
Loss or Theft of Intellectual Property

Employees are increasingly using cloud apps for work without IT approval, known as shadow IT or BYOC. A survey found that the average company uses 923 cloud services, but IT often does not know which ones or what data they contain. Top risks of BYOC include loss of intellectual property if cloud services are breached, non-compliance with regulations, and loss of control over employee actions in the cloud putting sensitive data at risk. Revenue losses can also result if data breaches lead to decreased customer trust and churn.

In the last few years, there has been an explosion of new apps that help people be
more productive. Employees are bringing these apps to work with them to do their
jobs more efficiently. While forward-thinking companies recognize the benefits of the
bring your own cloud (BYOC) movement for their organizations, you may have heard
of it referred to by the more ominous title of “shadow IT”. In most cases, shadow IT
starts with good intentions. Employees use apps that help them be better at their jobs,
unaware of the risks that storing corporate data in unsecured apps can have. Skyhigh
analyzed cloud usage of 18 million employees and found the average company uses
923 cloud services.
Surveying 409 IT and security leaders, the Ponemon Institute report The Insider
Threat of Bring Your Own Cloud (BYOC) investigated the risk of cloud services. The
survey revealed that many respondents don’t have any idea how pervasive the
problem of BYOC is within their own organization. They don’t know what
applications and cloud services workers are using, and, worse, they don’t know what
information is exposed, where it is going, and with whom it is being shared. Here are
the top risks of BYOC, as identified by respondents in the survey. Some of these risks
are linked to weak cloud security measures of the services, such as storing data
without controls such as encryption, or lack of multi-factor authentication to access
the service.
1. Loss or theft of intellectual property

Companies increasingly store sensitive data in the cloud. An analysis by Skyhigh
found that 21% of files uploaded to cloud-based file sharing services contain sensitive
data including intellectual property. When a cloud service is breached, cyber criminals
can gain access to this sensitive data. Absent a breach, certain services can even pose
a risk if their terms and conditions claim ownership of the data uploaded to them.
2. Compliance violations and regulatory actions
These days, most companies operate under some sort of regulatory control of their
information, whether it’s HIPAA for private health information, FERPA for
confidential student records, or one of many other government and industry
regulations. Under these mandates, companies must know where their data is, who is
able to access it, and how it is being protected. BYOC often violates every one of
these tenets, putting the organization in a state of non-compliance, which can have
serious repercussions.
3. Loss of control over end user actions
When companies are in the dark about workers using cloud services, those employees
can be doing just about anything and no one would know—until it’s too late. For
instance, a salesperson who is about to resign from the company could download a
report of all customer contacts, upload the data to a personal cloud storage service,
and then access that information once she is employed by a competitor. The preceding
example is actually one of the more common insider threats today.
4. Malware infections that unleash a targeted attack
Cloud services can be used as a vector of data exfiltration. Skyhigh uncovered a novel
data exfiltration technique whereby attackers encoded sensitive data into video files
and uploaded them to YouTube. We’ve also detected malware that exfiltrates
sensitive data via a private Twitter account 140 characters at a time. In the case of the
Dyre malware variant, cyber criminals used file sharing services to deliver the
malware to targets using phishing attacks.
5. Contractual breaches with customers or business partners

Contracts among business parties often restrict how data is used and who is authorized
to access it. When employees move restricted data into the cloud without
authorization, the business contracts may be violated and legal action could ensue.
Consider the example of a cloud service that maintains the right to share all data
uploaded to the service with third parties in its terms and conditions, thereby
breaching a confidentiality agreement the company made with a business partner.
6. Diminished customer trust
Data breaches inevitably result in diminished trust by customers. In one of the largest
breaches of payment card data ever, cyber criminals stole over 40 million customer
credit and debit card numbers from Target. The breach led customers to stay away
from Target stores, and led to a loss of business for the company, which ultimately
impacted the company’s revenue. See number 9 below.
7. Data breach requiring disclosure and notification to victims
If sensitive or regulated data is put in the cloud and a breach occurs, the company may
be required to disclose the breach and send notifications to potential victims. Certain
regulations such as HIPAA and HITECH in the healthcare industry and the EU Data
Protection Directive require these disclosures. Following legally-mandated breach
disclosures, regulators can levy fines against a company and it’s not uncommon for
consumers whose data was compromised to file lawsuits.
8. Increased customer churn

If customers even suspect that their data is not fully protected by enterprise-grade
security controls, they may take their business elsewhere to a company they can trust.
A growing chorus of critics is instructing consumers to avoid cloud companies that
do not protect customer privacy.
9. Revenue losses

News of the Target data breach made headlines and many consumers stayed away
from Target stores over the busy holiday season, leading to a 46% drop in the
company’s quarterly profit. The company estimated the breach ultimately cost $148
million. As a result, the CIO and CEO resigned and many are now calling for
increased oversight by the board of directors over cyber security programs.
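The visibility gap the survey describes, and the departing-salesperson scenario in risk 3, are both things a web proxy log can surface. The following is an added example, not part of the original article: it inventories which cloud services are in use and flags large uploads to services outside an allow-list. The log format, host names, allow-list and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed allow-list, threshold and proxy log lines (assumptions, not from the article).
SANCTIONED = {"files.corp-approved.example"}
UPLOAD_LIMIT = 5_000_000  # bytes sent per user per unsanctioned host

SAMPLE_LOG = """\
2024-03-01T09:14:02Z alice POST files.corp-approved.example 7340032
2024-03-01T09:20:41Z bob GET personal-drive.example 0
2024-03-01T17:52:10Z carol POST personal-drive.example 4194304
2024-03-01T17:53:37Z carol PUT personal-drive.example 3145728
2024-03-01T18:01:00Z dave POST notes-app.example 2048
garbled line without enough fields
"""

def parse(line):
    """Return (user, method, host, bytes_sent) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _ts, user, method, host, sent = parts
    return user, method.upper(), host.lower(), int(sent)

def analyze(log_text, sanctioned=SANCTIONED, limit=UPLOAD_LIMIT):
    users_by_host = defaultdict(set)   # inventory: service -> users seen
    uploaded = defaultdict(int)        # (user, host) -> bytes sent out
    skipped = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1               # count, do not silently drop, bad lines
            continue
        user, method, host, sent = rec
        users_by_host[host].add(user)
        if host not in sanctioned and method in ("POST", "PUT"):
            uploaded[(user, host)] += sent
    unsanctioned = {h: sorted(u) for h, u in users_by_host.items()
                    if h not in sanctioned}
    alerts = sorted((u, h, n) for (u, h), n in uploaded.items() if n >= limit)
    return unsanctioned, alerts, skipped

if __name__ == "__main__":
    inventory, alerts, skipped = analyze(SAMPLE_LOG)
    print("unsanctioned services:", inventory)
    print("upload alerts:", alerts)
    print("malformed lines skipped:", skipped)
```

Summing bytes per user and host, rather than checking each request against the threshold, is what catches an upload split across several smaller requests.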
More and more, small businesses are moving to cloud computing, signing up with
private providers that make sophisticated applications more affordable as well as
setting up their own accounts with public social media sites like Facebook. The trend
is confirmed by Microsoft in its global SMB Cloud Adoption Study 2011, which
found that 49 percent of small businesses expect to sign up for at least one cloud
service in the next three years.
Private and public clouds function in the same way: Applications are hosted on a
server and accessed over the Internet. Whether you’re using a Software as a Service
(SaaS) version of customer relationship management (CRM) software, creating offsite
backups of your company data, or setting up a social media marketing page, you’re
trusting a third-party company with information about your business and, most likely,
your customers.
Although cloud computing can offer small businesses significant cost-saving
benefits—namely, pay-as-you-go access to sophisticated software and powerful
hardware—the service does come with certain security risks. When evaluating
potential providers of cloud-based services, you should keep these top five security
concerns in mind.
1. Secure data transfer. All of the traffic travelling between your network and
whatever service you’re accessing in the cloud must traverse the Internet. Make sure
your data is always travelling on a secure channel; only connect your browser to the
provider via a URL that begins with “https.” Also, your data should always be
encrypted and authenticated using industry standard protocols, such as IPsec (Internet
Protocol Security), that have been developed specifically for protecting Internet
traffic.
2. Secure software interfaces. The Cloud Security Alliance (CSA) recommends that
you be aware of the software interfaces, or APIs, that are used to interact with cloud
services. “Reliance on a weak set of interfaces and APIs exposes organizations to a
variety of security issues related to confidentiality, integrity, availability, and
accountability,” says the group in its Top Threats to Cloud Computing document.
CSA recommends learning how any cloud provider you’re considering integrates
security throughout its service, from authentication and access control techniques to
activity monitoring policies.
3. Secure stored data. Your data should be securely encrypted when it’s on the
provider’s servers and while it’s in use by the cloud service. In Q&A: Demystifying
Cloud Security, Forrester warns that few cloud providers assure protection for data
being used within the application or for disposing of your data. Ask potential cloud
providers how they secure your data not only when it’s in transit but also when it’s on
their servers and accessed by the cloud-based applications. Find out, too, if the
providers securely dispose of your data, for example, by deleting the encryption key.
4. User access control. Data stored on a cloud provider’s server can potentially be
accessed by an employee of that company, and you have none of the usual personnel
controls over those people. First, consider carefully the sensitivity of the data you’re
allowing out into the cloud. Second, follow research firm Gartner’s suggestion to ask
providers for specifics about the people who manage your data and the level of access
they have to it.
5. Data separation. Every cloud-based service shares resources, namely space on the
provider’s servers and other parts of the provider’s infrastructure. Hypervisor software
is used to create virtual containers on the provider’s hardware for each of its
customers. But CSA notes that “attacks have surfaced in recent years that target the
shared technology inside Cloud Computing environments.” So, investigate the
compartmentalization techniques, such as data encryption, the provider uses to
prevent access into your virtual container by other customers.
