Authored by: Brought to you by. Jim Reavis, President - Reavis Consulting Group Brandon Cook, Director, Product Marketing Skyhigh Networks

Transcription

1 Authored by: Brought to you by Jim Reavis, President - Reavis Consulting Group Brandon Cook, Director, Product Marketing Skyhigh Networks

2 ABSTRACT Shadow IT is a real and growing concern for enterprises and for the right reasons. An organization uses 738 cloud services on average, of which 16% can be characterized as highrisk and do not provide the security capabilities required by an enterprise. At the same time, over 200 enterprises have taken proactive steps to understand the size, scope, and risks of Shadow IT. They are using that information to gain insight into employee need, approve and encourage the use of appropriate low-risk cloud services, and secure confidential data at rest in cloud services. INTRODUCTION IT, security, and compliance practitioners have become familiar with the concept of Shadow IT. The term refers to information technology that is procured or managed outside of, and without the knowledge of, the IT department. While Shadow IT can refer to hardware, typically Bring Your Own Devices (BYOD), this whitepaper specifically focuses on the use of cloud services, which comprise the majority of Shadow IT today. Industry data shows that Shadow IT is widespread today. Skyhigh s quarterly Cloud Adoption and Risk Report shows that enterprises use an average of 738 cloud services today (SaaS, PaaS, and IaaS). More interesting perhaps, is the fact that on average the number of cloud services identified is 10-20x the number IT expects, meaning that 90-95% of cloud usage belongs in the Shadow IT category. 1 Furthermore, this phenomenon occurs at varying degrees across every industry, as shown below. 1 PAGE 2

3 AVERAGE NUMBER OF CLOUD SERVICES USED PER COMPANY, BY INDUSTRY Education Oil & Gas Healthcare Financial HighTech Utility Manufacturing Food & Beverage Media Services Recently, terms such as Rogue IT and Cockroach Technology have alternatively been used to describe the concept of Shadow IT. However, these terms inaccurately imply that employees are doing something deviant when they independently obtain IT services. In reality, the vast majority of Shadow IT results from employees simple desire for the ease of use, convenience, and higher productivity delivered to them by cloud service providers. In fact, some employees and departments are solving challenging business problems that can only be solved via solutions offered by cloud service providers. Greater usage of cloud computing is clearly the trend and a strategic objective within enterprises. Many have adopted a Cloud First policy, stating that any new IT initiative must first be carefully analyzed to determine if it can be fulfilled via cloud computing before any other alternative is considered. PAGE 3

4 Many cloud service providers have information security and risk management programs that exceed that of a typical enterprise. The same economies of scale that make cloud computing attractive also allow these cloud service providers to invest more into security technologies and expertise. It is by no accident that the preponderance of reported data breaches occur in legacy IT systems. However, while tier 1 cloud service providers have a good track record, many more cloud service providers have less credible security standards. In the context of this white paper, it may be best to think of the term Shadow IT as an indiscriminate procurement of cloud. By intelligently managing Shadow IT and turning it into The process each organization used to manage Shadow IT can be a quality improvement process, the enterprise achieves several generalized as: Identify Evaluate strategic objectives. Firstly, the enterprise is able to understand Remediate - Enable. the business drivers that led to cloud adoption and is able to capture institutional knowledge of important and much-needed innovation. Secondly, the enterprise is able to reduce the risks caused by Shadow IT. Thirdly, the enterprise is able to actually accelerate adoption of cloud computing and its associated gains in productivity and cost effectiveness by assuring that best fit solutions are selected. We will share the specific tactics used by progressive organizations that have moved beyond identifying Shadow IT and are now successfully managing it and enabling secure cloud usage for their employees. We will also provide metrics on the results of their efforts. The goal is to demonstrate how these organizations support cloud usage to drive productivity, reduce costs, and minimize the security and compliance risks of unapproved and unmanaged cloud usage in real-world scenarios. While the 200+ organizations that Skyhigh works with each have unique cloud usage profiles, risk tolerances, and compliance requirements, the process each uses to manage Shadow IT can be generalized into the following process: Identify Evaluate Remediate - Enable. IDENTIFYING SHADOW IT CLOUD USAGE As one would imagine, the first step to managing Shadow IT is identifying it. Enterprises have found that the most complete and reliable source of data on employee cloud usage is firewall and proxy log data. Log data analysis has the benefit of offering visibility into cloud usage metrics without introducing any friction to the employees and without exposing the content that employees upload to personal cloud services, which would PAGE 4

