Start-up Skyhigh Networks today introduced a service aimed at tracking risk associated with enterprise use of about 2,000 cloud services, in order to spot any rogue cloud services or to identify high-risk exposure that cloud use might bring to the enterprise.
[RELATED: 12 Must-Watch Security Start-Ups for 2013]
"Cloud is top of mind for CIOs and a bit of a concern because they can't control it as well," says Rajiv Gupta, CEO of Cupertino, Calif.-based Skyhigh which he founded in 2011 with Sekhar Sarukkai and Kaushik Narayan. Because business managers are sometimes bypassing the IT department altogether to order cloud-based services, the CIO and staff can be left in the awkward position of not even knowing where corporate data is headed.
But the cloud-based service from Skyhigh is intended to get a bead on what's happening and correlate that information with about 50 cloud-risk parameters to understand what might be considered "high risk" to the corporation using them.
The basic technique that Skyhigh uses is to collect logs from firewalls and perimeter gateways to learn which URL or IP address that an employee is trying to access associated with a cloud service, while also coming up with a risk score for it. Cloud services would be ranked according to several risk factors that include "is it multi-tenant, can I use an enterprise ID, does it do penetration testing," Gupta says.
All of this monitoring information is batched and sent to a dashboard for review by the IT department in order to gauge the risk to the organization. Another aspect of the service seeks to ensure encryption of data, Gupta says. The service, priced at about $2 to $10 per employee per month, has been in pilot with Torrance Memorial Medical Center, Cisco and data-hosting firm Equinix.
Brian Lillie, CIO of Equinix, says his organization, which started piloting the Skyhigh service last fall, is finding it a good way to discover and manage cloud services, though he doesn't use it at this point to block.
"We have taken action based on it," says Lillie, saying it's a tool that did help pinpoint a cloud service that had been turned on by some inside the organization that needed to be discussed in terms of risk. Finding out through monitoring made it much easier to have that discussion in comparison to just hearing about it in passing.
"It's a dashboard with visibility," Lillie says about using Skyhigh. "It's about knowing that you don't know." Cloud services of all varieties are now a way of life and productive for the enterprise, which can no longer be seen as "the castle with the moat around it," he points out.
Skyhigh's service classifies cloud services into types, such as storage or CRM, and there's a risk-scoring method that is helpful to the CIO and the information security manager, he notes. While Equinix also finds Websense to be a great tool for enterprise monitoring, it's required scripting to do the kind of cloud discovery process that Skyhigh is focused on. Lillie says he finds Skyhigh augments the Websense monitoring he does very well.
Forrester analyst Chenxi Wang says she's not aware of any similar service as Skyhigh's.
"What they did is essentially productized what people have been doing manually (and not very successfully). I think it addresses an immediate pain point," she commented. "Many enterprises would have need for a service like this, so they can understand better their risks associated with the use of cloud services and begin to manage that risk."
Gupta says he doesn't find it particularly unusual to see companies with "more than 200 cloud services, some more than 1,000" these days.
Skyhigh Networks also disclosed that it has $6.7 million in venture-capital funding, with Greylock accounting for $6.5 million of that.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org.