REPORT Cloud Adoption and Risk Report 2019REPORT 2 Cloud Adoption and Risk Report Through analysis of billions of anonymized cloud events across a broad set of enterprise organizations*, we can determine the current state of how the cloud is truly being used, and where our risk lies. Consider that nearly a quarter of data in the cloud is sensitive, and that sharing of sensitive data in the cloud has increased 53% year-over-year. If we dont appropriately control access and protect our data from threats, we put our enterprises at risk. IaaS/PaaS providers like AWS are increasing the productivity of our developers and making our organizations extraordinarily agile. However organizations on average have at least 14 misconfigured IaaS instances running at any given time, resulting in an average of 2,269 misconfiguration incidents per month. Prominently, 5.5% of all AWS S3 buckets in use are misconfigured to be publicly readable. We can see the risk of immediate and grand-scale loss of data starting to grow with these trends. We need to get the basics right, or face losing the opportunity for business acceleration before the gas pedal can hit the floor. The majority of threats to data in the cloud result from compromised accounts and insider threats. 80% of organizations are going to experience at least 1 compromised account threat in the cloud this month. 92% currently have stolen cloud credentials for sale on the Dark Web. Cloud Adoption and Risk Report Executive Summary Cloud services bring a momentous opportunity to accelerate business through their ability to quickly scale, allow us to be agile with our resources, and provide new opportunities for collaboration. As we all take advantage of the cloud, theres one thing we cant forget our data. When using software-as-a-service (SaaS) we are responsible for the security of our data, and need to ensure it is accessed appropriately. When using infrastructure-as- a-service (IaaS) or platform-as-a-service (PaaS), we are additionally responsible for the security of our workloads, and need to ensure the underlying application and infrastructure components are not misconfigured. Connect With Us 2019 *Many of the data points we cite in this report are determined by enterprise policy. For example, classifications of “sensitive data” are set by the organizations in our study, not McAfee. Our visibility is limited to the results of that policy, not the actual data.3 Cloud Adoption and Risk Report REPORT Fortunately, the cloud is still bringing more opportunities than threats. Cloud use is extremely broad, with most organizations using approximately 1,935 cloud services, up 15% year-over-year. Unfortunately, most think they only use 30. Key Findings 21% of all files in the cloud contain sensitive data, up 17% over the past two years. The amount of files with sensitive data shared in the cloud has increased 53% YoY. Sharing sensitive data with an open, publicly accessible link has increased by 23% over the past two years. 94% of IaaS/PaaS use is in AWS, but 78% of organizations using IaaS/PaaS use both AWS and Azure. Enterprise organizations have an average of 14 misconfigured IaaS/PaaS instances running at one time, resulting in an average of 2,269 individual misconfiguration incidents per month. 5.5% of AWS S3 buckets have world read permissions, making them open to the public. The average organization generates over 3.2 billion events per month in the cloud, of which 3,217 are anomalous, and 31.3 are actual threat events. Threat events in the cloud, i.e. compromised account, privileged user, or insider threat have increased 27.7% YoY. 80% of all organizations experience at least 1 compromised account threat per month. 92% of all organizations have stolen cloud credentials for sale on the Dark Web. Threats in Office 365 have grown by 63% in the last two years. The average organization uses 1,935 unique cloud services, an increase of 15% from last year. Most organizations think they use about 30. REPORT 4 Cloud Adoption and Risk Report Table of Contents 5 Breaking Down Sources of Cloud Data Risk 7 When Sharing Isnt CaringCloud Collaboration as a Blessing and a Curse 8 You Can Bet Your IaaS is Misconfigured So Dont Forget the Basics 10 Internal and External Threats 11 Compromised accounts 11 Insider threats 11 Privileged user threats 12 Cloud threat funnel 12 Cloud Usage Trends 13 Average number of services 14 Native security controls vary by provider 15 The top cloud services 15 Top 10 enterprise cloud services 16 Top 10 collaboration and file sharing services 16 Top 10 consumer cloud services 17 Top 10 social media services 17 Perception vs RealityTotal Cloud Services 18 Perception vs Reality“Over Trusting” Cloud Services to Keep Data Secure