At the start of the year, Wisegate, the networking organization for IT and InfoSec professionals, issued a report on the Top IT Security Threats of 2013. The report opens with what these leaders say is the root cause of this year’s most concerning security threats within their organizations:
“Broadly speaking, the main threats that our members are seeing have one underlying root cause: the universe of available IT resources – devices, applications and services – is no longer fully controlled by an official IT department. By this we mean that business units and even individual end users can deploy their own resources such as smart phones, SaaS applications and cloud-based data storage that may not meet corporate security standards but that still have access to the company network or data. This introduces a wide range of IT security threats that are completely unintentional but no less real.”
According to the report, the consumerization of IT means that employees often use technologies and solutions with weak (or even non-existent) security controls to accomplish their work objectives. For example, workers use consumer-oriented data storage services because they are readily available and easy to use.
The use of these types of cloud applications – from storage and file transfer to collaboration and productivity – can put a company at risk for data loss, privacy issues, and non-compliance with regulations and governance controls. However, that doesn’t mean there isn’t value in using these applications. Workers are going to use whatever tools help them do their jobs—whether the tools are endorsed by the IT department or not. This is often referred to as Shadow IT.
The startup company Skyhigh Networks aims to solve the dilemma of cloud services that have insufficient security controls. Skyhigh calls itself a “cloud access security company.” With services to discover, analyze and secure cloud applications, Skyhigh enables companies to embrace cloud services by applying the appropriate levels of security, compliance and governance that a business needs. So, rather than blocking workers from using cloud services that help them increase their productivity, the IT department can, according to Skyhigh, support the use of such tools without compromising on security. Skyhigh’s capabilities add the security controls that are more commonly found with on-premise applications.
Skyhigh’s services are themselves cloud based, so they are easy to deploy and manage. Let’s take a look at the three main functions – discover, analyze, secure – that Skyhigh provides, and how they help to bring cloud applications under control.
Skyhigh Discover
Cloud use today is, in general, ad hoc and outside of the security controls and mechanisms that the IT organization has put in place. IT leaders have completely lost their visibility into what applications are actually being used, and where their data is going outside of the traditional data center.
Rajiv Gupta, Skyhigh’s CEO, says when he talks to prospective customers, they tell him their employees are using between 25 and 40 different cloud services. In reality, the average is between 400 and 500 cloud services, and in some cases it is more than 1,000, according to Gupta. Many CIOs are shocked to learn how many services are really in use. In almost every category of cloud service, employees are using many disparate and incompatible providers. While CISOs are concerned about the loss of control and visibility and the increase in data risk, CIOs are concerned about the roadblocks to collaboration and economies of scale engendered by this incompatible mess.
The Skyhigh Discover service uses an organization’s web traffic logs to determine the cloud services that employees are using. In less than an hour, according to Gupta, an administrator can view a dashboard that reveals precisely which cloud services are being used; which IP addresses are accessing them; how many people within the organization access each service, and how often and when. It’s a real eye-opener for IT administrators who want to regain control over where corporate data is going and how it is being protected.
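The kind of log-driven discovery described above can be illustrated with a short added example (not Skyhigh's code). The log field layout, the three-entry service catalogue and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue (registered domain -> service, category). Illustrative only.
CATALOGUE = {
    "dropbox.com": ("Dropbox", "storage"),
    "hightail.com": ("Hightail", "file transfer"),
    "salesforce.com": ("Salesforce", "crm"),
}

# Constructed proxy log. Assumed fields: time client_ip user method url status bytes_sent
SAMPLE_LOG = """\
2013-09-02T09:01:11Z 10.0.4.17 alice POST https://www.dropbox.com/upload 200 482113
2013-09-02T09:03:40Z 10.0.4.17 alice GET https://na1.salesforce.com/home 200 512
2013-09-02T09:05:02Z 10.0.7.23 bob POST https://dl.dropbox.com/put 200 1048576
2013-09-02T09:07:19Z 10.0.7.23 bob GET https://dropbox.com.example.net/login 200 300
2013-09-02T09:09:55Z 10.0.9.41 carol POST https://www.hightail.com/send 200 7340032
2013-09-02T09:10:00Z truncated line
2013-09-02T09:12:30Z 10.0.9.41 carol GET https://intranet.corp.example/wiki 200 220
"""


def match_service(host):
    """Match on whole domain labels so look-alike hosts are not miscounted."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        hit = CATALOGUE.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def discover(log_text):
    """Aggregate users, source IPs, request count and bytes sent per service."""
    usage = defaultdict(lambda: {"category": "", "users": set(), "ips": set(),
                                 "requests": 0, "bytes_sent": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[6].isdigit():
            continue  # skip malformed or truncated records
        _ts, ip, user, _method, url, _status, sent = parts
        hit = match_service(urlsplit(url).hostname or "")
        if hit is None:
            continue  # not a catalogued cloud service
        row = usage[hit[0]]
        row["category"] = hit[1]
        row["users"].add(user)
        row["ips"].add(ip)
        row["requests"] += 1
        row["bytes_sent"] += int(sent)
    return dict(usage)
```

Calling `discover(SAMPLE_LOG)` returns one row per catalogued service; the look-alike host `dropbox.com.example.net` and the truncated record are left out of the counts.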
Skyhigh Analyze
Skyhigh has analyzed more than 4,300 cloud services in detail to understand the risks they pose to user organizations. Once a company has discovered what services its workers use, the dashboard displays a composite risk score for each service. For example, there might be ten different data storage services in use, but some are better than others for enterprise use because they offer features such as encryption and user authentication. Skyhigh can recommend alternative services to replace high risk ones. Then the IT department can evaluate the lower risk services, set a company standard and block the use of the high risk services.
Skyhigh also analyzes cloud service usage for anomalous behavior. Consider the company that discovers an employee is downloading 500 contacts a day from its Salesforce.com database. With little context around this behavior, the company can’t know if 500 daily downloads are good or bad. However, Skyhigh can notify the company that the behavior is anomalous when compared to other users of Salesforce.com, where 20 downloads per day is the norm. The company can now explore the suspicious behavior to determine if data theft is a possibility.
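A peer-baseline check of the sort described above, as an added example (not Skyhigh's method). The per-user counts are constructed, and the median/MAD "modified z-score" with its conventional 3.5 threshold is an assumed choice of statistic; it is used here because a single 500-record user inflates the mean and standard deviation enough that a classic z-score stays below 3.

```python
from statistics import mean, median, pstdev

# Constructed data: records downloaded per user in one day from the same
# cloud application. One user pulls 500 while peers pull about 20.
DAILY_DOWNLOADS = {
    "u01": 18, "u02": 22, "u03": 20, "u04": 25,
    "u05": 15, "u06": 21, "u07": 19, "u08": 500,
}


def classic_z(counts, user):
    """Mean/standard-deviation z-score, shown for comparison only."""
    values = list(counts.values())
    return (counts[user] - mean(values)) / pstdev(values)


def modified_z(counts, user):
    """Robust score: distance from the peer median in units of the MAD."""
    values = list(counts.values())
    med = median(values)
    mad = median([abs(v - med) for v in values])
    scale = mad if mad > 0 else 1.0  # assumption: floor when all peers are identical
    return 0.6745 * (counts[user] - med) / scale


def peer_outliers(counts, threshold=3.5):
    """Return users whose volume is far above the peer norm, highest first."""
    scored = {u: modified_z(counts, u) for u in counts}
    flagged = [(u, counts[u], round(s, 1)) for u, s in scored.items() if s > threshold]
    return sorted(flagged, key=lambda f: f[2], reverse=True)
```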
The analysis tools in the Skyhigh service help companies make reasonable decisions based on real insight—the kind of insight that they otherwise can’t get from disparate cloud services. Take trends, for example. A Skyhigh customer can watch the growth of its users’ cloud services over time. Once the penetration of a specific service reaches a certain level – say 10% of all employees now use this service – the company can leverage this information to negotiate an enterprise license agreement with the service provider in order to reduce costs.
Skyhigh Secure
The Skyhigh Secure service offerings help to build enterprise security controls into cloud services that otherwise wouldn’t have them. This includes features such as application auditing, data encryption, data loss prevention, contextual access control, and consistent enforcement of corporate policies as data moves from mobile-to-cloud, premise-to-cloud, and cloud-to-cloud.
Skyhigh appears to have a unique and utterly frictionless way to enforce security policies when end users are accessing cloud apps from their mobile devices (i.e., BYOD). In the absence of Skyhigh, companies that want to enforce controls as workers access cloud services from their own smart phones and tablets typically require those people to utilize a VPN. Traffic from the devices is backhauled through the corporate network, and then sent to applications such as Office 365 or Salesforce.com, which can result in slow performance and a bad user experience.
Gupta says that Skyhigh can take the traffic from mobile devices to the cloud application without requiring a VPN or any agent or download on the device, or any backhaul through the corporate network. He said Skyhigh makes use of the Internet’s DNS infrastructure and traffic rerouting that takes a cloud application’s intended traffic through Skyhigh where corporate policies are applied before the traffic is sent back to the cloud app. The end user is authenticated, and corporate policies are then applied through Skyhigh. Following this, the user gets forwarded on for normal use of the cloud application—all in the background without any delay or other friction. Optionally the company can require the user to register their device at Skyhigh before allowing access to the cloud application—again without any download, agent, or other friction to the end user.
Another important security and governance feature Skyhigh says it provides is application auditing. Many regulations (think SOX, HIPAA, etc.) require companies to keep precise logs of important transactions—who has done what, and when. This is easy enough to do when all the transactions are behind the corporate firewall, but it’s a real challenge when they take place in a cloud application. Skyhigh says it brings the ability to audit and log all transactions, including reads and downloads from the cloud application, so if the data from a cloud application gets compromised, there is an audit trail to know who did what.
Many cloud applications – especially those designed for consumer use – don’t have the ability to encrypt data with keys held by the customer, so Skyhigh adds that capability. For example, workers may choose to use Hightail (formerly called YouSendIt) for cloud based data sharing. If Hightail gets compromised or if there is a blind subpoena by the federal government, the data can be disclosed without the owner’s knowledge. Skyhigh can encrypt data in this service to make it more palatable for enterprise use. Skyhigh provides cloud application encryption capabilities that do not break the functionality or the native user experience of the cloud application.
Many companies have deployed data loss prevention (DLP) solutions on-premise, and now Skyhigh can add DLP capabilities to cloud applications. For example, two employees are using Salesforce Chatter to converse about a client. The organization wants to make sure that no sensitive data such as Social Security numbers or credit card numbers get revealed in the conversation. Skyhigh can look for sensitive data and block it, encrypt it, or send alerts about it.
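A content check of the kind described above, as an added example (not Skyhigh's implementation): it finds U.S. Social Security numbers and payment card numbers in a chat message, uses the Luhn checksum to discard card-shaped strings that are not card numbers, and redacts what remains. The patterns, the redaction marker and the sample messages are constructed assumptions.

```python
import re

# SSN shape, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed chat messages.
MESSAGES = [
    "Client SSN is 123-45-6789, please update the record.",
    "Card on file: 4111 1111 1111 1111 exp 09/15",
    "Order ref 4111-1111-1111-1112 shipped",   # fails Luhn: not a card number
    "Ticket 000-12-3456 is closed",            # invalid SSN area: not an SSN
]


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, start, end) for each sensitive value, in text order."""
    findings = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Replace each finding with a marker; work right to left to keep offsets valid."""
    for kind, start, end in reversed(scan(text)):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text
```

The list returned by `scan` is what an alerting path would consume, while `redact` corresponds to blocking the value before the message is delivered.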
The Skyhigh Secure capabilities are available today for some of the most popular cloud applications (Salesforce, ServiceNow, Jive, Workday, Office 365, and others) and the company says it will continue to add more cloud applications as customers request them.
About Skyhigh Networks
The Cupertino-based company Skyhigh Networks was founded in March 2012 and launched in April 2013. It is backed by Greylock Partners and Sequoia Capital. Skyhigh says it already has a number of customers in the financial services, healthcare, high technology, media, manufacturing and legal industries. The company has partnerships with ISVs such as Salesforce, Workday, Microsoft, Egnyte, Hightail, Dropbox, Box, NetSuite, Google, Jive and Amazon.
“As we were building our company and our solution set,” says Gupta, “we talked to a number of CIOs and CSOs about their pain points. ‘Cloud’ came up over and over again, in terms of increasing agility while reducing costs, but there’s also a concern about the perils of cloud. They were used to having their IT environments under their control, and now with cloud computing it is out of their control. Skyhigh Networks helps organizations get visibility into and control of their employees’ use of third-party cloud services.”