5 create privacy liabilities for the enterprise. Log data from firewalls and proxies has a disadvantage in that it does not provide visibility into cloud usage when the employees are off the corporate network. However the overwhelming consensus is that this approach gives the enterprise 90%+ visibility into employee cloud needs with minimal effort. The alternative approach, requiring employees to install Proxy auto-config (PAC) files and agents on their devices, is considered a non-starter because of the immense end-user friction, privacy violation, and operational complexity. Leveraging automated log data analysis, enterprises determined: Which cloud services employees were using Who was using each cloud service How much data was uploaded/downloaded to each cloud service Aggregating the anonymized cloud usage data of over 11 million employees at over 200 enterprises, we found that before addressing Shadow IT, the enterprises used an average of 849 cloud services. The most popular categories of cloud services are: Category Services Collaboration Marketing Cloud Infrastructure Development Content Sharing File Sharing Media Finance HR Networking PAGE 5

6 Across enterprises, the most popular enterprise and consumer cloud services were: Rank Enterprise Services Consumer Services Amazon Web Services Office 365 Salesforce.com Cisco WebEx Box Yammer ServiceNow SuccessFactors Adobe EchoSign LivePerson Concur Workday MSDN SAS OnDemand Github Zendesk Informatica Cloud Ariba Host Analytics Intralinks Facebook Twitter Apple icloud YouTube LinkedIn Dropbox Gmail Google Docs Pinterest Instagram Sina Weibo Tumbler Prezi Yahoo! Mail Flickr Evernote Photobucket Myspace Shutterfly VK EVALUATING SHADOW IT Once organizations identified the scope of their employees Shadow IT usage, the next step was to evaluate the usage to identify risks and uncover opportunities. By pairing automated log analysis with Skyhigh s cloud service registry, enterprises were able to evaluate the risk of their Shadow IT using a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA) that covers data, user and device, service, business, and legal attributes. PAGE 6

7 Before addressing Shadow IT, enterprises found that, on average, 16% of the cloud services used by employees were high-risk, 72% were medium-risk, and 12% were low-risk. Overall, we saw that before addressing Shadow IT, on average enterprises sent 31GB of data to high-risk cloud services per month. Furthermore, enterprises identified an average of 10 high-risk development services, 8 high-risk content sharing services, 20 high-risk collaboration services, and 6 high-risk file sharing services in use. Within file sharing, enterprises identified an average total of 99GB of data per month sent to 37 services by 10,100 employees. Of these services, an average of 16GB were sent to 6 high-risk services, 71GB to 26 medium-risk services, and 12GB sent to 5 low-risk services. Enterprises also examined the devices employees were using to access corporate data in the cloud. They found that the average employee used approximately 3 devices to access cloud services of which 1.1 devices on average was an unregistered BYO Device. This points to the challenges of asking employees to download PAC files or other agents on their personal devices. Organizations used big-data analytics on the cloud usage data and identified usage anomalies that indicated compromised Before addressing Shadow IT, enterprises found that, on average, accounts, security breaches, and insider threats. They also 16% of the cloud services used by evaluated the data to see if employees were unknowingly using employees were high-risk, certain types of cloud services, such as tracking services, which provide no value to the employees or to the business but expose the company to risk in the form of watering hole attacks. Before enterprises started to address Shadow IT, an average of 32 active tracking services were in use at every company. Benchmarking is an important part of any risk mitigation process. In order to benchmark risk, organizations use Skyhigh s CloudRisk Dashboard, which provides a 1-10 CloudRisk Score derived from service, user, and data risk. At the point just before beginning to remediate Shadow IT risks, enterprises had an average CloudRisk Score of 6.4. Armed with this information, organizations can set goals and make decisions on new policies, such as acceptable use parameters based on the risk of services, which will enable them to meet their goals. For instance, some cloud services may have valuable capabilities but are too risky to host corporate data, so the company may elect to allow access in read-only mode. PAGE 7

