There's hardly a company that doesn't have a problem with cloud services creating "shadow IT." That is, employees using services that you may or may not know about. Most CIOs think their company uses about 25 to 40 cloud services, but the reality is more like 200 to 400. Skyhigh Networks lets you discover and control all the cloud services your company uses -- whether you've authorized them or not.
If you had to estimate (or guess) how many cloud services your organization uses, what would the tally be? Twenty? Fifty? One hundred? Perhaps, but those are probably the ones you know about. What about the "shadow IT" cloud services that your lines of business and individual employees utilize on their own?
This would include cloud backup and storage solutions like Nirvanix, Carbonite and CloudElephant, file delivery services like Dropbox.com, productivity applications like Workday and Google Apps, and dozens of other types of cloud-based services and applications. How many of them are in use, authorized or not, and who is using them?
One CIO thought her company was using about 25 cloud services. Through a new discovery process, she learned the actual number was closer to 350! That was in March 2012, and by July the number was up to 420, and by November, 500.
It's so easy for departments and individuals to sign up for one service or another and before you know it, your organization's data is heading into the cloud -- perhaps without regard for data security and privacy, business risk and corporate liability.
Skyhigh Networks figures this is a universal problem for practically every business entity, large and small, and has developed a solution designed to help you discover what cloud services your company uses, analyze how risky they are to use, and control their use according to your company policies.
Skyhigh's new cloud service is designed to help you discover and gain control over all the other cloud services your company uses. There are three levels of functionality in the service: discovery, analysis and control. Let's look at each.
The discovery process is designed to allow you to get a comprehensive view into all the cloud services being used by employees. Rajiv Gupta, Skyhigh's CEO, says when he talks to prospective customers, on average they think their employees are using between 25 and 40 cloud services. In reality, the average is between 200 and 400 and in some cases more than 1,000. In Oprah parlance, that's a big aha! moment.
Skyhigh says it does discovery in a low-touch way. The service taps into existing egress devices like your firewall or the proxy you have for your organization, and it acquires a subset of the traffic logs. They do this by giving you a small script that collects the log entries that point to cloud services. To maintain your privacy, the confidential data in the logs (like user name or internal IP address) is tokenized before it is sent to Skyhigh. The service provider then analyzes the data to get an understanding of all the cloud services your organization uses.
In less than an hour of initiating the discovery process, you can be viewing a dashboard with some revealing insight. Skyhigh can tell you which cloud services are being used, which IP addresses are accessing them, how many people access each service, and how often and when. And then it gets interesting.
Skyhigh then develops an independent risk score for each service. More than 30 different attributes -- the relative weights of which you can customize for your business from the Skyhigh recommended best practice weights -- are analyzed to arrive at an overall risk score of 1 to 10 comprised of data risk, service risk, business risk and user device risk.
Example attributes include whether or not the service encrypts your data, and if so, who holds the encryption keys; whether the service uses geolocation data from the devices accessing the service; and whether the service comingles data from different customers in a multitenant hosting environment.
With a quick look at your dashboard, you can see what cloud services people use, and how risky they are for your business. Going a step further, Skyhigh Networks can recommend alternative services to replace high risk ones.
Skyhigh also analyzes anomalous use of cloud services. Let's say you notice an unusually high volume of tweets from one user or IP address. This could be due to a valid business reason, or it could be that an automated application or other unauthorized source is generating this traffic as it tries to exfiltrate confidential data from your organization.
Finally, Skyhigh's service can help you gain control over your company's use of cloud services. Viewing information through the dashboard can help you see where you need to develop new policies or reconfigure the firewall to block high risk services. Skyhigh can give you recommendations on how to configure your firewall to block specific services. If you specify your specific firewall -- for example, a Juniper SRX -- Skyhigh can generate the script that you can put in a support ticket so the firewall administrator can implement the exact change. This helps to ensure that your firewall code is consistent and current even though the cloud services can change so often. Skyhigh keeps track of all of this and gives you a very simple way to update your configuration to block access to services that you don't want people using.
Skyhigh also has an approach to protect sensitive data through its CloudFlow Gateway -- a reverse proxy encryption gateway which has a zero client footprint and requires no changes to the enterprise-ready cloud services. Customers use Skyhigh's gateway to protect data stored in several services such as Salesforce, Box.com, Google Apps and Microsoft Office 365, and effectively address data residency, security, privacy and compliance requirements.
If you worry about your company's data sitting in the cloud -- whether you know it's there or not -- or you worry that data is leaking out through the cloud, Skyhigh may be able to help you spot the problems and get them under control. What's more, you can save money by standardizing on one cloud service for, say, data storage, rather than using several disparate services.
Steve Martino, VP of information security at Cisco Systems, summed up his use of this unique service this way: "With Skyhigh we immediately discovered a wide range of services that we had not authorized. It allowed us to better understand the risks these services presented and put in place usage policies that both protect the company and work for our employees."
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.