Rogue Clouds: Are Your Apps Enterprise-Ready?

Rogue Clouds: Are Your Apps Enterprise-Ready?

Question: How many cloud apps are the various facets of your enterprise currently using?

Answer: Probably more than you thought.

Adrian Sanabria According to its latest Cloud Report, Netskope, a cloud app analytics and policy enforcement firm and solutions provider based in Los Altos, CA, companies are using an average of 461 cloud applications. The same report asserts that 85% of the cloud apps in use are not enterprise-ready. The Cloud Adoption & Risk Report, Q2, 2014, released by Skyhigh Networks, a cloud visibility and enablement software developer in Cupertino, CA, found that organizations use an average of 759 cloud apps, and deemed only seven percent of them enterprise-ready. (Out of the top 10 file-sharing services used, only Box made Skyhigh’s grade as enterprise-ready.)

“Many cloud applications are built and brought to market quickly,” said Adrian Sanabria, senior security analyst at 451 Research LLC, headquartered in New York, NY.

“Often when that happens, proper attention on security is deferred. Sometimes ‘later’ never comes, or comes in the form of a data breach, like the directly related MongoHQ and Buffer breaches,” Sanabria said.

Sanabria aded that while next-generation firewalls (NGFW) enable technology managers to see which applications and services are in use, he cites cloud application control vendors like Skyhigh, Netskope, and Adallom, as potential solutions.

“The CAC [cloud application control] market is all about monitoring, controlling, and enabling cloud app use, whereas most NGFWs only give you the ability to allow or block a service.” He also points to encryption providers such as nCrypted Cloud, SafeMonk, Sookasa, and Viivo, that enable encryption of data before it is sent to the cloud. “If the cloud service provider is breached, only encrypted data will be compromised.”

Jamie Barnett

Netskope rates the approximately 4,500 cloud apps in its database according to three main criteria (with subsets of criteria assigned to each): security, auditability, and business continuity. “We look at things like: do these apps support auditing? Can you access data audit logs? Do they support things like encryption for data at rest and data in motion?” Jamie Barnett, Netskope’s vice president of market data, explained. “For some app categories, you are going to have your data uploaded, and so you need to think about not only if it supports encryption of data at rest, but what kind of encryption [it uses].”

Sanjay Beri

What’s interesting about Netskope’s Cloud Report is that it found that 90% of the cloud apps being used were blocked at the perimeter. So why are they still in use? Because users are granted exceptions, a phenomenon that spreads throughout the enterprise like an epidemic. Barnett illustrates it best in her blog post, “Just These Five, These Seven, These Eighty-Two Exceptions,” which lays out what the firm calls “exception sprawl”: “IT sets a policy and the network team blocks a service like Dropbox or Twitter at the perimeter. Then some poor guy in marketing whose job it is to tweet about new product releases goes to IT and asks for an exception. It’s granted. Then the entire marketing team asks for the exception. Granted. The CEO, who has just gotten her groove on in the social media realm, also asks for an exception…for herself and the entire executive staff. Granted, of course…” To quote Vonnegut: and so on. Barnett’s point: blocking at the perimeter is an outdated solution when one takes into consideration today’s “always-on,” BYOD business practices.

“Blocking applications en masse is not a good policy, because your users will revolt, and you’re not going to take advantage of the agility of cloud apps,” said Sanjay Beri, Netskope’s CEO. Instead, he counsels technology managers to examine what they’re really worried about when it comes to cloud apps. Are you concerned that your organization’s intellectual property is at risk in the cloud? With Netskope Active, “that’s a policy that you can very easily set,” he said. “They can use Box and Dropbox and whatever they want, but as soon as they attempt to upload sensitive content or share data with competitors, they’re stopped.” He says that this addresses the risk that organizations don’t want to expose themselves to, while at the same time balancing the employees’ need to use cloud apps to get their work done.