8 Evaluating Shadow IT is about more than identifying risks; it s about identifying opportunities, too. Progressive IT leaders understand that employees are voting with their feet when they adopt unsanctioned cloud services. For this reason, they evaluate Shadow IT usage to identify opportunities to better enable their employees with the services they need. They use this cloud visibility to find pockets of usage or usage trends to help shape sanctioned adoption. (See WSJ Article Cisco, H-P Use Shadow IT as a Roadmap) REMEDIATING SHADOW IT RISKS Once organizations have evaluated their Shadow IT usage Using Skyhigh and its integration with and identified areas of risk, the next step is to remediate firewalls and proxies, organizations those risks and educate employees so they can continue to enforced a wide range of coarseleverage cloud services but in a way that creates less risk to and fine-grain access policies across thousands of their cloud services. the organizations. Remediation typically occurs in two ways - both proactively through education, access control, and sanctioning of previously unapproved services, and reactively through investigation. In addition, with visibility into the Shadow IT services employees used, organization are able to bring highly utilized services out of the shadows, officially adopt them, and enforce the security, governance, and compliance policies they require. Using Skyhigh and its integration with firewalls and proxies, organizations enforced a wide range of coarse- and fine-grain access policies across thousands of their cloud services. Depending on the category, risk level, and usage, organizations enacted granular policies that would: Allow access Allow but monitor access Allow but educate users of service risks and acceptable use policy Enforce read-only access Block access and provide company-approved alternatives Rather than educating employees about security, governance, and compliance risks and policies at set intervals, organization found that the most effective way to influence employee cloud usage was through just-in-time education. Upon accessing a sensitive service, employees were educated about the security, governance, and compliance PAGE 8

9 risks so they could use the service in accordance with the company s policies. Upon attempting to access a high-risk service, employees were educated about the risks of the service and presented with alterative low-risk services with equivalent functionality. Organizations also reduced their risk through the use of anomaly detection, which was used to identify security breaches, compromised accounts, and data exfiltration. As part of the remediation workflow, administrators investigated anomalies, marked any false positives, adjusted thresholds, and added specific users to watchlists. In doing so, they were able to reduce the number of security incidents that resulted in data loss and reduced the extent of data loss when security incidents did occur. Upon illuminating their Shadow IT cloud usage, organizations also found it effective to officially adopt or sanction highly utilized yet previously unapproved services. They would then develop and enforce the security, governance, and compliance policies the organization required through encryption, data loss prevention and granular access control. After addressing Shadow IT, organization saw an 80% increase in the use of low-risk cloud services. Using these remediation techniques, organizations were able to substantially reduce the risk created by Shadow IT usage. They found that on average, after remediation, 8% of the cloud services used by employees were high-risk, 70% were medium-risk, and 22% were low-risk. This represented a 50% decrease in the use of high-risk cloud services and an 80% increase in low-risk cloud usage. While one may expect high-risk service usage to cease immediately once remediation begins, most organizations use a combination of education and blocking to discourage use of high-risk services, and in doing so gradually reduce high-risk service usage without negatively impacting employee productivity or their perception of IT. After addressing Shadow IT, on average enterprises sent 6.7GB of data to high-risk cloud services per month. Further, enterprises identified an average of 4.7 of high-risk development services, 2.5 high-risk content sharing services, 11.3 high-risk collaboration services, and 1.3 high-risk file sharing services in use, representing a 53%, 71%, 44%, and 78% reduction respectively. Within file sharing, enterprises reduced the amount of data sent to high-risk services to.5gb sent to 1.3 high-risk services, which indicates an overall reduction of 97% in data sent to high-risk rile sharing services per month. Overall, on average, enterprises reduced the volume of data sent per month to high-risk services by 82%. PAGE 9

