Shadow IT. It's not a new term and certainly not a new challenge. But with only blunt-force solutions like saying "no" or blocking cloud services at the firewall, IT has not been able to do much to address the challenge. This is all changing. Business and IT leaders alike see real value in cloud services and want to take a lean-forward approach to enabling them. The reality, though, is that cloud services are not without their risks, and the risk of a data breach increases when the cloud is involved. Hear from Netskope about the risks, economic impact, and multiplier effect of a cloud data breach, and how forward-looking organizations are walking the razor’s edge to mitigate these risks while enabling the cloud.
7. The following are contributors to the cloud multiplier effect:
Cloud app adoption
Mobile and consumerization
Ease and speed of data sharing
8. Increase use and increase probability
If your organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability (and expected economic impact) of a data breach by 75%.
9. We looked at 2 data breach types:
Loss or theft of 100,000 customer records
Theft of high-value information
12. The probability-adjusted estimated economic impact
11.8% of $20.1M = $2.37M
25.4% of $11.8M = $2.99M
13. Effects of cloud on the probability of theft or loss of 100,000 or more customer records
Use of cloud services (SaaS)
Backup and storage of sensitive and/or confidential information
Increase use of cloud by 50% in 12 months
14. Effects of cloud on the probability of theft of high-value information
Use of cloud services (SaaS)
Backup and storage of sensitive and/or confidential information
Increase use of cloud by 50% in 12 months
16. Invisible to IT
36% of business-critical apps are in the cloud. IT isn't aware of nearly half of them.
30% of business information resides in the cloud. IT doesn't have visibility into more than one third of it.
17. People love their cloud apps, and for good reason
Love doesn't have to be blind
19. MEASURE: Discover the cloud apps running in your enterprise
• 3rd-party tools like Netskope can analyze firewall logs (and other sources) for this information
• Resist the urge to immediately blacklist unsanctioned apps
23. ACT: Plot a course of action based on risk and usage criticality
• Use objective criteria for assessing apps. The Cloud Controls Matrix from CSA is a good start, and vendors have taken this to a whole new level.
• After risk, look at usage, including the nature of the content. This will help triage policy enforcement next steps, especially when hundreds of apps are in play.
• Risky usage can be more important than app risk.
24. ACT: Plot a course of action based on risk and usage criticality
ANALYZE: Understand the context of app usage at a deeper level
MEASURE: Discover the cloud apps running in your enterprise
25. The real face of shadow IT is you and me.
Ultimately, this is simply unmanaged risk.
26. Allow is the new block
Editor's notes
Cloud computing is one of the most dramatic workplace shifts we’ve seen in decades. When we think about cloud app growth, it’s often about individuals’ usage of apps like Box and Dropbox. The reality is every line of business is adopting cloud apps, whether for HR, finance, supply chain, or business intelligence. Mobile, the other major crossover we’re seeing – with mobile devices and access surpassing that of PCs in virtually every measure – has fueled this shift. Cloud is no longer a question – it’s the way we do business.
There are nearly 5,000 enterprise apps today. This is up from 3,000 six months ago, and we’re adding somewhere in the range of 100-150 of these apps per month on average. These are the most common apps and some apps you’ve never even heard of. I talk to customers who a year ago were trying to get their heads around deployments of apps we’ve all heard of, like Evernote and HipChat… today these customers are calling me about apps like Trello and Seamless. These apps aren’t just growing up in numbers, they’re growing out in category redundancy – we’ll talk about that in a minute. But why is this happening? How has it come to be?
The answer is closer to you than you think. Reach into your pocket and pull out your phone. Take out that tablet. Grab one of the three devices we all carry around with us every day… We love these devices and we love these apps!
And why wouldn’t we? In nearly every survey, people cite “business agility” as the primary driver for cloud adoption – even more so than cost. People want to be productive now, not after the software rollout next spring. They want to access apps from any of their devices (we now count an average of 3.5 devices per knowledge worker). And they want to collaborate with colleagues and business partners in a seamless, frictionless way.
Beyond paving the way for productivity gains, this shift has also created a new opportunity for IT – to become an enabler and innovator in facilitating the use of these apps.
All of this is troubling to IT departments. When we talk to CIOs and CISOs there’s just a lot of uncertainty and anxiety about the quickly changing environment and pace of change. We’ve seen this before with other trends like mobile.
We wanted to find out the effect this was having on the perceived vulnerability and how cloud might affect the estimated economic impact of a data breach. We asked the Ponemon Institute to conduct a study. They surveyed more than 600 IT and security professionals, all of whom had knowledge of their organization’s use of cloud services; 61% of them report to the CIO.
IT considers the following to be contributors to the cloud multiplier effect:
Cloud app adoption
Mobile and consumerization
Ease and speed of data sharing
According to survey respondents, if you increase use of cloud services, you increase the probability of a data breach. By 3.1x actually, depending on the scenario involved.
So, for example, if your organization had 100 cloud apps and added 25 more in a 12-month period, you would increase your probability of a data breach by 75%.
We examined two types of data breaches:
Loss or theft of 100,000 or more customer records
Theft of high-value information such as intellectual property
In the study of data breaches over the years, these are commonly used methods of examination.
Leveraging previously calculated amounts from actual data breaches we know that the baseline cost of a data breach is $20.1 million for the loss or theft of 100,000 or more customer records and $11.8 million for the theft of high-value information. This comes from the Ponemon Institute’s study of the Cost of a Data Breach conducted with IBM in May of 2014.
This survey considered respondents’ answers and determined that their estimated baseline probability of a data breach of these two types was 11.8% and 25.4% respectively. This is, essentially, how they feel about their current environment, absent any changes. This is not “before cloud” and doesn’t consider how much they are, or are not, using the cloud today. It’s simply their “current state”.
So, if you multiply the baseline cost of a breach by their estimated probability today, you get a probability-adjusted estimate of the economic impact.
11.8% times $20.1 million gets you to $2.37 million for the loss or theft of 100,000 or more customer records.
25.4% times $11.8 million gets you to $2.99 million for the theft of high-value information.
Of course, if a data breach of one of these types were to happen to them, then the actual cost would be different, but this gives us a baseline from which to work.
The baseline established previously is important for estimating the economic impact that comes from increasing use of cloud in the enterprise. For instance, if you increase the use of SaaS by 50% in a 12-month period, you increase the probability of the loss or theft of 100,000 or more customer records by 2.6 times. When you factor in the probability-adjusted economic impact, the cost goes up from $2.37 million to $6.08 million.
Similarly, if you increase the use of cloud-based backup and storage for your sensitive or confidential information, you increase the probability of theft of high-value information by 1.6 times. When you factor in the probability-adjusted economic impact, the cost goes up from $2.99 million to $4.93 million.
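The calculation above is a standard expected-loss model: expected impact = probability of breach × cost of breach, with the "cloud multiplier" scaling the probability. The following Python is an added example (not code from the deck, Netskope or the Ponemon study) that carries the deck's figures through that model. It assumes the 3.1x multiplier applies linearly to the fractional growth in cloud usage, i.e. p_after = p_baseline × (1 + 3.1 × growth); under that assumption, 25% growth gives a 77.5% rise and 50% growth a 2.55x rise, which the deck rounds to 75% and 2.6x. The scenario names and function names are this example's own.

```python
"""Probability-adjusted breach impact and the cloud multiplier effect.

Added example, not from the original deck. Model:
    expected_impact = breach_probability * cost_of_breach
    p_after = p_baseline * (1 + multiplier * usage_growth)   # assumption
The multiplier 3.1 is quoted in the deck; applying it linearly to
usage growth is this example's assumption, not the study's method.
"""
from dataclasses import dataclass

CLOUD_MULTIPLIER = 3.1  # "3.1x" from the deck; linear scaling is assumed


@dataclass(frozen=True)
class BreachScenario:
    name: str
    cost_musd: float      # cost of one breach of this type, in $M (deck: Ponemon/IBM 2014)
    baseline_prob: float  # respondents' estimated probability absent any change


# Scenarios and figures as stated in the deck.
CUSTOMER_RECORDS = BreachScenario("loss/theft of 100,000+ customer records", 20.1, 0.118)
HIGH_VALUE_INFO = BreachScenario("theft of high-value information", 11.8, 0.254)


def expected_impact(prob: float, cost_musd: float) -> float:
    """Probability-adjusted economic impact, in $M."""
    if not 0.0 <= prob <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return prob * cost_musd


def usage_growth_from_counts(apps_before: int, apps_after: int) -> float:
    """Fractional growth in cloud usage, e.g. 100 -> 125 apps is 0.25."""
    if apps_before <= 0:
        raise ValueError("need a positive baseline app count")
    return (apps_after - apps_before) / apps_before


def probability_increase_pct(usage_growth: float, multiplier: float = CLOUD_MULTIPLIER) -> float:
    """Relative rise in breach probability, in percent, under the linear model."""
    return multiplier * usage_growth * 100.0


def probability_after_growth(baseline_prob: float, usage_growth: float,
                             multiplier: float = CLOUD_MULTIPLIER) -> float:
    """Scale the baseline probability; a probability can never exceed 1.0."""
    if usage_growth < 0:
        raise ValueError("this model only covers growth in cloud usage")
    return min(1.0, baseline_prob * (1.0 + multiplier * usage_growth))


def project(scenario: BreachScenario, usage_growth: float,
            multiplier: float = CLOUD_MULTIPLIER) -> dict:
    """Baseline and projected expected impact for one scenario."""
    base = expected_impact(scenario.baseline_prob, scenario.cost_musd)
    p_after = probability_after_growth(scenario.baseline_prob, usage_growth, multiplier)
    after = expected_impact(p_after, scenario.cost_musd)
    return {
        "scenario": scenario.name,
        "baseline_impact_musd": base,
        "adjusted_prob": p_after,
        "adjusted_impact_musd": after,
        "impact_ratio": after / base,
    }


if __name__ == "__main__":
    growth = usage_growth_from_counts(100, 125)
    print(f"100 -> 125 apps: +{probability_increase_pct(growth):.1f}% breach probability")
    for scenario in (CUSTOMER_RECORDS, HIGH_VALUE_INFO):
        r = project(scenario, 0.5)  # the deck's "increase use of cloud by 50%" case
        print(f"{r['scenario']}: ${r['baseline_impact_musd']:.2f}M -> "
              f"${r['adjusted_impact_musd']:.2f}M ({r['impact_ratio']:.2f}x)")
```

The useful part for a risk review is not the arithmetic but the shape of the model: the cost figure is an external estimate, the probability is a perception survey, and the multiplier is a single scalar, so every projected dollar figure inherits the uncertainty of all three. Swapping in your own cost and probability estimates per scenario is the intended use.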
Survey respondents indicate that IT is still skittish about BYOD and that increasing access to cloud apps from personally owned mobile devices increases the probability of a data breach by 124 percent.
Visibility into the use of cloud services is a big component of the challenge and why we think that the perceptions reflected in this study are resulting in the cloud multiplier effect. When business-critical apps are in the cloud and IT can’t see half of them, this is naturally going to lead to uncertainty about security and the perception that cloud will lead to an increased probability of a data breach.
Love doesn’t have to be blind.
So, let’s start to talk about some solutions and how we find our way out of this morass. Here are a few things IT can do to get a better handle on things.
Step 1: Let’s rip off our blindfolds. Seeing is believing, and knowing definitively the number of cloud apps people are using in your enterprise is the first step.
Your firewall alone isn’t going to be able to tell you this. You need a tool that’s tuned to see the 5,000+ apps in existence that traverse your firewall or web gateway. And to be honest, that’s just the beginning. The portion of apps that will never touch a perimeter device is growing, so consider how you discover in real time, beyond the network and in remote and mobile situations.
Once you discover, take a moment and resist the urge to blacklist apps. You’ll find that many of these apps are actually considered business-critical today.
Context is critical, and you’d be surprised how deep an understanding you can get.
Understand:
App risk
Who is using the service and where they’re using it from
The devices that are being used to access these apps
The content, and whether it’s sensitive or not
The types of activities people are conducting in these apps. In the case of sharing, understand who they are sharing with.
Act: With all the information you’ve gathered, you can start to come up with a plan and start making decisions.
When doing this, don’t think that you alone must assess every app. There are companies out there that will provide this information for you and some of them are leveraging the Cloud Controls Matrix from CSA. This matrix provides guidance for people in plain English and I think they’ve done a good job at capturing the criteria that should be used to evaluate cloud services.
The usage/popularity of apps can really help guide your triage. If a particularly risky app is being used by 300 people, you need to be a lot more thoughtful about your next steps than if it’s 1 or 2 people. Unless of course that 1 person is the CEO… and then you’ve got another problem on your hands. :)
And remember that context matters. The usage of an app can be risky, and this is another pivot point you should consider in your triage. Coming at it from an activity point of view can be helpful: saying “I want to look at sharing first, regardless of app risk.”
Here, in summary. I think it’s a good starting point and I hope you think so too. Because ultimately… <click>
Here’s the real face of shadow IT. A lot of the time it’s not at all sinister. They’re people like you and me, getting their jobs done and trying to do a better job of that all the time. And for IT, let’s just face it: it’s a risk that has gone unmanaged, and for quite some time now. So let’s do something about it…
But while we do, let’s remember not to repeat the heavy-handed sins of the past. Instead, remember a simple mantra:
Allow is the new block. This is something that Netskope talks about a lot, and I think it’s a good way to think about it.
Thank you very much for your time and attention today -- I hope you enjoy the rest of the meeting and find me after if you have any questions.