Cloud Adoption Report FINAL PDF


Cover your SaaS!

It's time to get serious about cloud security


The Bitglass Cloud Adoption Report

Executive Summary
Is everyone really moving to the cloud? Cloud providers and investment gurus
are outdoing themselves to give that impression. Promises of cost savings,
happier employees, and cutting-edge performance turn companies such as Box and
Cloudera into ballyhooed acquisitions or potential IPO candidates. If the hype
is to be believed, throngs of IT leaders are ready to shutter their server rooms
and move their infrastructures to the cloud, leaving traditional hardware and
software manufacturers choking in the rubble.
But is the reality of cloud adoption living up to the hype? We decided to run the
numbers and see. We separated the cloud dabblers from those showing signs of strategic
cloud adoption, and give our recommendations for how cloud customers should
proceed in the midst of the public cloud fiascos that continue to plague the industry.
Read on to find out more about how to take and deploy this first-ever insight in
your organization.

Real-World Numbers Tell the Story


Traditional survey responses can include inherent lag times and other discrepancies, so
for this study we analyze publicly available, real-world traffic data. This inaugural cloud
adoption report takes a sampling of 81,253 businesses across a range of industries
and company sizes, the largest data set available on this topic. We zero in on email
and productivity suites, such as Microsoft Office 365 and Google Apps, under the
assumption that companies using those applications are most likely to embrace the
cloud across their organizations rather than deploying tactical, employee-driven tools.

Results:

Strategic, company-wide cloud adoption is taking hold as new technologies to
secure cloud applications gain a greater foothold. But even in the midst of continual
cloud fiascos, security concerns persist as the elephant in the room, with most cloud
customers continuing to ignore basic security mechanisms.

Conclusions:

After analyzing these numbers, we believe that for the cloud to reach its incredible
potential, business cloud customers must address security gaps that represent
significant threats, especially to large organizations and those in heavily regulated industries.


Today CRM and collaboration tools, along with web applications, data
warehousing systems and email, top the list of cloud applications that
businesses use most, according to ChangeWave Alliance, a technology
research network.

[Figure: Cloud Computing. Top 5 areas that companies currently support
applications running on public cloud computing services]
Cloud Trends: A Contextualized Overview


In the beginning, individual consumers logged into Hotmail or Yahoo email accounts
from work or home. As smartphone technology matured, people happily augmented
that convenience to include mobile applications they could access from anywhere.
It wasn't long before many managers recognized the improved performance,
simplicity, and cost savings that the cloud could bring to their jobs. They began
pressuring the companies they worked for to deploy cloud-based tactical applications,
such as customer relationship management (CRM) and collaboration tools. And the
increased demand has resulted in even more cloud-based apps.

[Chart categories: Email Systems, CRM (Customer Relationship Management),
Web Applications, Collaboration Tools, Databases. Values shown: 50%, 39%, 34%,
31%, 30%. October 2013. Source: ChangeWave Research, a division of
The 451 Group. © 2013 451 Group, LLC]

But how many organizations are going beyond tactical, employee-driven cloud
apps to embrace the cloud strategically across large portions of their company?
The best indicators are email and productivity suites, such as Google Apps or Microsoft
Office 365. Companies deploying those applications across large portions of their
organizations are most likely moving in the direction of adopting the cloud as a strategic
element in their business models.

The Bitglass Data Set: Microsoft vs. Google


For this reason, our analysts focused on Microsoft Office 365 and Google Apps in their
quest to uncover strategic, company-wide cloud adoption rates. While neither company
shares these numbers in their financial reports, we were able to obtain them through
the persistent effort and technical skills of our analytics team.

Out of the 81,253 companies sampled, Google Apps clearly is the most popular service:
16.3 percent of companies use it, versus 7.7 percent using Microsoft Office 365.

However, when you account for company size, it is a dead heat: Organizations with
more than 1,000 employees use both services equally, at a rate of 8.8 percent each.
612 companies use Microsoft Office 365 while 610 use Google Apps.


Size does matter


Company size makes a big difference when it comes to cloud adoption:

More than 1,000 employees = 17.6% chance of using cloud-based email for work
Less than 500 employees = 24% chance of using cloud-based email for work

This difference makes sense when you consider the consumer-driven nature of cloud
adoption. Large organizations with established IT processes move more slowly
and have a higher degree of mistrust with respect to cloud security concerns.
These organizations, however, also have the biggest economic incentive to move to the
cloud, so we expect those numbers to even out over time.

As do shareholders
In a similar vein, private companies use cloud-based email more than public companies,
and Google leads the way.

[Figure: Privately-Held Companies vs. Publicly-Traded Companies.
Values shown: 7.6%, 8.8%, 16.5%, 11.9%]

Predictably, Google adoption falls off substantially in publicly traded companies, while
Office 365 use increases.
This trend makes sense when you consider the additional regulatory and reporting
burdens that public companies bear. Most cloud applications still lack the compliance
and auditing capabilities required by publicly traded companies, many of which have a
history with and substantial ties to Microsoft, based on on-premises experience and
familiarity with Microsoft Office over the years.

The tech industry leads the pack


Technology companies, with their vocal and knowledgeable user groups, are
consummate early adopters, so it's no surprise that 37% of tech companies
overall in our sample use cloud-based email.

[Chart values shown: 10%, 27%]

However, larger, more established tech companies (those with more than 1,000
employees or more than 10 years in business) are less likely to deploy email in the cloud:
18% of established tech companies have deployed email in the cloud.

[Chart values shown: 9%, 8.6%]


Heavily regulated companies bring up the rear


It's also no surprise that enterprises in regulated industries tend to avoid the cloud.

Healthcare, government, and financial services organizations in our sample are
40% less likely to use cloud-based email, compared to other companies.

Compliance mandates, such as the Health Insurance Portability and Accountability
Act, the Payment Card Industry Data Security Standard, and the Sarbanes-Oxley Act,
require a stringent approach to data security and complete audit records of data
access. Very few cloud vendors have bundled these capabilities into their apps.

Growing Threats: A Lesson in Due Diligence


Our research backs up a story that only a few other analysts are telling: Security is a
significant and growing concern for the cloud industry. According to a 2013 ChangeWave
Alliance survey, 52 percent of large companies and 33 percent of small to medium-size
companies report security concerns as a major inhibitor.

[Figure: Reasons for Not Using Cloud. Large-Sized Companies (over 1,000 Emp.)
vs. Medium to Small-Sized Companies (under 1,000 Emp.), October 2013.
Categories: Security Concerns, Complexity of Integrating with Existing IT,
Technology is Too New, General Resistance, Cost Too High.
Source: ChangeWave Research, a division of The 451 Group. © 2013 451 Group, LLC]

Among companies of all sizes, 42 percent in 2013 cite security concerns as a reason for
not using the cloud, versus 25 percent in 2011, an increase of 17 percent.


[Figure: Reasons for Not Using Cloud. Of those companies not currently using
cloud, what is the most important reason why? October 2011 to July 2013
(OCT 11, JAN 12, APR 12, JUL 12, OCT 12, JAN 13, APR 13, JUL 13).
Series: Security Concerns, Complexity of Integrating with Existing IT,
Cost Too High.
Source: ChangeWave Research, a division of The 451 Group. © 2013 451 Group, LLC]

Yet, of the cloud customers we sampled, only a tiny number have taken even the
most basic security step: implementing single sign-on (SSO) to create a manageable
authentication mechanism for all users and applications. Such a step helps stop
hackers who prey on lax password practices, and also makes it easier and faster for
companies to provision or de-provision user accounts.

% of Salesforce.com customers using SSO: 9.2%
% of Box customers using SSO: 5.5%

The Cloud Security Alliance (CSA) 2013 report on cloud security vulnerabilities ranks
threats in order of severity, according to industry experts.

The Notorious Nine

Cloud Computing Top Threats in 2013

No. 1 Data Breaches
No. 2 Data Loss
No. 3 Account or Service Traffic Hijacking
No. 4 Insecure Interfaces and APIs
No. 5 Denial of Service
No. 6 Malicious Insiders
No. 7 Abuse of Cloud Services
No. 8 Insufficient Due Diligence
No. 9 Shared Technology Vulnerabilities

Source: Cloud Security Alliance

According to the CSA report, "Too many enterprises jump into the cloud
without understanding the full scope of the undertaking. ... Organizations
are taking on unknown levels of risk in ways they may not even comprehend,
but that are a far departure from their current risks."

The top three threats? Data breaches, data loss, and account hijacking, respectively.
However, cloud providers tend to put more effort into protecting against the fourth and
fifth threats on the list (insecure APIs and denial of service attacks, respectively)
because they put the entire service at risk. So cloud customers who rely solely on the
provider for security are at greater risk for all of these threats, including the malicious
insider threat, which comes in at No. 6.
Threat No. 8, lack of due diligence, points to the overall cloud security problems we face.


Five Essential Cloud Security Solutions


Fortunately, as an enterprise adopting cloud apps, you do have the power to protect your
company against the worst threats out there. Today, emerging security technologies
for cloud applications give IT organizations more control, while also protecting
employee privacy. To overcome the loss of visibility, security, and control that you
encounter when deploying cloud applications, we recommend these five security solutions:

1. Use SSO (Single Sign-on)


July 2012:
A hacker stole an internal Dropbox
document listing customers' email
addresses and launched a spam attack.

Remember the Dropbox fiasco of 2012? A hacker stole an internal Dropbox document
listing customers' email addresses and launched a spam attack.
But a simple SSO authentication solution could have saved Dropbox a lot of
embarrassment and stopped the spammer in his tracks. SSO technology provides a
single login for all company applications, so when employees access cloud apps they
are automatically redirected to a company login page for authentication.
The IT organization now controls password requirements and can enable or disable
employee access across all company applications in one fell swoop, but employees
benefit, too. Instead of trying to remember which password to use for which service,
they only have to remember one, which saves time and frustration.

2. Track Employee Traffic


Once a user is authenticated, organizations need insight into what happens next. It's
not about snooping on employees; it's about business requirements. Healthcare or
financial services organizations, for example, must provide logs of who accessed what
information when, so they can comply with audits and protect customers adequately.
This requirement can be difficult to satisfy with cloud services, but network proxies,
sometimes referred to as cloud access security brokers, can be a solution. A
reverse proxy service intercepts all traffic to corporate cloud applications, inspects and
secures data, and logs activities as they occur.

January 25, 2014:


Coca Cola reports stolen laptops that
contain the personal information of
up to 74,000 people.
January 27, 2014:
Horizon Blue Cross Blue Shield of
New Jersey officials face a Senate
panel after two stolen laptops
compromise the privacy of 840,000
policyholders.

3. Prevent Data Leakage


Data leaks are so common these days that they hardly make news anymore. Nevertheless,
they certainly retain their potential to destroy a company's reputation and disrupt the
lives of affected customers. These almost weekly data leak stories point to a gaping
need for organizations to gain control of all the data they collect.
Today, the technology is available to help them do that, whether data is stored on a
company server, an employee laptop, or in the cloud. The key is to block restricted
content from being downloaded, and for sensitive data that is not access restricted,
automatically watermark with hidden fingerprints tied to user, date, and transaction.
That way, you can stop your most sensitive data from leaving the company, and track
all other corporate data anywhere it goes. You can also securely delete corporate data
from a device when an employee loses it or leaves the company.

4. Limit Employee Access


All employees are not equal, at least not in how they warrant access to sensitive
corporate data. Contextual access control technologies run employee profiles through
a policy engine each time they access company cloud applications, so IT organizations
can implement group-based authorization, location-based policies, and device-type
restrictions. You can even dynamically redact sensitive data on mobile devices,
helping you stay in compliance and keep data confidential.
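
As an added illustration (not Bitglass code and not part of the original report), the sketch below shows how a policy engine of this kind can combine group, location and device-type checks on each request and redact sensitive fields for mobile devices. The apps, groups, countries, device labels and the SSN pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed policy table: per app, who may connect, from where, on what.
POLICY = {
    "crm":     {"groups": {"sales", "support"}, "countries": {"US", "CA"},
                "devices": {"managed_laptop", "mobile"}},
    "finance": {"groups": {"finance"}, "countries": {"US"},
                "devices": {"managed_laptop"}},
}

# Assumed sensitive-data pattern (US Social Security number format).
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    country: str
    device: str
    app: str


def evaluate(req):
    """Return (decision, reason). Unknown apps and failed checks deny."""
    rule = POLICY.get(req.app)
    if rule is None:
        return "deny", "no policy for app"
    if not (req.groups & rule["groups"]):
        return "deny", "group not authorized"
    if req.country not in rule["countries"]:
        return "deny", "location not allowed"
    if req.device not in rule["devices"]:
        return "deny", "device type not allowed"
    if req.device == "mobile":
        return "allow_redacted", "mobile device"
    return "allow", "all checks passed"


def deliver(req, body):
    """Apply the decision to a response body; None means access denied."""
    decision, _ = evaluate(req)
    if decision == "deny":
        return None
    if decision == "allow_redacted":
        body = SSN.sub("[REDACTED]", body)
    return body
```

The engine is evaluated on every request rather than once at login, so a change in location or device changes the outcome without any change to the user's account.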


5. Encrypt Sensitive Data


Industry experts agree that companies must take control of sensitive data wherever
it resides, whether it's in transit or stored on a server somewhere, on or off company
premises. Encryption can reduce or eliminate the impact of a data breach, should it
occur. It's essential for regulated industries, and can help organizations comply with the
data residency rules that some countries have in place.

You're in good company, wherever your company stands on the
spectrum of cloud adoption.

Conclusion
If you're well on your way to deploying cloud solutions, don't be lulled into complacency
by the constant stream of positive reinforcement coming from the media and cloud
providers. Cloud providers invest in the best security available, but there are still gaps
that you must fill when moving to the cloud.
Likewise, if you find moving to the cloud to be a daunting security headache, don't give
up on the cost efficiencies and productivity gains it offers. They are real. Today's cloud
security solutions take us back to the basic principles that IT organizations have relied
on for decades to protect their information, but architected for cloud and mobile.
We recommend you explore the ability of these technologies to keep your sensitive
corporate data safe.

Secure Cloud and Mobile in Minutes

Why Bitglass?
BYOD and Cloud are unstoppable trends. The benefits
are huge, but you can lose control of your data.
Regain control with Bitglass.
For IT: Secure cloud and mobile.
For employees: Privacy and unencumbered mobility.

Secure Cloud
Protect your cloud perimeter
Gain visibility and alerting
Secure data wherever it goes
Eliminate password issues with SSO
Support any cloud or internal app

Secure BYOD
Secure corporate data without
invading privacy

Prevent data loss
Track and manage sensitive data
Secure any mobile device or app

Learn more at www.bitglass.com

© 2014 Bitglass, Inc.

Phone: (408) 337-0190 | Email: info@bitglass.com
