• The share of users who upload, create, share, or store data in cloud apps is up from 65% to 79%.
• Users are uploading an “unusually high” amount of data to personal apps and instances in the 30 days before they leave an organization.
• Organizations can implement policies to limit personal app usage to reduce the risk posed to data security.

Netskope released its latest Cloud Threat Report on data sprawl, examining how organizations use cloud apps to create, upload, share, and store data. The report found the number of cloud apps organizations use continues to climb – up 35% in the first five months of 2022. 

Netskope Director of Threat Labs, Ray Canzanese, said he expects the increase in cloud app usage won't slow. “This seems to just keep getting more and more important to control over time, just because of the magnitude of the problem,” Canzanese told SDxCentral.

The share of users who upload, create, share, or store data in cloud apps is also up from 65% to 79%. The report notes that personal apps, like Gmail, WhatsApp, and Google Drive, present an “especially challenging” problem because users can upload and maintain access to sensitive data through private accounts.

“That's not a problem if they're uploading pictures of their cat to their photo album somewhere,” Canzanese explained. “But it is a problem if it's a work-related file that's getting uploaded to one of these apps.”

The top three types of apps being used are cloud storage, collaboration, and webmail apps. These include managed app instances, unmanaged app instances freely adopted by business units, and personal apps and instances.

While most users deal with data in managed app instances, nearly a quarter of users regularly do so with personal apps. “When they start doing that, mixing this personal and work together, naturally all sorts of things getting tangled, including where the data is that's only supposed to be going to your work,” Canzanese said.

On top of that, 20% of users upload an “unusually high” amount of data to personal apps and instances in the 30 days before they leave an organization. The two apps used most to upload data before employees leave, Google Drive and Microsoft OneDrive, were unchanged from 2021, with WeTransfer and Dropbox moving up in the rankings this year.

Functionality Overlap

According to the Netskope report, a proliferation of apps with overlapping functionality also contributes to security threats such as misconfigurations, policy drift, and inconsistent access policies. Depending on the size of the organization, 138 to 326 different apps are used to create, upload, share, or store data.

Organizations use multiple apps in the same category for various reasons, like divisional or regional preferences, the adoption of a new app without retiring its predecessor, or the addition of new apps through mergers and acquisitions. But another major contributor to the use of multiple apps with overlapping functionality is individual preferences throughout an organization.

Canzanese said while some of the increase in cloud app usage can be attributed to organizations, it doesn't explain the magnitude of the growth. “There's no organization out there that I've been able to find that has said, these are the 2000 cloud apps that I'd like you to use,” he said. “What we find is that the number is mostly being driven by individuals.”

The report found that of the 138 apps used across an organization with 500–2,000 users, there are on average four webmail apps, seven cloud storage apps, and 17 collaboration apps with essentially the same function being used.

Curbing Data Sprawl

Organizations can implement policies to limit personal app usage to reduce the risk posed to data security. For example, the Netskope report found the financial services sector on average has the strictest policies and sees less than half as much data uploaded to personal instances as other sectors.

Canzanese said organizations in the financial sector either bar users from certain apps entirely, or more commonly, restrict what users can do in personal apps. “If whatever you do as an organization involves sensitive data that you want to protect, then following the lead of the financial services sector makes sense,” he said. “You should look toward financial services and healthcare as your North Star, as the thing you aspire to be to help lock down this type of data movement.”

Netskope offers several recommendations, like deploying a security service edge (SSE) cloud platform with context for users, apps, instances, and data sensitivity in real time with adaptive access controls and data loss prevention. Enabling multi-factor authentication and single sign-on for managed apps can help maintain centralized control over access to sensitive data.

Organizations can also coach users to choose safer app alternatives to protect data, to justify unusual data activity, and to provide better authentication for risky conditions within business transactions.

But Canzanese said ultimately, the priority should be preventing data from going to personal apps and instances. “If you can do that, you reduce the risk that somebody accidentally uploads a bunch of data to the wrong place and maybe accidentally retains that.”