As more businesses turn toward the cloud for applications and services, many are beginning to experience what is referred to as “shadow IT,” a set of services and applications that are beyond the knowledge and control of corporate IT.
For some business units, the concept of shadow IT sounds like a viable solution to their IT request problems. However, shadow IT brings with it significant risks, such as lack of governance, compliance violations, policy violations and the potential loss of intellectual property.
Ironically, business managers try to justify “shadow IT” with the claim that it eliminates the need for costly corporate IT support. Yet there is such a serious danger of shadow IT causing even more costly security and compliance problems that corporate IT must get involved. Skyhigh is one of those tools corporate IT executives use to discover how big a problem shadow IT is in their organization. Then they can implement policies to bring it under control.
What’s more, Skyhigh functions as a resource to calculate the ROI of cloud services, showing whether or not a particular service is economically viable for a particular business need, thanks to the service’s instant analysis capability. Then Skyhigh returns control of services back to IT, by incorporating a zero footprint click control feature, which can authorize or block access to cloud services based upon policy controls.
A Closer Look at Skyhigh
Let’s start with the good news. Skyhigh is a cloud-based service that requires little in the way of installation, dedicated hardware or configuration. But here is the bad news: Skyhigh is a cloud-based service that resides out on the Internet and requires access to your egress device log files to function.
However, both the good news and the bad news are subjective and depend on how the network is implemented and managed. For example, if the target network is for a multinational company, then access by a service across international borders or use of foreign data centers can become a compliance violation. On the other hand, distributed networks that already use cloud services should have no worries with using Skyhigh.
As a hosted service, configuration proves to be quite easy; it just comes down to providing the service with access to the various logs that track the traffic on the network. The Skyhigh platform then analyzes the log information and creates extensive analytical reports that provide insight into the cloud services that are connected to the network.
Service discovery is part of the analytics process that Skyhigh performs, and it gives detailed information about what Web services are in use, by whom and when. That information can be presented via drill-down screens, reports or a combination of visual and text references that make it simple to identify whether those services violate company policy, are high risk, threaten compliance, or are potential avenues for intrusion or data compromise.
Skyhigh is founded on the concept of discovery, in other words knowing what is happening on the network—at least as far as cloud services are concerned. The very concept of stealth IT has introduced hundreds, if not thousands, of cloud-based applications to the corporate network, including the more obvious applications such as Box.net, Dropbox.com and many others.
Skyhigh does an excellent job of discovering what cloud applications are actually running. While testing the product, I was able to discover dozens of cloud applications running on the test network, many of which I had forgotten about or had not even realized had been implemented on the network. With that in mind, Skyhigh becomes a very powerful tool to prevent data leakage and maintain compliance.
Skyhigh Brings Order to Cloud With Advanced Control Techniques
Naturally, the problem of stealth IT goes beyond basic cloud applications, such as file-sharing services and social networking. Many companies are discovering that employees are using services such as Google Apps, Zoho, Gmail, Workday and so on. While those applications may have legitimate uses, IT still needs to know if any corporate (or intellectual property) data is being stored or transmitted across those services.
Simply put, a document stored on Google Docs that contains corporate information may very well violate compliance policies. Although the violation is not intentional, it is still something that may turn up in an audit, resulting in a fine.
If IT is aware of those hosted services or Web apps, then IT can properly educate users on what falls within company guidelines and policies, preventing what could be a major compliance violation or security breach.
Nevertheless, discovery is only part of the Skyhigh story. Analytics also plays a major role in what Skyhigh can bring to a business. For example, I was able to run several reports that not only offered traffic trending information, but also the details required to execute forensics. The drill-down methodology offered by the reporting capabilities allowed me to delve deeper into a service and find out whether or not it was blocked or accessed, when and by whom.
Of course, monitoring and identifying Web applications is only part of a viable security tool; one must be able to react to the possible threats that some of the services may contain. Here, Skyhigh uses policies to generate scripts that can be inserted into egress devices, which can block Web apps. I was able to quickly and easily define rules to prevent access to Facebook, Twitter, Google APIs and so on. The ability to block access proved to be a critical methodology for combating shadow IT and maintaining compliance.
What’s more, the analytical capabilities allowed me to discover anomalies in access. For example, if a service such as SourceForge or Dropbox is rarely used and then spikes in usage, it shows up as an anomaly, allowing me to investigate what exactly is happening—such as someone sending source code or large customer lists outside of the network.
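The log-driven discovery and spike detection described above can be sketched in a few lines. This is an added example, not Skyhigh's code or method: the log format, the service catalogue, the thresholds and all function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed catalogue (assumption); a real one covers thousands of services.
SERVICES = {"dropbox.com": "Dropbox", "sourceforge.net": "SourceForge", "box.net": "Box"}

# Constructed egress proxy log, assumed format: date user url bytes_sent
SAMPLE_LOG = """\
2013-05-01 alice https://www.dropbox.com/upload 12000
2013-05-02 alice https://www.dropbox.com/upload 9000
2013-05-03 bob https://dl.dropbox.com/upload 15000
2013-05-06 carol https://www.dropbox.com/upload 48000000
2013-05-06 carol https://sourceforge.net/projects/x 4000
2013-05-06 dave https://intranet.example.com/wiki 2000
malformed line here
"""

def service_for(host):
    """Match the host or any parent domain against the catalogue."""
    parts = host.lower().split(".")
    hits = (SERVICES.get(".".join(parts[i:])) for i in range(len(parts) - 1))
    return next((h for h in hits if h), None)

def discover(log_text):
    """Return {service: {day: {"bytes": n, "users": set}}} for known services."""
    usage = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "users": set()}))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        day, user, url, sent = fields
        svc = service_for(urlsplit(url).hostname or "")
        if svc:
            rec = usage[svc][day]
            rec["bytes"] += int(sent)
            rec["users"].add(user)
    return usage

def spikes(usage, factor=10, floor=1_000_000):
    """Flag days whose outbound volume exceeds factor x the median of earlier days."""
    alerts = []
    for svc, days in usage.items():
        for day, rec in sorted(days.items()):  # ISO dates sort chronologically
            prior = [r["bytes"] for d, r in days.items() if d < day]
            baseline = median(prior) if prior else 0
            if rec["bytes"] >= floor and rec["bytes"] > factor * baseline:
                alerts.append((svc, day, rec["bytes"], sorted(rec["users"])))
    return alerts
```

The floor keeps small services from alerting on noise, and a first-ever day above the floor is flagged because it has no baseline to compare against.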
Another capability worth mentioning is the ability to enforce encryption, certificate use and other methods of protecting data while it’s in motion. For those organizations that leverage Web services as part of their line-of-business capabilities, the importance of encryption cannot be stressed enough.
Skyhigh, as part of its ability to control services, is able to enforce key usage or certificate policies. The product accomplishes that by aliasing the domain, meaning that traffic meant for the service must pass through another step before arriving at its intended destination. That is where the encryption/key policy enforcement can take place. This proves to be a simple solution to what many view as a complex problem.
All things considered, Skyhigh accomplishes the goal of taming and securing Web services, while combating the ills of shadow IT. What’s more, Skyhigh is a zero footprint service, meaning that no investments in hardware, additional software or other ancillary items are needed, making it very easy to calculate the true costs and risks of unfettered Web access.