Cloud & The Fuzzy Math of Shadow IT

Do you know how many cloud apps, on average, are running in your organization? The number is probably greater than you think.

Organizations are adopting the cloud in a big way. Cloud computing now represents about 23% of IT spend, and adoption has accelerated because it lets people get their jobs done more quickly, more easily, and more flexibly than traditional computing tools allow. Software-as-a-service, set to account for 60% of cloud services in 2017, has proliferated in enterprises and has now reached a tipping point.

IT has responsibility for some cloud apps. Most IT departments I’ve talked to say they are responsible for a handful of cloud deployments, maybe 10 at most, and estimate that 40-50 apps in total are running in their organization. In reality, the average is 461 cloud apps, according to our latest Cloud Report, an aggregated, anonymized measure of cloud app usage from the Netskope Active Platform.

This isn’t just individuals using apps like Dropbox and Twitter, though it is that too. It’s whole lines of business using apps, and not just a few of them: Workday, SuccessFactors, Netsuite, Zendesk, Marketo, and GitHub. It’s every line of business, department, and workgroup. A more recent report shows an average of 47 cloud marketing apps, 41 HR apps, 32 collaboration apps, 27 storage apps, and 27 finance and accounting apps per enterprise. Even our four-person marketing team at Netskope uses 50 cloud apps.

Why is IT’s estimate so out-of-whack? The reason is a combination of need and procurement ease. Now more than ever people are empowered to go outside of IT to get the tools they need. This means they are procuring, paying for, managing, and using these apps without IT’s involvement. Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT. This isn’t because people want to flout the rules. It’s because they need the best tools to get their jobs done -- and fast -- because, by God, their competitors will clean their clocks if they don’t.

Even IT realizes this necessity. A forward-leaning public sector CIO recently described to me a project he and his team took on to estimate the time it would take to complete all of the IT projects on the docket. Their estimate: seven years. He used this calculation to justify the rapid pursuit of cloud investments and to facilitate non-IT groups making those investments. Even with the budget and additional headcount to accelerate the roadmap, his team could not execute nearly fast enough to meet the needs of the organization. The only way for IT to be strategic to users and the business is to embrace cloud and help the business do the same.

Embracing cloud sounds like the right answer, and it is, but it is not without risk. Two key risks are non-compliance and data loss or exposure. A recent Ponemon report, “Data Breach: The Cloud Multiplier,” found that 51% of survey respondents believe cloud apps are as secure as or more secure than on-premises applications. The same survey also found that for every 1% increase in cloud service usage over a 12-month period, respondents estimated a 3% increase in the probability of a data breach. Extrapolating linearly, an organization that has 100 apps and adds 25 would see its chance of a data breach rise by 75%. Two caveats before quoting that figure: it is a respondent estimate, not a measured breach rate, and the 75% is a relative increase in probability, not 75 percentage points. The direction is right, though. Cloud apps introduce capabilities that change the computing dynamic and therefore increase the probability or the magnitude of a data breach, for three reasons.

For one thing, cloud usage is growing quickly within organizations, often without IT or the security team’s knowledge. This lack of visibility makes it impossible to monitor for the existence of risky apps and data violations.

Second, cloud and mobile go hand in hand. Cloud apps offer easy access from anywhere, and often provide native apps that make it possible (and in fact preferable) for users to access them from multiple devices. Users are also acquiring and using more devices. Cisco reports an average of 3.3 devices per knowledge worker. This means that the surface area for risks, threats, and policy violations is greater today than ever before.

Finally, cloud apps make it easy to share data with others, which makes it easy for sensitive data to get out of an organization’s control. Sharing is available in not just well-known cloud storage apps like Box and Dropbox, but in customer relationship management, business intelligence, and software development too. In fact, one out of every five cloud apps in use by our customers enables sharing, and 49 out of the 55 app categories Netskope tracks have apps that enable sharing. As we jokingly say around the office, “Shadow IT has a share button, and isn’t afraid to use it.”

Do you know how many cloud apps are running in your organization? Let’s chat about the security risks and rewards of bringing “shadow IT” into the light.

Krishna Narayanaswamy is a founder and chief scientist of Netskope, a leader in cloud app analytics and policy enforcement based in Los Altos, Calif. He is a highly regarded researcher in deep packet inspection, security, and behavioral anomaly detection and leads Netskope's ...
Re: Does no one ever question these numbers before publishing..
While it is hard to believe Gartner's prediction on technology spend outside of IT, it is one that may be a reality even before the end of the decade. One has to only look at the procurement process of cloud apps - it is very simple to self sign-up in a portal and pay for it using a credit card. We are seeing lines of business within an enterprise sign up for multiple apps without IT involvement. Based on cloud app usage data that we processed over a wide range of industry verticals last quarter, we found an average of 461 cloud apps being used in an enterprise. And to top it - this was 9-10x more than the number the IT dept had estimated. So you can see the 90% number is not out of the realm of possibility.
Marilyn Cohodas,
User Rank: Strategist
7/14/2014 | 3:06:56 PM
Re: Shadow IT's "share button"
Thanks, Krishna. Not long-winded at all, but very useful information. It sounds like a bit of a process from identifying & evaluating potential risk and then educating the users.
User Rank: Guru
7/14/2014 | 3:05:38 PM
Does no one ever question these numbers before publishing..
or do you look at these quotes like "Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT" and let the source take the hit? 90%, really?

That's not even realistic, yet it gets published anyways. We all know what they say about statistics, but should we seriously put stock in companies that are constantly wrong? I guess if you work in meteorology, economics or as an "industry analyst", you can keep doing your job poorly and still make money. Guess I should have picked a different profession.

Gartner may be a big name, but does anyone ever actually research how often they are right, or does the name give it more weight by default?
Re: Shadow IT's "share button"
Excellent question Marilyn. IT departments can use the following methods to get an assessment of their cloud apps.

- analyze the log files of egress FW/proxy to identify the cloud apps that are being used in their enterprise (least intrusive - no need to add new equipment/software)

- once the apps are identified, they can assess the risk associated with these apps. Not all apps are created equal. There are over 150 cloud storage apps and their risk exposure is all over the spectrum. The risk rating of apps depends on a variety of criteria and is also specific to the category of apps (storage vs CRM vs productivity)

- a notch up is to have an in-line cloud access gateway that can not only provide visibility into usage of cloud apps in an enterprise but can do it at the activity level. In my previous post I had given the example of how a share activity in cloud storage can be very risky compared to an upload or download. The inline solutions will provide a more accurate picture of the risk exposure.

- after getting the current state of cloud app usage, IT depts can then coach users to move away from risky apps to more secure sanctioned apps that they procure.

This is a win-win solution for the IT dept and the users. The users get to use the cloud apps and the IT dept is in control of the risk exposure.

It was a long-winded answer - but I hope I addressed your question.
Marilyn Cohodas,
User Rank: Strategist
7/14/2014 | 8:07:24 AM
Re: Shadow IT's "share button"
Thanks for these best practices, Krishna. I'm wondering what suggestions you might have for IT departments in identifying and deploying enterprise cloud apps that employees like and will use without "going rogue" posing serious security risks.
Re: Shadow IT's "share button"
The discussion in this thread highlights the catch-22 situation with Shadow IT. The benefits of adopting cloud apps to a business are quite clear. It helps collaboration, business agility, and simpler processes, which imply faster time to market and provide a competitive edge to enterprises. The pitfalls and risks of cloud apps are also quite evident, as has been highlighted in this thread.

Here are some best practices (handy tips) to tackle this catch-22 situation

- first of all discover the extent of cloud app proliferation in your enterprise and the associated risk.

- get visibility to the activity level of these cloud apps. For ex. sharing a document outside the enterprise is more risky than uploading the document to a cloud storage app.

- develop and enforce policies that govern cloud app usage. This should include general access control policies as well as content-aware policies like DLP. This will address the compliance requirements highlighted in this thread.

- continuously monitor and tweak the policies that have been set based on business requirements.

Thanks for sharing your thoughts on this topic - keep them flowing.
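An added example, not the commenter's or Netskope's code, of the discovery steps Krishna lays out in his two replies above: sweep egress proxy logs to inventory the cloud apps in use, then look at the activity level so a share stands out from an ordinary upload. The script walks constructed proxy log lines, maps each destination host to a small assumed catalog of apps and categories, classifies requests with hypothetical URL-path signatures, and flags share activity and anything touching a high-risk app. The log layout, the catalog, the risk tiers, the activity signatures and the app "ExampleShare" are all assumptions for illustration; a real sweep would use the proxy's actual log format and a maintained app catalog.

```python
"""Inventory cloud apps from egress proxy logs and flag activity-level risk.

Added example for this thread, not the commenter's or Netskope's code.
The log layout, the app catalog, the risk tiers and the activity
signatures are all constructed assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed catalog: registrable domain -> (app name, category, risk tier).
# The tiers are illustrative placeholders, not real ratings.
APP_CATALOG = {
    "dropbox.com": ("Dropbox", "storage", "medium"),
    "box.com": ("Box", "storage", "low"),
    "github.com": ("GitHub", "devtools", "low"),
    "workday.com": ("Workday", "hr", "low"),
    "sharefiles.example": ("ExampleShare", "storage", "high"),  # hypothetical app
}

# Hypothetical activity signatures: (HTTP method, path regex, activity).
# First match wins, so the share rule is tested before the generic upload rule.
ACTIVITY_RULES = [
    ("POST", re.compile(r"/(share|sharing|shared_link)\b"), "share"),
    ("POST", re.compile(r"/(upload|files/content)\b"), "upload"),
    ("GET", re.compile(r"/(download|files/content)\b"), "download"),
]

# Assumed proxy log layout: timestamp user src_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample traffic, not real data.
SAMPLE_LOG = """\
2014-07-10T09:12:01Z alice 10.0.0.5 GET https://www.dropbox.com/home 200
2014-07-10T09:12:07Z alice 10.0.0.5 POST https://api.dropbox.com/2/files/upload 200
2014-07-10T09:13:44Z alice 10.0.0.5 POST https://api.dropbox.com/2/sharing/create_shared_link 200
2014-07-10T09:20:10Z bob 10.0.0.9 GET https://github.com/acme/app 200
2014-07-10T09:21:30Z bob 10.0.0.9 POST https://sharefiles.example/api/share 200
2014-07-10T09:25:00Z carol 10.0.0.12 GET https://www.workday.com/ 200
2014-07-10T09:26:00Z carol 10.0.0.12 GET https://news.example/ 200
garbage line that does not match the format
"""


def lookup_app(host):
    """Match a hostname to the catalog, walking up parent domains so that
    api.dropbox.com resolves to dropbox.com. The bare TLD is never tried."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def classify_activity(method, path):
    """Map a request to an activity name; unmatched requests are 'other'."""
    for rule_method, pattern, activity in ACTIVITY_RULES:
        if method == rule_method and pattern.search(path):
            return activity
    return "other"


def inventory(lines):
    """Summarise discovered apps, unknown hosts, activities and alerts."""
    requests_per_app = Counter()   # app name -> request count
    category_of = {}               # app name -> category (apps actually seen)
    activities = Counter()         # (app, activity) -> count
    unknown_hosts = set()
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        url = urlsplit(m["url"])
        host = url.hostname or ""
        entry = lookup_app(host)
        if entry is None:
            unknown_hosts.add(host)  # kept for catalog review, not silently dropped
            continue
        name, category, risk = entry
        requests_per_app[name] += 1
        category_of[name] = category
        activity = classify_activity(m["method"], url.path)
        activities[(name, activity)] += 1
        # Sharing moves data outside the enterprise, so it is flagged in any
        # app; any activity in a high-risk app is flagged as well.
        if activity == "share" or risk == "high":
            alerts.append({"user": m["user"], "app": name,
                           "activity": activity, "risk": risk})
    return {
        "requests_per_app": requests_per_app,
        "apps_per_category": Counter(category_of.values()),
        "activities": activities,
        "unknown_hosts": unknown_hosts,
        "alerts": alerts,
    }


if __name__ == "__main__":
    summary = inventory(SAMPLE_LOG.splitlines())
    print(f"{len(summary['requests_per_app'])} cloud apps seen:",
          dict(summary["requests_per_app"]))
    print("apps per category:", dict(summary["apps_per_category"]))
    print("unknown hosts to review:", sorted(summary["unknown_hosts"]))
    for alert in summary["alerts"]:
        print("ALERT", alert)
```

Two points of the design matter in practice. Hosts that are not in the catalog are collected rather than discarded, because the gap between "the 40-50 apps IT knows about" and the real number lives precisely in the unmatched hosts. And the share rule fires on the URL path, which is only possible when the proxy logs full URLs for TLS traffic; a firewall that logs only destination IPs or SNI names will give you the app inventory but not the activity level, which is the gap the in-line gateway in Krishna's third bullet closes.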
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 2:30:42 PM
Re: Shadow IT's "share button"
Of course, HIPAA would be the stumbling block. (duh) But I can't imagine working in an environment where pagers, paging, and phone tag is the rule. Healthcare definitely has an uphill climb...
User Rank: Moderator
7/11/2014 | 2:03:41 PM
Re: Shadow IT's "share button"
I was talking about SMS texting with the CIO and the discussion was focused on healthcare, so it's a very specific industry example. Hospitals don't want physicians or nurses texting each other via standard texting since it's not secure or HIPAA-compliant -- yet hospital medical staff get fed up with the standard means of communication (things like pagers, paging, and endless games of phone tag). As an alternative, they may invest in secure texting apps that give the same immediacy as SMS but meet HIPAA rules.
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 9:45:55 AM
Re: Shadow IT's "share button"
Interesting, that the hospital CIO singled out SMS texting. What was their reasoning? Or is that just an example of a rogue app flying under the radar. It's hard to imagine texting as a rogue app since it's so ubiquitous and ingrained. 
Charlie Babcock,
User Rank: Ninja
7/10/2014 | 4:25:01 PM
And who cleans up the data breach mess?
It's always fun to be the rebellious end user, but what if someone in IT is fired due to a data breach caused by Shadow IT activity? More likely, the business user causing the breach would get fired, but it's hard to say where responsibility begins and ends with so many parties able to opt out and choosing to do so. It's an old problem but I've little doubt professional IT gets called in in the end to clean up the messes.