange (Apple iCloud, Skype, Dropbox).
Many cloud apps are blocked based on the concern among business-unit-managers that allowing some cloud apps would distract employees and bring down productivity levels, not create a data breach, according to SkyHigh.
Services from safe sources or that are rarely used for attacks are blocked 40 percent more often than those that typically pose a higher risk, the report showed.
Study participants used a total 19 file-sharing services, for example. Box, which SkyHigh rates as the safest of the 19 file-sharing services used, is blocked at 35 percent of corporate customers. Rapidgator, a similar service considered to be a higher risk for malware or questionable content, on the other hand, is blocked by only 1 percent of companies.
Cloud-based apps and environments are not inherently less safe than corporate datacenter, according to the March 2013 version of a semi-annual cloud-security evaluation from SaaS security developer AlertLogic.
Corporate datacenters, in fact, were attacked more often than cloud-hosting service providers, and were attacked using more sophisticated, persistent methods that indicated attackers had picked specific datacenters as potential victims and researched their weaknesses before an attack, suggested the report. Cloud services were 10 times more likely than enterprise datacenters to see “reconnaissance” attacks – probes or queries designed to identify a site and catalog its systems and potential vulnerabilities rather than with the goal of immediate penetration.
Fifty-two percent of cloud services experienced direct attacks on Web applications within the past six months using cross-site scripting exploits, SQL injections or other attempts to compromise a specific application, according to AlertLogic’s data.
Web-application attacks tend to be directed against the service provider rather than the companies using the service, however, which only creates more confusion over what is a “safe” Web service, according to Rajiv Gupta, founder and CEO of Skyhigh Networks. “What we are seeing is that there are no consistent policies in place to manage the security, compliance, governance and legal risks of cloud services,” Gupta wrote in a statement announcing the report. “Enterprises are taking action on the popular cloud services they know of and not the cloud services that pose the great risk to their organization.”