Cloud software-as-a-service (SaaS) applications are being adopted at an unprecedented rate. While enterprises leverage established cloud services such as Salesforce.com and Microsoft Office 365, employees also subscribe to less prominent services, including Evernote and Prezi, with or without their IT department's permission or knowledge.
CIOs across the board agree that they have no accurate count of the services in use on their networks, no way to secure their networks against risky services, and no way to manage safe cloud service use by employees.
Below are some best practices for enterprises to follow to ensure that their organizations benefit from the wave of cloud adoption, all in a safe and secure manner. These steps revolve around discovering unknown services in use called “shadow IT,” gaining insight into risks these services pose and risky usage by employees, and managing and controlling which SaaS services are permitted and how they are allowed to be used. By following these steps, enterprises can proactively enable employees with the cloud services that will best meet their needs, while ensuring an overall safe enterprise network.
1) Start with Visibility: Your employees are already using cloud services; get a handle on your current cloud exposure and extent of shadow IT. This discovery of cloud exposure is a continuous activity because the velocity of new cloud service introduction and use is only increasing; a one-time snapshot will rapidly get stale.
2) Gain Service Insight: Not all cloud services are risky. Get an objective understanding of the risk of every cloud service in use by your employees. Bucket the services into broad categories so that you can compare like with like. For example, you may find that your employee pool is using both Box and 4Shared; both are data sharing cloud services, but Box is low risk while 4Shared is high risk. Find the service with the lowest risk in each category, consider establishing a commercial relationship with that provider, and promote that service across your employee pool while discouraging or blocking the use of higher risk services in the same category. As with visibility, the risk assessment of services is a continuous activity.
3) Gain Usage Insight: Not all uses of cloud services are risky. Conversely, and more importantly, the use of even a low risk cloud service may itself be high risk, for example if someone tries to download all the contacts from your Salesforce.com instance before joining a competitor. Detect anomalous use that may indicate a security breach or data loss. This comes in two flavors: a) your confidential data stored in a cloud service may be at risk, as in the example above; and b) your confidential data from within the enterprise may be exfiltrated through a cloud service. For example, confidential data such as product plans may be exported 140 characters at a time through Twitter, which your firewalls and proxies today cannot block (even if they are configured to block Twitter.com, there are newer paths to Twitter that existing egress infrastructure does not yet classify). Usage insight also helps identify which services and categories are most useful, and therefore most used, by your employees, which can inform IT investment decisions. Furthermore, it can help determine the optimal number of licenses needed for a particular service based on actual use.
4) Use the Visibility and Insight to Control: Control may take the form of blocking certain services, for example, blocking the use of high risk services in a category in which low risk services are promoted. Some control can be enforced at the existing edge of the enterprise such as through a service that delivers configurations for existing egress devices. Remember that these configurations will change over time as new high risk services need to be blocked. In general visibility and insight shine light and expose the shadow IT problem, and the control functionality then converts that shadow IT into IT that meets the corporation’s operations, security, governance, risk and compliance practices.
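Steps 1 through 4 describe one pipeline: discover which services appear in egress traffic, bucket them by category and risk, flag anomalous use (a bulk download from a sanctioned service, or many small uploads to a microblogging service), and turn the result into a promote/block plan per category. The following is an added example, not code from the article or from Skyhigh Networks; the service catalog, the risk tiers, the log format and the log lines are all constructed for illustration, and the thresholds (ten times the median response size, more than five small posts) are arbitrary assumptions.

```python
"""Added example: shadow IT discovery, risk bucketing, anomaly detection and
control planning over constructed proxy log lines. Catalog, risk tiers and log
format are assumptions made for this example."""
from collections import defaultdict
from statistics import median

# Constructed catalog: host -> (service, category, risk tier). Tiers are illustrative.
CATALOG = {
    "app.box.com": ("Box", "file sharing", "low"),
    "www.4shared.com": ("4Shared", "file sharing", "high"),
    "na1.salesforce.com": ("Salesforce", "crm", "low"),
    "api.twitter.com": ("Twitter", "social", "medium"),
}
RISK_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed proxy log: timestamp user host method bytes_out bytes_in
SAMPLE_LOG = """\
2014-03-01T09:00:01 alice app.box.com GET 512 204800
2014-03-01T09:01:10 bob www.4shared.com POST 3145728 1024
2014-03-01T09:02:30 carol na1.salesforce.com GET 800 150000
2014-03-01T09:03:00 dave na1.salesforce.com GET 900 160000
2014-03-01T09:05:45 erin na1.salesforce.com GET 1200 52428800
2014-03-01T09:06:00 frank api.twitter.com POST 140 200
2014-03-01T09:06:20 frank api.twitter.com POST 140 200
2014-03-01T09:06:40 frank api.twitter.com POST 140 200
2014-03-01T09:07:00 frank api.twitter.com POST 140 200
2014-03-01T09:07:20 frank api.twitter.com POST 140 200
2014-03-01T09:07:40 frank api.twitter.com POST 140 200
2014-03-01T09:20:00 gina unknown-saas.example GET 300 4000
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, method, out_b, in_b = line.split()
        records.append({"ts": ts, "user": user, "host": host, "method": method,
                        "bytes_out": int(out_b), "bytes_in": int(in_b)})
    return records


def discover(records):
    """Step 1: every service seen in egress traffic, known or unclassified, and who uses it."""
    found = {}
    for r in records:
        name, category, risk = CATALOG.get(r["host"], (r["host"], "unclassified", "unknown"))
        entry = found.setdefault(name, {"category": category, "risk": risk,
                                        "users": set(), "requests": 0})
        entry["users"].add(r["user"])
        entry["requests"] += 1
    return found


def plan_controls(found):
    """Steps 2 and 4: per category, promote the lowest-risk service, block high-risk peers."""
    by_category = defaultdict(list)
    for name, e in found.items():
        if e["risk"] in RISK_RANK:  # unclassified services need review, not an automatic rule
            by_category[e["category"]].append((RISK_RANK[e["risk"]], name))
    plan = {}
    for category, services in by_category.items():
        services.sort()
        promote = services[0][1]
        block = [n for rank, n in services if rank == RISK_RANK["high"] and n != promote]
        plan[category] = {"promote": promote, "block": block}
    return plan


def bulk_download_alerts(records, factor=10):
    """Step 3a: one request pulling far more data than is typical for that service."""
    sizes = defaultdict(list)
    for r in records:
        sizes[r["host"]].append(r["bytes_in"])
    alerts = []
    for r in records:
        seen = sizes[r["host"]]
        if len(seen) >= 3 and r["bytes_in"] > factor * median(seen):
            service = CATALOG.get(r["host"], (r["host"],))[0]
            alerts.append((r["user"], service, r["bytes_in"]))
    return alerts


def drip_exfil_alerts(records, max_small_posts=5, small=256):
    """Step 3b: a user making many small uploads to a social service."""
    counts = defaultdict(int)
    for r in records:
        svc = CATALOG.get(r["host"])
        if svc and svc[1] == "social" and r["method"] == "POST" and r["bytes_out"] <= small:
            counts[r["user"]] += 1
    return sorted(u for u, c in counts.items() if c > max_small_posts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = discover(recs)
    for name, e in found.items():
        print(f"{name}: {e['category']}/{e['risk']} users={sorted(e['users'])}")
    print("plan:", plan_controls(found))
    print("bulk downloads:", bulk_download_alerts(recs))
    print("drip uploads:", drip_exfil_alerts(recs))
```

Running the block prints the discovered services (including the unclassified host, which a real deployment would queue for risk assessment), a plan that promotes Box and blocks 4Shared in the file sharing category, a bulk download alert for the Salesforce user whose single response dwarfs the others, and a drip upload alert for the user posting repeatedly to Twitter. The block list is the input to the egress device configurations step 4 describes, and it has to be regenerated as the catalog and the traffic change.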
5) Identify and Manage Enterprise Cloud Services: Opt in select services that are enterprise-critical, sanctioned, and procured, such as Salesforce, Box, Office 365, Google, etc., so that access to those services requires the employee to use their corporate identity to reach your enterprise's account at the service. That account can then be controlled both in terms of who can access it and what happens to your data sitting at the service. Also make sure that your controls are enforced consistently for on-premise-to-cloud access as well as for access from corporate-issued and personally-owned mobile devices, without requiring traffic from those devices to be back-hauled (through a VPN) into your enterprise edge first, and without introducing friction (such as agents or other footprint on the mobile devices) for the end user, because friction engenders shadow IT.
6) Get Ahead of the Game: Find services that you should proactively introduce to your employees and business units by getting access to the cloud adoption best practices pertinent to your industry. This way the IT organization moves from a "just say no" entity to be avoided and bypassed (leading to shadow IT) to an organization seen as an enabler of the business. Employees are then incented to work with IT, which helps them get the best of cloud services without compromising the enterprise's needs for operational efficiency, security, governance, risk and compliance.
Rajiv Gupta is co-founder and CEO of Skyhigh Networks.
Edited by Alisen Downey