Cloud
7/10/2014
12:00 PM

Cloud & The Fuzzy Math of Shadow IT

Do you know how many cloud apps, on average, are running in your organization? The number is probably greater than you think.

Organizations are adopting the cloud in a big way. Cloud computing now represents about 23% of IT spend, and its adoption has accelerated because it lets people get their jobs done more quickly, more easily, and more flexibly than traditional computing tools allow. Software-as-a-service, set to account for 60% of cloud services in 2017, has proliferated in enterprises and has now reached a tipping point.

IT has responsibility for some cloud apps. Most IT departments I’ve talked to say they are responsible for a handful of cloud deployments, ten at most, and estimate that 40-50 apps in total are running in their organization. In reality, the average is 461 cloud apps, according to our latest Cloud Report, an aggregated, anonymized measure of cloud app usage from the Netskope Active Platform.

This isn’t just individuals using apps like Dropbox and Twitter, though it is that too. It’s whole lines of business using apps, and not just a few of them: Workday, SuccessFactors, NetSuite, Zendesk, Marketo, GitHub, in every line of business, department, and workgroup. A more recent report shows an average of 47 cloud marketing, 41 HR, 32 collaboration, 27 storage, and 27 finance and accounting apps per enterprise. Even our four-person marketing team at Netskope uses 50 cloud apps.

Why is IT’s estimate so far out of whack? The reason is a combination of need and ease of procurement. Now more than ever, people are empowered to go outside of IT to get the tools they need, which means they are procuring, paying for, managing, and using these apps without IT’s involvement. Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT. This isn’t because people want to flout the rules. It’s because they need the best tools to get their jobs done, and fast, because, by God, their competitors will clean their clocks if they don’t.

Even IT realizes this necessity. A forward-leaning public sector CIO recently described to me a project he and his team took on to estimate the time it would take to complete every IT project on the docket. Their estimate: seven years. He used that figure to justify the rapid pursuit of cloud investments and to let non-IT groups make those investments themselves. Even with the budget and headcount to accelerate the roadmap, his team could not execute nearly fast enough to meet the organization’s needs. The only way for IT to be strategic to users and the business is to embrace cloud and help the business do the same.

Embracing cloud is the right answer, but it is not without risk. Two key risks are non-compliance and data loss or exposure. A recent Ponemon report, “Data Breach: The Cloud Multiplier,” found that 51% of survey respondents believe cloud apps are as secure as or more secure than on-premises applications. The same survey found that for every one percent increase in cloud service usage over a 12-month period, respondents estimate a 3% increase in the probability of a data breach. Taken linearly, an organization with 100 apps that adds 25 (a 25% increase in usage) would, by the respondents’ own estimate, raise its chance of a data breach by 75%. That is a survey estimate, not a measured breach rate, but the direction is well understood: cloud apps change how data is accessed and shared, and so increase the probability or the magnitude of a data breach, for three reasons.

For one thing, cloud usage is growing quickly within organizations, often without the knowledge of IT or the security team. Without that visibility, nobody can monitor for risky apps or for data leaving in violation of policy.

Second, cloud and mobile go hand in hand. Cloud apps offer easy access from anywhere and often provide native clients that make it possible, and in fact preferable, for users to reach them from multiple devices. Users are also acquiring and using more devices: Cisco reports an average of 3.3 devices per knowledge worker. The surface area for risks, threats, and policy violations is therefore greater today than ever before.

Finally, cloud apps make it easy to share data with others, which makes it easy for sensitive data to leave an organization’s control. Sharing is available not just in well-known cloud storage apps like Box and Dropbox, but in customer relationship management, business intelligence, and software development apps too. In fact, one out of every five cloud apps in use by our customers enables sharing, and 49 of the 55 app categories Netskope tracks contain apps that enable sharing. As we jokingly say around the office, “Shadow IT has a share button, and isn’t afraid to use it.”

Do you know how many cloud apps are running in your organization? Let’s chat about the security risks and rewards of bringing “shadow IT” into the light.

Krishna Narayanaswamy is a founder and chief scientist of Netskope, a leader in cloud app analytics and policy enforcement based in Los Altos, Calif. He is a highly regarded researcher in deep packet inspection, security, and behavioral anomaly detection and leads Netskope's ...
Comments
krishna@netskope.com
7/14/2014 | 9:17:00 PM
Re: Does no one ever question these numbers before publishing..
While it is hard to believe Gartner's prediction on technology spend outside of IT, it is one that may be a reality even before the end of the decade. One has only to look at the procurement process of cloud apps - it is very simple to self-sign in a portal and pay for it using a credit card. We are seeing lines of business within an enterprise sign up for multiple apps without IT involvement. Based on cloud app usage data that we processed over a wide range of industry verticals last quarter, we found an average of 461 cloud apps being used in an enterprise. And to top it - this was 9-10x more than the number the IT dept had estimated. So you can see the 90% number is not out of the realm of possibility.
Marilyn Cohodas
7/14/2014 | 3:06:56 PM
Re: Shadow IT's "share button"
Thanks, Krishna. Not long-winded at all, but very useful information. It sounds like a bit of a process from identifying & evaluating potential risk and then educating the users.
GAProgrammer
7/14/2014 | 3:05:38 PM
Does no one ever question these numbers before publishing..
or do you look at these quotes like "Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT" and let the source take the hit? 90%, really?

That's not even realistic, yet it gets published anyways. We all know what they say about statistics, but should we seriously put stock in companies that are constantly wrong? I guess if you work in meteorology, economics or as an "industry analyst", you can keep doing your job poorly and still make money. Guess I should have picked a different profession.

Gartner may be a big name, but does anyone ever actually research how often they are right, or does the name give it more weight by default?

krishna@netskope.com
7/14/2014 | 2:20:39 PM
Re: Shadow IT's "share button"
Excellent question Marilyn. IT departments can use the following methods to get an assessment of their cloud apps.

- analyze the log files of egress FW/proxy to identify the cloud apps that are being used in their enterprise (least intrusive - no need to add new equipment/software)

- once the apps are identified, they can assess the risk associated with these apps. Not all apps are created equal. There are over 150 cloud storage apps and their risk exposure is all over the spectrum. The risk rating of apps depends on a variety of criteria and is also specific to the category of apps (storage vs CRM vs productivity)

- a notch up is to have an in-line cloud access gateway that can not only provide visibility into usage of cloud apps in an enterprise but can do it at the activity level. In my previous post I had given the example of how a share activity in cloud storage can be very risky compared to an upload or download. The inline solutions will provide a more accurate picture of the risk exposure.

- after getting the current state of cloud app usage, IT depts can then coach users to move away from risky apps to more secure sanctioned apps that they procure.

This is a win-win solution for the IT dept and the users. The users get to use the cloud apps and the IT dept is in control of the risk exposure.

It was a long winded answer - but I hope I addressed your question.
Marilyn Cohodas
7/14/2014 | 8:07:24 AM
Re: Shadow IT's "share button"
Thanks for these best practices, Krishna. I'm wondering what suggestions you might have for IT departments in identifying and deploying enterprise cloud apps that employees like and will use without "going rogue" posing serious security risks. 
krishna@netskope.com
7/14/2014 | 1:54:54 AM
Re: Shadow IT's "share button"
The discussion in this thread highlights the catch-22 situation with Shadow IT. The benefits of adopting cloud apps to a business are quite clear. It helps collaboration, business agility, and simpler processes, which imply faster time to market and provide a competitive edge to enterprises. The pitfalls and risks of cloud apps are also quite evident as has been highlighted in this thread.

Here are some best practices (handy tips) to tackle this catch-22 situation

- first of all discover the extent of cloud apps proliferation in your enterprise and the associated risk.

- get visibility to the activity level of these cloud apps. For example, sharing a document outside the enterprise is more risky than uploading the document to a cloud storage app.

- develop and enforce policies that govern the cloud apps usage. This should include general access control policies as well as content-aware policies like DLP. This will address the compliance requirements highlighted in this thread.

- continuously monitor and tweak the policies that have been set based on business requirements.

Thanks for sharing your thoughts on this topic - keep them flowing.
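The discovery and activity-level visibility steps in Krishna's two replies above (analyze egress firewall/proxy logs to find the apps in use; then get visibility at the activity level, a share versus an upload) can be tried against a proxy log with a short script. What follows is an added example written for this page, not Netskope code or any product's logic: it parses constructed Squid-format access.log lines, matches destination hosts against a small constructed app catalog (the apps, categories and share flags in it are assumptions), counts distinct apps per category, and flags share activity from hypothetical URL-path patterns. Note what the CONNECT-only lines show: for TLS traffic the proxy does not intercept, the log yields the app name but not the action, which is exactly why the activity-level view needs an inline gateway or TLS inspection.

```python
"""Discover cloud apps from an egress proxy log and flag share activity.

Added example, not Netskope code. The Squid-style log lines and the app
catalog below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Squid native access.log layout, a common egress-proxy format:
# timestamp elapsed client code/status bytes method url user hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed catalog: domain suffix -> (app, category, app offers sharing).
# A real deployment would use a maintained app catalog; the share flags here
# are assumptions for the example, not vendor facts.
CATALOG = {
    "dropbox.com": ("Dropbox", "storage", True),
    "box.com": ("Box", "storage", True),
    "github.com": ("GitHub", "software development", True),
    "zendesk.com": ("Zendesk", "customer support", False),
    "marketo.com": ("Marketo", "marketing", False),
    "workday.com": ("Workday", "HR", False),
}

# Hypothetical URL-path patterns for a share / link-creation action; real apps
# differ, so these must be tuned per app.
SHARE_PATTERNS = [re.compile(p) for p in (r"^/share", r"^/s/", r"/share_link")]


def parse_line(line):
    """Fields of one Squid-format line as a dict, or None if it does not match."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(method, url):
    """Destination host. CONNECT lines carry only host:port, which is all the
    proxy sees for TLS traffic it does not intercept."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlparse(url).hostname or "").lower()


def classify(host):
    """Longest-suffix match of a host against CATALOG; None if unknown."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        entry = CATALOG.get(".".join(parts[i:]))
        if entry:
            return entry
    return None


def inventory(lines):
    """Apps per category, share events and unclassified hosts from log lines.

    Share activity is only detectable on lines that carry a full URL (traffic
    passing through TLS interception or an inline gateway). CONNECT-only logs
    yield app names but no activity detail, which is the visibility gap the
    thread describes."""
    apps = defaultdict(set)      # category -> {app}
    share_events = []            # (user, app, path)
    unknown_hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["method"], rec["url"])
        entry = classify(host)
        if entry is None:
            unknown_hosts.add(host)
            continue
        app, category, can_share = entry
        apps[category].add(app)
        if can_share and rec["method"] != "CONNECT":
            path = urlparse(rec["url"]).path
            if any(p.search(path) for p in SHARE_PATTERNS):
                share_events.append((rec["user"], app, path))
    return {
        "apps_by_category": {k: sorted(v) for k, v in apps.items()},
        "app_count": sum(len(v) for v in apps.values()),
        "share_events": share_events,
        "unknown_hosts": sorted(unknown_hosts),
    }


# Constructed sample: two CONNECT-only TLS tunnels, three inspected requests,
# one line of junk.
SAMPLE_LOG = """\
1405000001.101    312 10.1.2.3 TCP_TUNNEL/200 4096 CONNECT www.dropbox.com:443 alice HIER_DIRECT/1.2.3.4 -
1405000002.202    150 10.1.2.4 TCP_TUNNEL/200 2048 CONNECT api.github.com:443 bob HIER_DIRECT/1.2.3.5 -
1405000003.303     88 10.1.2.3 TCP_MISS/200 1024 GET https://www.dropbox.com/share/xyz?to=ext alice HIER_DIRECT/1.2.3.4 text/html
1405000004.404     95 10.1.2.5 TCP_MISS/200 512 POST https://app.box.com/files/upload carol HIER_DIRECT/1.2.3.6 application/json
1405000005.505     40 10.1.2.6 TCP_MISS/200 256 GET https://intranet.example.internal/home dave HIER_DIRECT/10.0.0.1 text/html
this line is not a proxy record
""".splitlines()

if __name__ == "__main__":
    result = inventory(SAMPLE_LOG)
    print(f"{result['app_count']} cloud apps in {len(result['apps_by_category'])} categories")
    for category, names in sorted(result["apps_by_category"].items()):
        print(f"  {category}: {', '.join(names)}")
    for user, app, path in result["share_events"]:
        print(f"  SHARE  {user} -> {app} {path}")
    print("  unclassified:", ", ".join(result["unknown_hosts"]))
```

Run it as-is to print the inventory for the sample, or feed `inventory()` real lines from a Squid access.log (adapt `SQUID_RE` for another proxy's format). The catalog lookup is the part worth investing in: without a maintained list of SaaS domains, most hosts land in `unknown_hosts`, which is the list to triage first when sizing shadow IT.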
Marilyn Cohodas
7/11/2014 | 2:30:42 PM
Re: Shadow IT's "share button"
Of course, HIPAA would be the stumbling block. (duh) But I can't imagine working in an environment where pagers, paging, and phone tag is the rule. Healthcare definitely has an uphill climb...
Alison_Diana
7/11/2014 | 2:03:41 PM
Re: Shadow IT's "share button"
I was talking about SMS texting with the CIO and the discussion was focused on healthcare, so it's a very specific industry example. Hospitals don't want physicians or nurses texting each other via standard texting since it's not secure or HIPAA-compliant -- yet hospital medical staff get fed up with the standard means of communication (things like pagers, paging, and endless games of phone tag). As an alternative, they may invest in secure texting apps that give the same immediacy as SMS but meet HIPAA rules.
Marilyn Cohodas
7/11/2014 | 9:45:55 AM
Re: Shadow IT's "share button"
Interesting, that the hospital CIO singled out SMS texting. What was their reasoning? Or is that just an example of a rogue app flying under the radar. It's hard to imagine texting as a rogue app since it's so ubiquitous and ingrained. 
Charlie Babcock
7/10/2014 | 4:25:01 PM
And who cleans up the data breach mess?
It's always fun to be the rebellious end user, but what if someone in IT is fired due to a data breach caused by Shadow IT activity? More likely, the business user causing the breach would get fired, but it's hard to say where responsibility begins and ends with so many parties able to opt out and choosing to do so. It's an old problem but I've little doubt professional IT gets called in in the end to clean up the messes.