Cloud security: Think you're blocking staff access to certain sites? Think again

Stopping staff using certain web services may be in decline outside regulatory environments, but even where it is being attempted it may be falling well short of its aims.
Written by Toby Wolpe, Contributor
The top 20 cloud services used by enterprises. Source: Skyhigh
1 Amazon Web Services
2 Microsoft Office 365
3 Salesforce
4 Cisco WebEx
5 Concur
6 ServiceNow
7 Box
8 LivePerson
9 Zendesk
10 Yammer
11 BMC Service Management
12 Workday
13 OpenText BPM
14 OneDrive
15 GoToMeeting
16 NetSuite
17 SuccessFactors
18 SAS OnDemand
19 Oracle Taleo
20 Host Analytics

Some companies routinely block employees from using certain websites. The trouble is that what they think they're blocking just doesn't match up with staff access figures for those services.

That disparity between perception and reality can be pronounced, even for websites that pose no particular security threat.

For example, four out of 10 firms say they block employee access to Netflix. But in reality only four percent are doing so successfully, according to research from cloud security firm Skyhigh Networks and non-profit body the Cloud Security Alliance.

There are several possible reasons for that gap, which emerged from usage data generated by 11.5 million employees worldwide and a survey of IT and security professionals.

"It could be that they intend to block [a certain site] but they haven't implemented the firewalls or the proxies, or it could be that they're blocking it inconsistently. They may have a network of locations and they may be blocking at a few sites and not blocking at others," said Skyhigh vice president of products Kamal Shah.

"If I'm a large global company and I want to block, say, Dropbox across my entire network, I may be blocking it in some parts of it but not in others. It's geographically inconsistent."

The sheer variety of URLs used by web services and the number of routes employees can use to access them are another possible explanation for the gap between theoretical and real block rates.

The top 20 consumer cloud services used by staff at work. Source: Skyhigh
1 Facebook
2 Twitter
3 YouTube
4 LinkedIn
5 Pinterest
6 Gmail
7 Instagram
8 Tumblr
9 Flickr
10 Myspace
11 Dropbox
12 Yahoo Mail
13 Apple iCloud
14 Google Drive
15 Photobucket
16 Spotify
17 Shutterfly
18 SlideShare
19 SmugMug
20 VK

"It could also be that sometimes they think they're blocking Dropbox because they're blocking www.dropbox.com, as an example. But there are six other ways to get to Dropbox. The reality is they may not be aware of all the addresses that Dropbox uses," Shah said.

"Twitter is a great example of that. There are so many different ways to get to Twitter. They're blocking the most commonly-known domains but not the others. All these factors collectively drive the enforcement gap."

Companies may also decide that, for example, their marketing group needs access to Twitter for its social media efforts.

"You may grant them access to it. But the reality is the way you grant that access to Twitter is to say, 'I'm going to give you access to all social media'. Because there's no way to give access to Twitter only, because of firewalls and proxies," Shah said.

"The next thing you know is they go to Facebook. They can use it because the whole social media is made available to them. It's broader because they cannot do access control at a cloud-service level — and the exceptions cause sprawl. It's not because employees are trying to do intentionally bad things but it exacerbates the enforcement gap."

Shah said these sites may be innocuous in terms of security but if companies are misguided about their ability to block benign websites, what about the dangerous services that are off the corporate radar?

"That's the broader point that's important here. Everybody knows about these services. They're not the issue. These are sites you're aware of and it's inconsistent. There's a gap. Imagine then what the gap is for the other services that you don't even know about," he said.

The research shows that on average, firms are using 831 cloud services and 80 percent of data from companies is going to only 11 of these services.

"Nobody can name 80 services, much less 831 services. And 20 percent of corporate data is going to services that you don't know exist. It's the long tail. It's that 20 percent that you've got to be concerned about. Where is that data going, what are those sites and how do I understand what those sites are?" Shah said.
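The two gaps Shah describes above (a service reachable through hostnames the block list never named, and traffic to services nobody has catalogued) can both be measured from proxy logs. The following is an added example, not Skyhigh's tooling or anything from the article; the service catalogue, the blocking policy and the log lines are constructed, and the hostnames use the reserved .example TLD.

```python
"""Enforcement-gap audit over proxy logs (added example, not Skyhigh's tooling).
Hostnames, catalogue and log lines are constructed; .example is a reserved TLD."""

# Every hostname a service is known to use -> service name (constructed).
CATALOGUE = {
    "www.fileshare.example": "FileShare",
    "dl.fileshare.example": "FileShare",       # download host the web UI redirects to
    "api.fileshare.example": "FileShare",      # host used by the desktop sync client
    "www.microblog.example": "MicroBlog",
    "m.microblog.example": "MicroBlog",        # mobile site
}
# Blocking intent as usually configured: only the well-known front door.
BLOCK_INTENT = {"FileShare": {"www.fileshare.example"},
                "MicroBlog": {"www.microblog.example"}}
# Constructed proxy log: "<user> <host> <bytes> <action>".
PROXY_LOG = """\
alice www.fileshare.example 120 DENY
alice dl.fileshare.example 4800000 ALLOW
bob api.fileshare.example 910000 ALLOW
carol www.microblog.example 300 DENY
carol m.microblog.example 52000 ALLOW
dave uploads.unlisted.example 7000000 ALLOW
"""

def parse_log(text):
    """Yield (user, host, bytes, action) from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            user, host, nbytes, action = line.split()
            yield user, host, int(nbytes), action

def enforcement_gap(log_text, catalogue=CATALOGUE, intent=BLOCK_INTENT):
    """For each service meant to be blocked: (allowed, total, hosts that got through)."""
    stats = {svc: [0, 0, set()] for svc in intent}
    for _user, host, _nbytes, action in parse_log(log_text):
        svc = catalogue.get(host)
        if svc in stats:
            stats[svc][1] += 1
            if action == "ALLOW":
                stats[svc][0] += 1
                # Either a hostname missing from the block list or inconsistent enforcement.
                stats[svc][2].add(host)
    return {svc: (a, t, sorted(h)) for svc, (a, t, h) in stats.items()}

def unknown_traffic(log_text, catalogue=CATALOGUE):
    """Bytes sent to hosts the catalogue maps to no service at all: the long tail."""
    tail = {}
    for _user, host, nbytes, _action in parse_log(log_text):
        if host not in catalogue:
            tail[host] = tail.get(host, 0) + nbytes
    return tail
```

Run against the constructed log, FileShare shows two of three requests allowed despite the block intent, both via hosts the policy never listed, and the largest transfer in the log goes to a host no catalogue entry explains.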

In fact, blocking is a measure that many companies are abandoning. They recognise that staff generally only use services to get their jobs done and perform certain tasks. Nevertheless, data about what employees are accessing can provide valuable information for CIOs, which enables them to work out what services employees need.

"Generally speaking, organisations are — unless they're in regulatory environments — moving away from blocking because what they realise is that it is a whack-a-mole exercise. If I block Dropbox, there are 50 other file-sharing services that you can use," Shah said.

"So what customers are doing is they're turning it on its head and saying, 'There is a reason you want to use it. There's a demand. We're going to be proactive and we're going to make it available to you. We're going to select a service and make it enterprise-wide. Then the next time you try to use those other services, we'll give you a reminder so at least you'll know that the corporate standard for file-sharing is, say, Box'," Shah said.

"If you're going to upload family pictures, that's fine — but not if you're going to use it for business use. That's why educating employees is the bottom line because employees want to do the right thing. They're doing it to get their jobs done."