10 By leveraging big-data analytics on the cloud usage data to identify usage anomalies, organizations reduced both the frequency and impact of compromised account, security breaches, and insider threat. They also reduced the number of tracking services divulging information about employee internet usage from an average of 32 to 4. By leveraging the aforementioned risk-mitigation tactics, enterprises saw a measurable reduction in their overall cloud risk. Specifically, the average enterprise reduced their CloudRisk Score by 59% - from 6.4 to 3.8. Attribute Before After Improvement High-Risk Service % 16% 8% 50% Monthly Data Sent to High-Risk Services 31GB 6.7GB 79% High-Risk File Sharing Services % Monthly Data Sent to High-Risk File Sharing Services 16GB.5GB 97% Active Tracking Services % Low-Risk Service % 12% 22% 83% Enterprise CloudRisk Score % While the results are significant and encouraging, they represent an average of 3-12 months of evaluation and remediation. Cloud security and enablement is a work in progress, and each organization expects the results to only improve over time. It is important to note that these benefits were obtained without employee friction or pushback. While employee engagement and employee perception of the IT organization were not measured, the anecdotal evidence overwhelmingly points to improved employee engagement and employee perception of the IT organization as their strategic partner. ENABLING SECURE CLOUD SERVICES Following identification, evaluation, and remediation, organizations have enabled highvalue and low-risk cloud usage. They do this by selecting approved cloud services for various functions and consolidating redundant services and licenses. The Cloud Adoption and Risk Report shows that, on average, enterprises use 125 collaboration and 37 file PAGE 10

11 sharing services. While the use of each service individually may increase productivity, the unmanaged sprawl actually inhibits productivity (it is difficult to collaborate or share files productively when every group or individual is using a different collaboration and file sharing service). Reducing the risk of using cloud services is a combined effort, and part of the responsibility is certainly shared by the cloud services providers themselves. The CSA Cloud Controls Matrix and Skyhigh CloudTrust Program outline 5 facets of cloud security that companies have evaluated when selecting approved cloud services. These facets are: Data, User & Device, Service, Business, and Legal. For the data-related capabilities, enterprises enabled services with encryption in transit, encryption at rest, data multi-tenancy, and data retention on termination. For the user and device capabilities, enterprises looked for services with authenticated user requirements, SAML or OATH identify federation, multi-factor authentication, and device access control. For the service capabilities, enterprises preferred services with penetration testing, supporting IP filtering, and offering detailed admin and user audit trails. Further, for business capabilities, enterprises enabled services that offered datacenter hosting locations that The CSA Cloud Controls Matrix and Skyhigh CloudTrust Program evaluate aligned with their privacy requirements, developed 5 facets of cloud security: Data, User and published a business continuity plan, obtained and & Device, Service, Business, and Legal. maintained third party certifications such as ISO and attestations such as AICPA SOC Type 2, and performed selfassessment, certification, and attestation with the CSA s Security, Trust, and Assurance Registry (STAR). Finally, companies filtered qualified services by their legal terms. They looked for prohibition of third party disclosure, compliance with Digital Millennium Copyright Act (DMCA) requirements, and terms defining IP ownership as belonging to the customer exclusively. Using the CSA Cloud Controls Matrix framework and data provided through the Skyhigh CloudTrust ratings, organizations selected approved cloud services and consolidated redundant Shadow IT services. They increased the percentage of low-risk services used by 83%, from 12% to 22%. They also consolidated redundant services in key categories and reduced the number of collaboration and file sharing services by 33% and 40%, PAGE 11

