1H 2016 Shadow Data Report Published by Elastica Cloud Threat Labs



Overview

• Shadow Data Report (Speaker: Martin Johnson, Cloud Security Expert)

• Recent Exploits Leveraging Cloud Apps and Services (Speaker: Aditya Sood, PhD, Director of Security and Elastica Cloud Threat Labs at Blue Coat)

• A Data Science Approach to Cloud Security (Speaker: Deena Thomchick, Cloud Security Expert)

1H 2016 Shadow Data Report

• Over 15K cloud apps analyzed, categorized and rated for business readiness

• Over 108M cloud docs analyzed

– Data from real world customers sharing data in popular cloud apps, such as Box, Dropbox, Google Drive and Office 365

– Data is anonymized and aggregated to protect customer confidentiality

Full report available at: www.elastica.net/1h-2016-shadow-data-report

Shadow IT: Sanctioned vs. Unsanctioned Apps

Sanctioned Apps

• Apps evaluated and approved by IT

• Typically includes popular apps like Office 365, Box, and Google Apps

Unsanctioned “Shadow IT” Apps

• Apps adopted by employees and business units without IT approval

• Often includes consumer or unsecure social or business apps

Shadow IT Controls: Why do I need it? Use Cases

“We are a global company with 40K employees around the world. As a CIO/CISO, I need visibility into the scale of shadow IT being used throughout the company to effectively plan my IT strategy.”

“As a CIO, I’m concerned that we are wasting money with users adopting multiple apps that have the same function or multiple accounts for the same app. How can I identify these inefficiencies so I can trim costs and simplify IT management?”

“My company has a lot of sensitive data stored in the cloud. As an IT manager, I need to know which users are the riskiest and may potentially leak that data.”

“As a Security Admin, I need to identify SaaS apps on my extended network that pose a risk to my company.”

Know Your Apps

Elastica tracks 15,000+ cloud apps and services shown here in 12 broad groups of app categories, by number of various apps within each category.

App Classification

Measuring App Risk: How Business Ready Is That Cloud App?

• Blue Coat assigns a Business Readiness Rating (BRR) on a scale of 1-100 to each of 15,000+ cloud apps

• BRR is based on 60+ security attributes.

Measuring App Risk: How Business Ready Is That Cloud App?

See BRR in action with our interactive widget at: http://www.elastica.net/brr-app

Measuring App Risk: General Areas of Concern

• 99% of all business apps are not appropriate for corporate use

• 95% of business apps are not SOC 2 compliant

• 11% of business apps are still vulnerable to one or more major exploits (Heartbleed, FREAK, POODLE)

• 71% of business apps do not provide multi-factor authentication (MFA)

Measuring App Risk: Finance/Telecom/Education/etc.

87% of all business apps do not adequately encrypt data at rest or in motion

• Places all sensitive data at risk, including PII, PCI and PHI

SEC Gets Tough: $1.7-9.6M compliance fines for finance, telecom and education as US SEC increases penalties for leaking PII data.

Measuring App Risk: Finance/Telecom/Education/etc.

Health Insurance Portability and Accountability Act (HIPAA)

• Mandates industry-wide standards for health care information on electronic billing and other processes

• Requires the protection and confidential handling of protected health information

50% of all business apps do not adequately protect PHI

Measuring Business Risk: Fortress Europe

General Data Protection Regulation (GDPR)

• Supersedes the Data Protection Directive “Safe Harbor” and will be enforceable starting on May 25, 2018

• Extends EU data protection law to all foreign companies processing data of EU residents.

• Standardizes data protection regulations throughout the EU

• Severe penalties of up to 4% of worldwide turnover. (The Parliament's version contains increased fines up to 5%.)

98% of all business apps are not ready for use in Europe according to the new GDPR standards*

25% fulfill some of the GDPR requirements but not enough to confidently use in the EU


Good News: Top Business Apps are Business Ready

However, most consumer apps, including some popular ones, are not.

Shadow Data

Shadow data includes all the sensitive data that is stored and shared using either sanctioned or unsanctioned apps, without the knowledge of IT.

Shadow Data Controls: Why do I need it? Use Cases

“As a VP in charge of compliance at a healthcare organization, I’m concerned that we could get hit with serious fines for HIPAA compliance violations if PHI stored in our cloud services is lost or stolen.”

“As an IT director, I need to know what types of data employees are storing in the cloud, how they are sharing it, and with whom. I also need to be able to enforce policies around the sharing of sensitive company data.”

Know Your Compliance Data: Content Classification and Use

[Chart: Content Classification and Use, with segments of 43%, 36%, 14% and 6%; the segment labels were not captured]

Know Other Sensitive Data: Content Classification and Use

Know Your Users: Accidental Over-sharing

• Alice shares a file with Bob

• Bob shares that file publicly, or shares it on other apps
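The Alice-to-Bob-to-public chain above, as an added example that is not from the report or Elastica's product: a small share-graph walk that follows re-shares of each file and reports the chains that end in a public link, an account outside the company domain, or a different app than the one the file was first shared from. The file names, users, apps and the INTERNAL_DOMAIN value are constructed for illustration.

```python
# Added example (not from the Elastica report): a minimal share-graph model that
# follows re-share chains to find files that end up public or on another app.
from collections import defaultdict, deque

# Constructed sample share events: (file_id, sharer, recipient, app).
# Recipient "public" means an anyone-with-the-link share; any address outside
# INTERNAL_DOMAIN is external. All names here are made up for the example.
SHARE_EVENTS = [
    ("quarterly-forecast.xlsx", "alice@corp.example", "bob@corp.example", "Box"),
    ("quarterly-forecast.xlsx", "bob@corp.example", "public", "Box"),
    ("patient-list.csv", "carol@corp.example", "dave@corp.example", "Google Drive"),
    ("patient-list.csv", "dave@corp.example", "dave@gmail.example", "Dropbox"),
    ("onboarding.pdf", "erin@corp.example", "frank@corp.example", "Office 365"),
]
INTERNAL_DOMAIN = "corp.example"


def is_external(recipient):
    """True for a public link or any account outside the corporate domain."""
    return recipient == "public" or not recipient.endswith("@" + INTERNAL_DOMAIN)


def exposure_chains(events):
    """Return {file: [chain, ...]} where each chain is the list of shares that
    carries the file from its first sharer to an external or public recipient,
    or onto a different app than the one it was first shared from."""
    edges = defaultdict(list)   # (file, sharer) -> list of (recipient, app)
    origin = {}                 # file -> (first sharer, first app)
    for f, src, dst, app in events:
        edges[(f, src)].append((dst, app))
        origin.setdefault(f, (src, app))
    findings = defaultdict(list)
    for f, (owner, home_app) in origin.items():
        queue = deque([(owner, [])])   # breadth-first walk over re-shares
        seen = {owner}
        while queue:
            node, path = queue.popleft()
            for dst, app in edges[(f, node)]:
                chain = path + [(node, dst, app)]
                if is_external(dst) or app != home_app:
                    findings[f].append(chain)
                if dst not in seen and not is_external(dst):
                    seen.add(dst)             # keep following internal re-shares
                    queue.append((dst, chain))
    return dict(findings)
```

Each reported chain names every hop, so a reviewer sees not only that a file is exposed but which re-share caused it.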

Malicious Employees and Hackers

Just 1.3% of employees across all organizations were responsible for all data exfiltration, destruction and account takeover incidents.

Risky Users

Good News: Users who have exhibited high risk behavior are concentrated in 12% of companies.

Bad News: Over half of all organizations with employees who exhibit high risk behavior have 10% or more of their users categorized as high risk. In 3% of companies, the vast majority of users (70% or more) are indulging in high risk behavior when using cloud apps.

Financial Risk

Healthcare vertical has the greatest amount of financial risk based on our analysis of real world data

• Healthcare account breach translates into an average cost of $10M per breach

• Anthem data breach of 80M docs resulted in $100M remediation costs and compliance fines.

However, all verticals face steep financial costs due to data breaches.

Data Science Powered Cloud App Security

• Machine Learning

• Semantic Analysis

• Natural Language Processing

• Graph Theory

Shadow IT Risk Assessment (based on logs and event info from proxies and firewalls)

• Analytics on your cloud app risks and compliance issues

• App usage anomalies across your organization

• What apps you should sanction and what apps you should block

Shadow Data Risk Assessment

• External and public content exposures, including compliance risks

• Inbound risky content shared with employees (e.g. malware, IP, etc.)

• Risky users and user activities
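As an added example of the proxy-log-based Shadow IT assessment described above (not Elastica's product code), the Python below parses constructed proxy log lines, maps each host to an assumed app catalog whose sanctioned flags and BRR values are invented, and splits the traffic into sanctioned apps and shadow IT with an allow/review/block recommendation. The log format, APP_CATALOG and BLOCK_BELOW_BRR threshold are assumptions.

```python
# Added example (not Elastica's own tooling): find cloud apps in proxy logs and
# split them into sanctioned apps and shadow IT, using a Business Readiness
# Rating (BRR, 1-100 as in the report) to decide what to block or review.
import re
# Constructed sample proxy log lines: "epoch user method url status bytes".
PROXY_LOG = """\
1467331200 alice GET https://api.box.com/2.0/files/123 200 8192
1467331260 bob POST https://content.dropboxapi.com/2/files/upload 200 1048576
1467331380 dave PUT https://upload.fileshare-example.net/v1/put 201 524288
1467331440 erin GET https://outlook.office365.com/mail 200 3072
"""
# Assumed catalog: domain suffix -> (app, sanctioned?, BRR); BRRs are invented.
APP_CATALOG = {
    "box.com": ("Box", True, 92),
    "dropboxapi.com": ("Dropbox", False, 80),
    "fileshare-example.net": ("FileShare Example", False, 35),
    "office365.com": ("Office 365", True, 95),
}
BLOCK_BELOW_BRR = 60  # assumed policy threshold
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def lookup_app(url):
    host = re.sub(r"^https?://", "", url).split("/")[0]
    for suffix, info in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return (host, False, None)  # unknown host: unrated shadow IT

def decide(sanctioned, brr):
    """Allow sanctioned apps; block unrated or low-BRR apps; review the rest."""
    if sanctioned:
        return "allow"
    return "block" if brr is None or brr < BLOCK_BELOW_BRR else "review"

def assess_shadow_it(log_text):
    """Return {app: {sanctioned, brr, users, bytes, action}} from proxy lines."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the assessment
        _, user, _, url, _, nbytes = m.groups()
        app, sanctioned, brr = lookup_app(url)
        e = report.setdefault(app, {"sanctioned": sanctioned, "brr": brr, "users": set(),
                                    "bytes": 0, "action": decide(sanctioned, brr)})
        e["users"].add(user)
        e["bytes"] += int(nbytes)
    return report
```

Unknown hosts are reported as unrated shadow IT and fall on the block side until someone rates them, which is the conservative default for an unsanctioned app.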

Thank You!

Download the Shadow Data Report: www.elastica.net/1h-2016-shadow-data-report

Consider a Shadow IT/Shadow Data Risk Assessment: www.elastica.net/risk-assessment