It’s almost like a throwdown, the kind of challenge that CIOs may be too proud to ignore: Let us look inside your network and show just how many employees are acting as if corporate about cloud computing policies don’t even exist.
In dozens of meetings that have been happening over the last year, startups in the cloud security space have been playing a game of gotcha in which they help identify just how many people have been secretly using Dropbox, Prezi, Evernote and Apple’s iCloud. In many firms, they are told by IT executives that the numbers are low, because they have strictly forbidden such services. Then they get the reports, and the jaws start dropping.
“When you are a CIO or CSO and you find out you have 400 cloud apps (running on your network without permission), you almost fall off your chair,” says Sanjay Beri, CEO and founder at Los Altos, Calif.-based NetSkope, which is among the early entrants in this space. “The first reaction tends to be, ‘Can we shut it down?’ Then they look into why the business groups want to use it, and they wonder if maybe they should be enabling it.”
That’s what’s interesting about these services: CIOs (and their employers) have been worried about the risks around cloud computing and security from the very beginning, and the potential complexity in warding off so many myriad problems from different software-as-a-service (SaaS) programs have led some of them to just say no. Beyond merely discovering who’s ignoring IT policies and running SaaS apps, the latest generation of cloud security firms seem focused on getting more CIOs to say yes.
“Employees are asking for the usability and flexibility in office applications that they can get from existing cloud services. And if they don’t get it, they will use it anyway,” says Rajiv Gupta, CEO of Skyhigh Networks of Cupertino, Calif., which provides a service similar to NetSkope’s. “CIOs are starting to see that if I don’t make changes, it’s going to be more difficult for all the things they’re trying to accomplish. They need to be an enabler.”
Prepare to be shocked
Richard McConnell, IT director at Ottawa-based law firms Gowlings, is among the firms giving Skyhigh Networks’ products a test drive. Like many of those referenced by the vendors, he was surprised to learn just how much “shadow IT” covers his organization.
“It’s produced some fairly startling results,” he says. “We’re still surfing through the data. As a ballpark, (what’s being used) is in the area of hundreds of cloud services.”
That’s consistent with findings from research reports that are produced on a regular basis by both Netskope and Skyhigh. In the latter’s Q2 Cloud Security Report, for example (which was published over the summer), companies ranging in size from 506 to more than 200,000 employees were using between 327 to 3,201 unauthorized cloud or SaaS applications.
“Only nine per cent of services used were Skyhigh Enterprise-Ready, meaning that they fully satisfied the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection,” the report says. “Only 11 per cent encrypt data at risk, only 16 per cent provide multi-factor authentication, and only four per cent are ISO 27001 certified.”
Netskope’s Cloud Report from July, meanwhile, says there are an average of more than 500 apps in use, more than 88 per cent of which are not enterprise-ready. The top offenders include Google Drive, Amazon Web Services and, of course, Dropbox.
“Where things start to get interesting is in app adoption by departments and lines of business for business-critical activities like finance and human resources,” the report says. “The top five categories in terms of apps per enterprise are: marketing, HR, collaboration, storage, and finance/accounting . . . While marketing is a broad category, we believe this significant and growing figure has to do with the larger trend that chief marketing officers are increasingly spending more of organizations’ IT budgets to accommodate sophisticated digital marketing campaigns.”
According to Gupta, just getting the information is almost as valuable as resolving the risk issues in some cases.
“It’s not just the CIO. The board is asking those questions as well,” he says. “I’ve seen customers with thousands of employees, thousands of customers. I would have thought they’d have other things to talk about, but what happens is, once they run the analysis, they’ll say, ‘This is the first time I’ve had real data.”
Don’t block; tackle the problem
On the other hand, McConnell says IT executives aren’t necessarily going to have a knee-jerk reaction to the data. CIOs are increasingly aware that some of what they would have blocked or forbidden in the past could be an important part of their organization’s future.
“It’s not a concern more than just a reality we have to adopt to,” he says. “These are often freely available or publicly tools that are providing value to people. In some cases, though, it’s being funded in ways people don’t understand. You can try to block these things if there’s a risk of data leakage, but in other cases it’s just an educational thing, where you need to be aware of the risks if you’re a stakeholder who’s using them.”
It’s also worth remembering that even if shadow IT is rampant, those using the free SaaS applications are likely doing so in a rush to get something accomplished rather than doing something malicious. They will listen to reason and in many cases should care the CIO’s outlook.
“No marketing head is going to say, ‘I don’t want to prevent data from being breached,’” says Beri. “Long term, I don’t believe IT will be the owner of cloud apps. If you need to do that you if you are in a world where (users) can’t procure some of those apps, you needs a different architecture.”
Once firms like Netskope and Skyhigh reveal how many cloud services are in use, they help organizations set policies that can be enforced across the board, rather than configuring different workarounds for each application. This is where the value of the analytics ultimately comes in, because a CIO could set an alert, for example, if someone was downloading important files off SharePoint and sending them to iCloud, for instance.
Analyze, then act
The next steps, according to Beri, will be addressing performance as well as risk factors.
“If I’m in financial services or health care and I have data going to the cloud, it needs to be encrypted, but we also want to make sure the user doesn’t lose functionality,” he says, adding that in some cases, the process may lead CIOs to adopt enterprise versions of the SaaS tools (there are already business versions of DropBox on the market, for example). Or, if the SaaS service comes at a cost, becoming aware of its use means CIOs and their teams could negotiate for a better rate. It also means companies could get a better sense of what’s running across their network, so as to avoid being caught off-guard by bandwidth needs.
Of course, the cloud service providers will no doubt welcome the efforts of Netskope and Skyhigh to make their products more “legit” in the eyes of CIOs. Both firms have earned healthy funding rounds from venture capitalists in Silicon Valley. Skyhigh has also received major investment from the likes of Salesforce.com. The question for some CIOs may be how long before these young cloud security firms are acquired outright by the service providers, or by more broad-based IT security giants such as Symantec or Intel’s McAfee.
And even with all the data and policy orchestration tools in the world, cloud vulnerabilities may lead to some services being restricted or prohibited outright. The recent incident involving naked celebrity photos being leaked online probably won’t make it easy for some organizations to accept the use of Apple’s iCloud, for example. However McConnell says it’s unlikely anybody expects the CIO to say yes to absolutely everything.
“As long as you can explain it, and you’ve got stakeholder buy-in, I think it’s going to be okay,” he says. “If anyone sees it as a heavy-handed policy, that’s where people tend to get a little bit grumpy about it.”