Netskope Study: More Than 4 Percent Of IT-Sanctioned SaaS Laced With Malware

More than 90 percent of the software served from the cloud to the enterprise is unsanctioned by the IT department.

And of the roughly 6 percent of Software-as-a-Service apps used by large organizations that don't fall into the category of Shadow IT, a touch more than 4 percent are infected with some form of malware.

Those are some of the findings from the latest Netskope Cloud Report, a global survey of application usage from the cloud security broker based in Los Altos, Calif., compiled by tracking billions of customer transactions in the last quarter of 2015.

The report also documented an important market milestone -- several tools from the Google Apps office productivity suite were displaced by their Microsoft Office 365 counterparts near the top of the list of overall adoption by Netskope customers.

Netskope CEO Sanjay Beri told CRN his company has seen a roughly 20 percent surge in SaaS adoption among its customers over the past year. The average enterprise, at the end of 2014, was running 755 applications in the cloud -- that's now ramped up to 917 applications.

The IT department introduced and owns less than 10 percent of those hundreds, if not thousands, of applications, Netskope found among the majority of its customers. Far more often, software was provisioned by employees who "don't go through any process. They swipe a credit card and off they go," Beri told CRN.

"Most companies and most organizations have now realized there is a lot of Shadow IT and unsanctioned usage," Beri told CRN. "But the numbers are still jaw-dropping to them."

The latest report is the first in which Netskope looked at the percentage of content infected by Trojans, worms, viruses and spyware, finding 4.1 percent of all enterprise-sanctioned cloud apps are laced with such malware, Beri said.

That means an average enterprise cloud customer with a million files in an IT-approved cloud storage environment is likely to have 41,000 infected files.

While Netskope doesn't have data for the amount of malware attached to the unsanctioned apps that are used far more often in the workplace, Beri said he would expect a significantly higher infection rate because of the lack of policing and wider permissions.

And in the cloud, malware takes on another level of danger, Beri said.

"You put it there, you share it with people, and without them even doing much, it can be auto-synced to their laptop, so the ability for malware to spread once it's in the cloud is unprecedented, because it can just happen automatically," Beri said.

Netskope calls that quality the "fan-out effect" -- users unknowingly spreading malware through automatic file syncing and effortless sharing.

Netskope also observed that Microsoft Office 365 surpassed heated rival Google Apps in popularity near the end of last year, not only in total deployments but also in overall usage among its customers.

OneDrive for Business, Microsoft's cloud storage product, did particularly well, climbing from 11th place in overall enterprise adoption in Netskope's fall 2015 report to third in the latest study. Office 365 Outlook, the Web mail component, was the second-most-widely-used app in the enterprise at the end of 2015, taking a spot previously held by Google's Gmail.

In the fall 2015 report, Google Drive was third in adoption; YouTube, another Google property, was in fifth place; and Google Docs was in seventh. Microsoft didn't show up on the list until the No. 10 slot, with Outlook.

But in the latest report, Gmail fell to fifth place, Google Drive to sixth, YouTube to 11th, and Docs didn't crack the top 20, pushed out by several Microsoft entrants, including Yammer and Lync Online.

The flip in SaaS leadership can be seen beyond the applications directly offered by the two tech giants, Beri noted.

The average customer plugs in 25 SaaS apps to Office 365, Beri said, and market shifts reverberate through entire ecosystems.

"What we've also seen is the growth of Office 365 has led to the growth of partners in the ecosystem," Beri told CRN. Some Microsoft-aligned ISVs posted triple-digit growth, driven by surging Office 365 adoption.

Google's ecosystem partners also did well, Beri said, but "we've seen higher growth in the ones that are more attached to Office as [opposed] to Google."

Other software options Netskope saw widely deployed in the enterprise -- both sanctioned and not -- were Dropbox, Cisco's WebEx, Salesforce, Box and Evernote, which came in at ninth, 12th, 13th, 14th and 18th place, respectively.

So what's the leading cloud application used in the enterprise?

Facebook, of course.

If IT-led apps constitute one category, and unsanctioned enterprise apps another, consumer apps constitute a third category that's just as prevalent, if almost never sanctioned.

"Everybody knows your employees are using it. But they don't know what they're doing on it," Beri said of the social networking leader. "Some choose not to know, others in regulated environments have to know."

One finding from the Netskope report should come to a head in the next year -- SaaS providers are not meeting strict European Union regulations that will soon go into effect.

Europe's General Data Protection Regulation will be fully implemented in 2017, intended to protect the privacy of end users. The new set of rules involves criteria like the ability to export data, how fast data gets deleted after an account is terminated, and who owns the data.

Netskope found 43 percent of cloud apps keep data for longer than a week after service is terminated, a violation of the rules. And almost 13 percent don't support data export, while 60 percent don't specify in their terms of service that customers own their data -- two more violations.

"You're going to find a lot of cloud apps are not compliant with EU regulations," Beri said.

Next year, fines will kick in, and the violators will be the enterprises themselves. That puts the onus on organizations to secure their environments.

"That's something you're going to hear more about as it becomes more top of mind," Beri told CRN.