Shadow IT is often used in a derogatory manner, but what if the apps and services a company's employees are bringing into the enterprise were actually the secret to their success? What if the efficiency and productivity gains your company is experiencing are owed, in part, to these apps that IT isn't responsible for sourcing and enabling? In this presentation Netskope discusses the challenges and opportunities that come from the use of rogue apps in the enterprise and how IT can turn the corner and end the catch-22 between enablement and security.
8. of CLOUD APPS
don’t make
the grade
75% Cloud App
Cloud App
Cloud App
Cloud App
REPORT CARD
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
9. Evaluating Apps on Objective Criteria
• Measure of a cloud app’s enterprise-readiness
• Based on the app’s security, auditability, and
business continuity
• Based on 30+ objective criteria adapted from the
Cloud Security Alliance
EXCELLENT HIGH MEDIUM LOW POOR
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
14. Example: User and Admin Audit
• Admin audit logs
• Change/upgrade notifications
• Data access logs
• Infrastructure status reports
• User audit logs
15. Example: Certifications and Compliance
• Compliance certifications
– HIPAA
– PCIDSS
– etc.
• Datacenter certifications
– SOC-1, -2
– ISO27001
– etc.
16. Key Capabilities
• Audit and alert capabilities
• Certifications and compliance
• Data classification capabilities
• Disaster recovery and business continuity
• Encryption
• File sharing
• Policy enforcement and access control
17. June 10, 201417
10% 90%
Most Organizations
Underestimate Cloud
App Usage by 90%
18. CLOUD HAS CREATED
A BLIND SPOT
The average number of security
While the percent of people stating they “don’t know”
Source: PwC
In the past 2 years…
if they’ve had a security breach increased 100%
incidents has risen 25%
19. The Multiplier Effect of a Cloud Breach
3.3 devices per
knowledge worker
50% of people share
content via unapproved
cloud services
90% of organizations
that lost sensitive
content via file sharing
5 out of top 10 data
breaches involved cloud
?
Source: Cisco Source: Ponemon
Source: CRNSource: Ponemon
0100
01
1 110 01 1
1010
20. Cost of a data breach:
$5.4 million
Source: Ponemon
• Remediation costs
• Brand and reputation impact
• Loss of intellectual property
• Fines for non-compliance
• Cost and time for reporting and prevention
21. Yet, people love their cloud
apps, and for good reason
Anywhere Access CollaborationProductivity
22. CAN’T COMPLY WITH
SOX, ETC.
• Public biosciences co. would like
to embrace cloud, but doesn’t
know what services are running
• Can’t evaluate new services
• Can’t attest to access/auth
usage for SOX and other regs,
e.g., HIPAA
23. POTENTIAL DATA LEAKAGE
• Large media firm discovered a
dozen cloud storage apps, plus
others in which data could be
shared
• IT must see what sensitive data are
being uploaded
• Then, see whether data are being
shared, and with whom
24. POST-EVENT FORENSICS
• High tech company suspects theft of
proprietary documents by a departing
employee
• IT must construct audit trail, showing user
download from corporate account and
subsequent upload to and share from
personal account
25. DISCOVER APPS &
EVALUATE RISK
• Discover all apps, known or not
• Objectively evaluate apps’
enterprise-readiness
• Score apps on security,
auditability, and business
continuity
26. ANALYZE USAGE
• Discover who’s using what apps,
from where, and on what device
• See what class of data are being
uploaded, downloaded, shared
• See with whom data are shared
27. LIMIT ACTIVITIES VS.
BLOCK APPS
• Rather than block an app, limit
usage (e.g., don’t share with
people outside of the company)
• Use context such as user, location,
device, data class, and user
activity
28. VERIFY AND THEN
TRUST
• Create risk model of scenarios
involving user, app, data, activity,
and other contextual factors
• Set watch lists on scenarios that
represent the most risk
29. CONSIDER CONTEXT IN
EVERYTHING YOU DO
• Consider contextual factors when
shining a light on shadow IT,
running analytics and setting
policies
• Think about user, group, location,
time, device, OS, app, and app
score
30. 1. DISCOVER cloud apps and evaluate risk
2. Analyze USAGE
3. LIMIT activities vs. blocking apps
4. VERIFY and then trust
5. Consider CONTEXT in everything you do
How many IT executives have this exact same sentiment – Dear Dropbox, I love you, I hate you. Essentially this is the dynamic at hand. On one side your users are finding a way to get their work done. Whole lines of business are taking advantage of these quick to procure and deploy tools.
Tools like Dropbox, Salesforce.com, Box, Evernote and the thousands of apps you may have never heard of. You want to enable and say “yes” but you also know that many of these introduce security risks that you can’t sit by and let stand un-mitigated.
And the pass of this growth and adoption isn’t slowing. IDC expects the Compounding Annual Growth Rate to be 5x from 2013 through 2017. That’s a freight train and your business is already on board whether you like it or not.
And this is a good thing, right? Look at this data from KPMG showing the rate of adoption as it relates to specific functions. And many of these business units view these cloud apps as business critical.
But you still have the problem of determining just who is using these apps and what they’re doing in them. You want details so you can have a better conversation about them.
Because if 72% of people admit that they’re using cloud apps without IT knowledge, that’s an overwhelming majority that you can’t shut down without detailed information.
Details like “are these apps enterprise-ready?” According to Netskope’s data, more than three quarters rated “Medium” or below in Netskope’s Cloud Confidence Index – that’s not enterprise-ready.
Netskope looks at these apps critically to score them.
Actual breakdown. Note that this is in terms of app counts. It is also reflected in our customer assessments – so it’s actually like this IN ENTERPRISES. Moreover, USAGE breaks down like this. In other words, not only do enterprises have these low-quality apps installed, but they’re being used in these same proportions.
And what they don’t know about is bigger than you’d think. In the assessments we do for our customers and prospects, our solution discovers about 10x their estimate of what they have.
But the fear is that without the visibility and control you’ve been able to exert in non-cloud environments, with the cloud you have a blind spot. Over the past two years, while the total number of incidents has risen by 25%, the number of people who DON’T KNOW how many incidents they’ve had has risen by 100%.
And among the most concerning of security incidents are data breaches. Because you’re now dealing with the cloud, the functionality that makes cloud so useful and collaborative also increases both the probability and potential surface area of a breach. Let’s talk through it.
Devices. Cloud makes it easy for people to access services from multiple devices. Couple that with the trend of multiple devices per user. A recent Cisco study indicates 3.3 devices per user. This increases the number of access points for the same service.
Sharing. This is something that the cloud has enabled that we’ve never been able to do before. But with the click of a button, people can now share a piece of content and that content is now out of the company’s control and potentially could be shared and shared again to an endless tapestry of connected endpoints.
Indeed, Ponemon took a look at just one aspect of cloud breaches – those in file sharing, or cloud storage, apps – and found that 90% of organizations reported losing sensitive content via file sharing technologies.
And even though these breaches often go undetected, the number of high-profile breaches involving the cloud is growing. CRN did a recent roundup of the top 10 data breaches and found that 5 involved cloud apps.
That’s what we call the multiplier effect of a cloud breach.
Ponemon estimates the cost of a data breach at $5.4 million. There are a number of factors that go into that number, and many intangibles that aren’t included.
But if you think about the top impacts of a breach, they include remediation costs, brand a reputation impact, loss of IP, fines, and of course both cost and time to do internal company and board-level reporting and engage in prevention activities, which can be incredibly time-consuming and cause a loss in productivity.
The cloud makes it really easy for them to do their jobs. And that’s what we all want, right?