Just as blocking at the perimeter is no longer effective, it’s also unrealistic for tech managers to handle security on an app-by-app basis, Beri says. “The first thing they look for as an enterprise is: what is something that gives me a single place where I can do what I need to do, [which is] encrypt, get visibility, get auditing, and protect against sensitive data being stored in the cloud?” he said. “They want one place to do it, a simple way to do it, one that is consistent no matter what app they use and, as a result, they have control.” Netskope Active, he says, offers this capability for both on-premise and remote use cases.

Stephen Coty

Within the enterprise, it’s likely that each business group is using a multitude of apps that, in essence, all do the same thing. “You need to analyze how those apps are being used,” said Kamal Shah, vice president of products and marketing at Skyhigh Networks. “If you find, for example, that there is tremendous demand for file-sharing and collaboration services across all of your employees, then as an IT organization you can initiate a project to standardize on one or two cloud-sharing and collaboration services.” This presents technology managers with the opportunity to steer users toward more secure enterprise-ready apps.

Security aside, standardizing on just several apps is more cost-effective, Beri points out. Why, really, does the marketing department need 32 collaboration apps? Why is the human resources department using 41? “It’s an opportunity for them to save money and help broker a conversation [to reduce the number of apps in use],” he said.

“It’s important, and it’s not even security-related,” Beri continued. “It’s just figuring out how to optimize your spend as a company.”

Not only will the process help locate potential vulnerabilities, closer departmental coordination might yield long-term productivity benefits.

Carolyn Heinze is a freelance writer/editor.

What’s New In Collaboration?

Blue Jeans Enhances All-in- One Video-Centric Collaboration

Blue Jeans Network has expanded its service with the ability to host larger meetings with up to 100 participants, and new record-and-share features.

“There is a fundamental shift happening in the marketplace with increasing demand for a single tool to manage all kinds of business collaboration cohesively. Businesses are clamoring for an easy way to connect and collaborate over audio and video, and share multi-media content across all their platforms from mobile devices, to desktops and laptops, to conference rooms,” said Stu Aaron, CCO of Blue Jeans Network.

Visit bluejeans.com for more information.

Top Apps in the Enterprise:

  • Twitter
  • Facebook
  • Box
  • Amazon CloudDrive
  • Microsoft Office 365
  • Google Drive
  • Google Plus
  • Dropbox
  • LinkedIn
  • Pinterest

—From the Netskope Cloud Report, April 2014

Top 20 Services:

• Facebook
• Amazon Web Services
• Twitter
• YouTube
• Salesforce
• LinkedIn
• Gmail
• Office 365
• Google Docs
• Dropbox
• Cisco WebEx
• Apple iCloud
• Pinterest
• Yahoo! Mail
• Pandora
• Weibo
• OneDrive
• ServiceNow
• Box
• Instagram

—Source: Skyhigh Networks’ Cloud Adoption & Risk Report, Q2, 2014

Questions to Ask Your Cloud Service Providers:

• What is the data encryption strategy and how is it implemented?
• What is the hypervisor and provider infrastructure-patching schedule?
• What is the drive-wiping standard used for recycled instances?
• How does you support your implementation of endpoint security?
• How do you isolate and safeguard my data from other customers?
• How is user access monitored, modified, and documented?
• Regulatory requirements: PCI, SOX, SSAE16?
• What is your back-up and disaster recovery strategy?
• What visibility will you offer my organization into security processes and events affecting my data from both front and back end of your instance?
• How do you ensure that legal actions taken against other tenants will not affect the privacy of my data?

—Supplied by Stephen Coty, Chief Security Evangelist, Alert Logic Inc., a Security-as-a-Service provider based in Houston, Texas

info

451 Research LLC
www.451research.com
Alert Logic Inc.
www.alertlogic.com
Netskope
www.netskope.com
www.netskope.com/blog/netskope-cloud-report-exception-sprawl/
Skyhigh Networks
www.skyhighnetworks.com