Making Shadow IT Work
Jun 29, 2015
Dear ,
I love you, I hate you.
Regards, The CIO
CLOUD CAGR FOR ‘13-’17 WILL BE 5X OF IT INDUSTRY AS A WHOLE
ORGANIZATIONS ARE PUTTING THE CLOUD TO WORK FOR BUSINESS
Who?
What?
When?
with Whom?
72% of people admit to using unsanctioned CLOUD APPS
* OneLogin Survey 2012
75% of CLOUD APPS don’t make the grade
[Figure: Cloud App REPORT CARD]
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
Evaluating Apps on Objective Criteria
• Measure of a cloud app’s enterprise-readiness
• Based on the app’s security, auditability, and business continuity
• Based on 30+ objective criteria adapted from the Cloud Security Alliance
EXCELLENT HIGH MEDIUM LOW POOR
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
[Chart: share of cloud apps by rating. Values as extracted: 1%, 22%, 34%, 16%, 27%. Rating labels: EXCELLENT, HIGH, MEDIUM, LOW, POOR]
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
Reasons Apps Do Well and Fall Short
* Netskope Research, Adapted from CSA’s Cloud Controls Matrix
Example: User and Admin Audit
• Admin audit logs
• Change/upgrade notifications
• Data access logs
• Infrastructure status reports
• User audit logs
Example: Certifications and Compliance
• Compliance certifications
  – HIPAA
  – PCI DSS
  – etc.
• Datacenter certifications
  – SOC-1, -2
  – ISO 27001
  – etc.
Key Capabilities
• Audit and alert capabilities
• Certifications and compliance
• Data classification capabilities
• Disaster recovery and business continuity
• Encryption
• File sharing
• Policy enforcement and access control
Most Organizations Underestimate Cloud App Usage by 90%
CLOUD HAS CREATED A BLIND SPOT
In the past 2 years…
• The average number of security incidents has risen 25%
• While the percent of people stating they “don’t know” if they’ve had a security breach increased 100%
Source: PwC
The Multiplier Effect of a Cloud Breach
• 3.3 devices per knowledge worker
• 50% of people share content via unapproved cloud services
• 90% of organizations that lost sensitive content via file sharing
• 5 out of top 10 data breaches involved cloud
Sources: Cisco, Ponemon, CRN, Ponemon
Cost of a data breach:
$5.4 million
Source: Ponemon
• Remediation costs
• Brand and reputation impact
• Loss of intellectual property
• Fines for non-compliance
• Cost and time for reporting and prevention
Yet, people love their cloud apps, and for good reason
• Anywhere Access
• Collaboration
• Productivity
CAN’T COMPLY WITH SOX, ETC.
• Public biosciences co. would like to embrace cloud, but doesn’t know what services are running
• Can’t evaluate new services
• Can’t attest to access/auth usage for SOX and other regs, e.g., HIPAA
POTENTIAL DATA LEAKAGE
• Large media firm discovered a dozen cloud storage apps, plus others in which data could be shared
• IT must see what sensitive data are being uploaded
• Then, see whether data are being shared, and with whom
POST-EVENT FORENSICS
• High tech company suspects theft of proprietary documents by a departing employee
• IT must construct audit trail, showing user download from corporate account and subsequent upload to and share from personal account
DISCOVER APPS & EVALUATE RISK
• Discover all apps, known or not
• Objectively evaluate apps’ enterprise-readiness
• Score apps on security, auditability, and business continuity
ANALYZE USAGE
• Discover who’s using what apps, from where, and on what device
• See what class of data are being uploaded, downloaded, shared
• See with whom data are shared
LIMIT ACTIVITIES VS. BLOCK APPS
• Rather than block an app, limit usage (e.g., don’t share with people outside of the company)
• Use context such as user, location, device, data class, and user activity
VERIFY AND THEN TRUST
• Create risk model of scenarios involving user, app, data, activity, and other contextual factors
• Set watch lists on scenarios that represent the most risk
CONSIDER CONTEXT IN EVERYTHING YOU DO
• Consider contextual factors when shining a light on shadow IT, running analytics and setting policies
• Think about user, group, location, time, device, OS, app, and app score
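The "limit activities vs. block apps" and "verify and then trust" slides, sketched as an added example (not code from the deck or from any vendor product): a per-activity decision that uses context, plus a watch list for the departing-employee scenario. The event field names, the data class labels, the `example.com` domain and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"   # assumed corporate e-mail domain
LOW_SCORES = {"LOW", "POOR"}     # bottom of the deck's five-level rating scale

@dataclass(frozen=True)
class Event:                     # all field names are hypothetical
    user: str
    app: str
    app_score: str               # EXCELLENT / HIGH / MEDIUM / LOW / POOR
    instance: str                # "corporate" or "personal" account
    activity: str                # "upload", "download" or "share"
    data_class: str              # e.g. "public", "confidential"
    device: str                  # "managed" or "unmanaged"
    shared_with: str = ""        # recipient domain, share events only

def decide(ev):
    """Limit a risky activity instead of blocking the whole app."""
    sensitive = ev.data_class == "confidential"
    # An empty or unknown recipient domain is treated as external (fail closed).
    if ev.activity == "share" and ev.shared_with.lower() != COMPANY_DOMAIN:
        return "deny", "share outside the company"
    if ev.activity == "upload" and sensitive and ev.app_score in LOW_SCORES:
        return "deny", "confidential upload to a low-scoring app"
    if ev.activity == "download" and sensitive and ev.device == "unmanaged":
        return "deny", "confidential download to an unmanaged device"
    return "allow", "no limit matched"

def watch_list(events):
    """Flag a corporate-account download followed by a personal-account upload."""
    downloaded, hits = set(), []
    for ev in events:            # events are assumed to be in time order
        if ev.activity == "download" and ev.instance == "corporate":
            downloaded.add(ev.user)
        elif (ev.activity == "upload" and ev.instance == "personal"
              and ev.user in downloaded):
            hits.append((ev.user, ev.app))
    return hits

SAMPLE = [  # constructed events, not real telemetry
    Event("alice", "StorageA", "HIGH", "corporate", "share", "confidential", "managed", "example.com"),
    Event("alice", "StorageA", "HIGH", "corporate", "share", "confidential", "managed", "partner.test"),
    Event("bob", "StorageB", "POOR", "personal", "upload", "confidential", "managed"),
    Event("carol", "StorageA", "HIGH", "corporate", "download", "confidential", "managed"),
    Event("carol", "StorageC", "MEDIUM", "personal", "upload", "confidential", "managed"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.user, ev.app, ev.activity, *decide(ev))
    print("watch list:", watch_list(SAMPLE))
```

Carol's upload is allowed by the per-activity policy yet still lands on the watch list, which is the point of pairing the two: the policy limits what is clearly out of bounds, and the watch list surfaces sequences that only look risky in context.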
1. DISCOVER cloud apps and evaluate risk
2. Analyze USAGE
3. LIMIT activities vs. blocking apps
4. VERIFY and then trust
5. Consider CONTEXT in everything you do
THANK YOU