12 respectively. Just as important, organizations who consolidated enterprise and team licenses into enterprise licenses reduced their overall cloud license costs by an average of 6%, or $532,000 per year 2. As enterprises have become more discerning in selecting low-risk cloud services, providers have begun to implement the security capabilities required by their customers. Over the last 2 quarters, the number of services rated as high-risk has decreased by 25%. While the total number of high-risk services has not decreased over the last 24 months due to the large number of new, high-risk services introduced, 14% of services rated high-risk 24 months ago have addressed their security shortfall and are now rated medium-risk or better. Overall, 65 services have added encryption at rest, 101 have added multi-factor authentication, 122 have added SAML or OATH identify federation, and 311 have added regular penetration testing. In addition, as of this writing, 75 companies have completed the Organizations that consolidated CSA STAR self-assessment, and 23 companies have completed enterprise and team licenses into CSA STAR Certification or Attestation. enterprise licenses reduced their overall cloud license costs by an average of 6%, or $532,000 per year. It s useful to aggregate specific security capabilities and certifications to evaluate the overall enterprise-readiness of a cloud services. Skyhigh s CloudTrust Program evaluates over 7,000 cloud providers based on a framework developed in conjunction with the CSA, and deems those that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection as Skyhigh Enterprise-Ready. The number of services earning this distinction has increased by 51% over the same two-year period. Beyond selecting low-risk services, organizations have also implemented additional controls and capabilities to secure their cloud services and data. Using Skyhigh, they have protected data from security breaches by encrypting data in cloud services and maintaining control of encryption keys. Organizations have also met security, privacy, and regulatory requirements by leveraging Skyhigh to extend their DLP policies to the cloud. They have employed coarse- and fine-grain control to define access based on geography, device type, and device-based certificate validation. In doing so, organizations have enabled new cloud services that would not have been viable otherwise. 2 Quantifying the Value of Skyhigh, 2014 PAGE 12

13 IMPORTANT CONSIDERATIONS FOR EMPLOYEES As mentioned earlier, the vast majority of employees are simply trying to get their jobs done better, faster, and smarter when they adopt cloud services. That s why many enterprises take a trust but verify approach to cloud management. However, despite their best intentions, employees and their use of Shadow IT and sanctioned cloud services can and does expose their companies to risk, so they too must play a role in risk mitigation. Their first responsibility is to learn and understand the security, compliance, and governance risks associated with various categories of services and with specific services they use regularly. This education should be provided by the enterprise but must be consumed in earnest by the employees. Just as the enterprise respects the privacy of the user and does not monitor their personal and social accounts, the user must respect the usage policies defined by the enterprise and not use services or share data that violate those policies. The dynamic nature of the cloud industry makes this process challenging. As cloud services mature, they often implement additional security capabilities that reduce the risk of using their service. Conversely, if vulnerabilities are exposed or the service is breached, the risk of the service surges. With changes in assurance and trust levels, one-off audits become more difficult, so enterprises and their employees must unite and collaborate. Some organizations have even created policies permitting employees to select their own cloud services for use cases deemed low- and medium-risk. In these instances, employees are instructed to select services that carry important trust seals, such as those granted by the Skyhigh CloudTrust Program, and that offer continuous monitoring of security attributes for cloud services 3. Over the last 2 years, we ve seen 96% of enterprises offer cloud risk and policy education. Going one level deeper, 40% of organizations have implemented just-in-time education, which informs end-users of risks and policies at the point of access. Companies that employed the just-in-time education workflow saw a 68% decrease in the use of high-risk services. 3 PAGE 13

14 CONCLUSION With a 21% average reduction time in product time-to-market, 18% average increase in employee productivity, and 15% average reduction in IT spend 4, there is little doubt that the cloud provides value to businesses today. However, in order to reap these benefits, enterprises must remediate the risk vectors of Shadow IT and securely enable sanctioned cloud services for employees. Examining companies that have done this and attended to all three axes of Shadow IT usage, we have measured a quantifiable increase in the value of cloud for their employees and decrease in risk to the organization. 4 To gain visibility and control over the cloud, contact us today PAGE 1