Amid reports that federal agencies continue to lag behind on cloud adoption, a new report revealed that federal employees are increasingly adopting cloud services on their own, creating shadow IT—the use of IT solutions and systems within an organization without authorization.
Cloud security company Skyhigh Networks released its new Cloud Adoption & Risk in the Government Report earlier this week, based on data from 200,000 public sector employees in the United States and Canada.
The Q1 report revealed that shadow IT is prevalent in the public sector, with estimates that shadow cloud services are 20 times more prevalent than sanctioned cloud services. In fact, the average public sector organization now uses 742 cloud services, a number 10 to 20 times higher than IT departments thought they were using.
“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks, in a statement.
As Homeland Security Today previously reported, although government agencies understand the benefits of migrating services to the cloud, nearly three quarters of federal cloud users remain wary of fully committing to cloud computing, according to MeriTalk, a public-private partnership focused on improving the outcomes of government IT.
That being said, many federal employees are turning to their own cloud services.
According to the Q1 report, strict security requirements and lengthy procurement times are among the major factors driving federal employees to find their own cloud solutions. A 2013 report by MeriTalk revealed that 54 percent of federal IT executives say their agency is not able to acquire IT resources in a timely manner, with upgrades taking an average of 31 months to complete.
Although use of shadow IT often stems from good intentions and not malicious behavior, federal employees using shadow cloud services may be creating significant security gaps within their organization. The Q1 report found that 96.2 percent of public sector organizations have users with compromised identities and, at the average agency, 6.4 percent of employees have at least one compromised credential.
“At the time of our analysis, we found that some accounts had been updated with new passwords, while many others remained active with compromised identities,” the report stated. “The availability of stolen credentials online is widespread. Anecdotally, we identified one US cabinet-level department with a staggering 55,080 compromised identities.”
Furthermore, the average public sector employee uses 16.8 cloud services, including social media and file sharing tools, and their movements are tracked by an average of 2.7 ad and analytics services, opening the gates to a watering hole attack.
In addition, although just 7 percent of IT security professionals at public sector organizations indicated their agency had experienced an insider threat, Skyhigh Networks’ analysis of the anomaly data found 82 percent of public sector organizations had behavior indicative of an insider threat.
While the massive leak of classified information by the notorious former defense contractor Edward Snowden brought awareness of the insider threat to the forefront, many organizations continue to operate on the assumption that the insider threat is rare.
“Your organization may worry about a similar malicious insider leaking data to the media, but more often than not, insider threats are quiet and tend to fly under the radar,” the report stated. “While not all insider threats involve leaking data to the media, the risk of malicious and careless insiders is much higher than previously believed.”
Under the Federal Information Technology Acquisition Reform Act (FITARA), federal CIOs must oversee sanctioned cloud services as well as shadow IT, putting pressure on CIOs to ensure the organization’s cloud services are in line with federal security requirements, such as the Federal Risk and Authorization Management Program and Federal Information Security Management Act, while not impeding acceleration towards cloud adoption.
“Federal requirements such as FedRAMP, FISMA, Federal Information Processing Standard 140-2, and FITARA help to mitigate risk through stringent controls, but they are not sufficient,” said Kamal Shah, VP of products and marketing at Skyhigh Networks. “Agencies will need solutions that provide unparalleled visibility and risk assessment, usage and threat analytics, and seamless policy enforcement so that they can confidently take advantage of the cloud to fulfill their mandates.”
To counter the potential security risks posed by shadow IT, Shah suggests that federal CIOs utilize solutions, like those offered by Skyhigh Networks, to help discover all of the cloud services in use within their organization and also provide detailed risk ratings for each cloud service, enabling IT departments to quickly understand the risks to their agency.
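As an added illustration of the discovery step described above (this is not code from the report or from Skyhigh's product), the snippet below runs a minimal shadow-cloud discovery pass over a few constructed web-proxy log lines: each destination host is matched against a hypothetical service catalog carrying a risk rating and a sanctioned flag, and usage is aggregated per service so that unsanctioned, high-risk services stand out. The log format, the catalog entries and all domain names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real data): timestamp, user, destination host, bytes uploaded
SAMPLE_PROXY_LOG = """\
2015-03-02T09:14:05Z alice fileshare-example.com 524288
2015-03-02T09:15:41Z bob sanctioned-storage.example.gov 2048
2015-03-02T09:16:02Z alice sanctioned-storage.example.gov 4096
2015-03-02T10:01:17Z carol notes-app-example.net 1024
2015-03-02T10:02:55Z dave fileshare-example.com 1048576
2015-03-02T10:05:13Z erin ads-tracker-example.com 256
2015-03-02T11:30:00Z bob cdn.fileshare-example.com 8192
"""
# Hypothetical catalog: domain suffix -> (service name, category, risk 1-10, sanctioned?)
SERVICE_CATALOG = {
    "fileshare-example.com": ("FileShare Example", "file sharing", 8, False),
    "sanctioned-storage.example.gov": ("Agency Storage", "file sharing", 2, True),
    "notes-app-example.net": ("Notes Example", "collaboration", 6, False),
    "ads-tracker-example.com": ("Ad Tracker Example", "ads/analytics", 7, False),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def lookup_service(host):
    """Match a destination host to a catalog entry by domain suffix, so cdn.x.com maps to x.com."""
    host = host.lower()
    for suffix in SERVICE_CATALOG:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def discover_cloud_services(log_text, risk_threshold=5):
    """Return per-service usage: distinct users, bytes uploaded, and a shadow-IT/high-risk flag."""
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        _ts, user, host, nbytes = m.groups()
        key = lookup_service(host)
        if key is None:
            continue  # uncatalogued destination: leave it for manual review
        usage[key]["users"].add(user)
        usage[key]["bytes_up"] += int(nbytes)
    report = {}
    for key, stats in usage.items():
        name, category, risk, sanctioned = SERVICE_CATALOG[key]
        report[name] = {"category": category, "risk": risk, "sanctioned": sanctioned,
                        "user_count": len(stats["users"]), "bytes_up": stats["bytes_up"],
                        "shadow_high_risk": (not sanctioned) and risk >= risk_threshold}
    return report
```

In practice the catalog would hold thousands of services and the log feed would come from the agency's proxy or firewall, but the aggregation is the same: unsanctioned services with many users or large upload volumes are the ones to review first.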
In addition, public sector entities need to enable IT-sanctioned cloud services by implementing data security controls. For example, IT departments need to encrypt data with agency-controlled keys or tokenize data before it is uploaded to the cloud – making data indecipherable to any third parties.
Overall, federal CIOs need to look at shadow IT as an opportunity to gain insight into their organization, rather than simply as a threat.
“Instead of seeing shadow IT as a threat, Federal CIOs should see shadow IT as an opportunity to leverage employees to identify the applications they want to use so that their IT departments can enable the ones that have gained traction and are enterprise-ready,” Shah said.