Shadow IT threatens public sector security

Shadow IT has become a major problem in the public sector as users flock to cloud services to carry out their day-to-day work in government administration. Research from Skyhigh Networks found that 742 cloud services were being used in the average public sector organization, which is around 10 times more than the IT department expects. The research is based on actual anonymized usage data from over 200,000 users in the public sector in the US and Canada.

The most popular cloud services are collaboration (e.g. Microsoft Office 365), followed by development (e.g. SourceForge, GitHub), file sharing (e.g. Dropbox) and content sharing (e.g. YouTube). Although some of these applications are enterprise-grade, many users bring their consumer applications into the organization. Perhaps unsurprisingly, the top three of these are Twitter, Facebook and YouTube.

Although most users have the best of intentions, the use of shadow IT is a serious problem for the public sector. In fact, research shows that US government agencies estimate that nearly one-third of the data they host can’t actually be moved to the cloud, because of security or data sovereignty issues. The public sector faces similar restrictions within the EU, particularly around data protection and data location issues.

Not meeting basic levels of security

A startling number of cloud services don’t even meet the basic levels of security required for enterprise use. Skyhigh looked at over 10,000 cloud services and calculated that only 9% of them achieved the Enterprise-Ready CloudTrust rating from the Cloud Security Alliance. And some of the cloud services in use in the public sector are clearly high-risk. The top ten of these – according to data uploaded – include Smallpdf, LiveLeak and FilePi.

“The highest-risk services are hosted in export controlled or embargoed countries, claim ownership of IP uploaded to them, retain data on account termination, or have experienced recent data breaches,” says the report.

These data breaches could put highly confidential government data at risk – and not only in the service that is compromised. The problem is that users frequently reuse login and password details between different cloud services, so that once one account is compromised, it could potentially affect many more.

The research cross-referenced stolen identities on the darknet with attacker attempts to log into compromised accounts to try to calculate how many US government departments were at risk. The figures were alarming. The research found that 96% of departments had users with compromised accounts, with on average 6.4% of users in government departments having at least one compromised account.

Immediate action required

It’s clear that the public sector needs to take immediate action to prevent shadow IT causing a serious security breach. There needs to be a sea change in attitude in public sector IT departments around cloud services, because despite the enthusiasm at the highest levels of government, 89% of public sector IT professionals “feel apprehension” about moving to the cloud.

The simple fact is that users are turning to the cloud because they find government computing procurement too slow. Research has found that 54% of Federal agencies in the US say they are not able to acquire IT resources quickly enough.

If IT departments don’t take action and start providing the services that users need when they need them, and secure them properly, then this problem of shadow IT will not go away.
