A startup vendor has released a report that rates the security features of some of the most popular cloud applications currently operating in enterprise settings, but those ratings can't simply be used to block riskier apps, according to the company's CEO.
Having just left stealth mode with over $21 million in funding, Los Altos, Calif.-based Netskope measured the security of over 2,600 cloud applications as part of its report on cloud app security, which the company plans to release quarterly. Based on real-time cloud app usage data collected from enterprise customers, the vendor scored the apps on 30 security parameters, including audit logging and the separation of customers' data in the cloud.
Netskope CEO Sanjay Beri said the driving force behind the report was to educate both consumers and enterprises about the security of cloud applications. In particular, he noted that many enterprises simply don't understand what is going on in the cloud, especially when it comes to apps they use, but didn't purchase. Some of Netskope's enterprises customers are unaware, for example, of how many cloud applications are being actively used, whether documents are being shared outside the company, or even if sensitive documents are being shared with the proper protections.
Beri does not want enterprises to make the mistake of simply blocking apps based on their security ranking, though. In fact, he described the approach of blocking apps as "old school." Security teams can no longer indiscriminately say "No" to applications when business units are more productive with them, he continued. Instead, security teams have to find a way to say "Yes," but with caveats.
Before being able to set such policies though, enterprises must first have a better understanding of how cloud apps are being used. Beri painted a scenario where twelve cloud storage apps are in use at an enterprise, with six of those considered risky, according to Netskope's rankings. Instead of indiscriminately blocking those six apps, the organization should investigate how many people are actually using each one, what content is being shared, and any other risks that may surface due to their use. If only two users are utilizing one of the risky apps, an organization could simply ask them to migrate to a safer choice, Beri said. If sensitive content is being uploaded to one of the apps, the enterprise should block the upload rather than the app itself.
"So you take a scalpel to the ones that are high-risk. You curtail the behavior as is necessary. You look at the usage patterns and leverage that to make business decisions," he commented. "It's not about saying, 'Six high-risk apps? Shut 'em off,' without knowing anything about them."
Beri clarified that an app being deemed low-risk by Netskope doesn't in and of itself mean it's ready to be deployed in an enterprise setting. The vendor's report noted that even some of the most secure cloud apps still lack features that enterprises may deem to be necessary based on usage. When such apps are deployed, IT teams must implement the additional controls needed to bring risk down to what the company considers to be an acceptable level.
"You view [the report] with a grain of salt and say, 'Look, this application itself has met some strict criteria, but I still need to surround myself with solutions that can manage the security of these apps,'" Beri said.
As for the findings of the report, well-known services such as Salesforce.com, Box and Amazon Web Services rank among the most secure cloud applications, according to Netskope. The top apps tended to have functionality such as audit logging and the ability to separate customers' data, Beri said, while those apps with low scores tended to lack these features, which many enterprises would consider to be basic security functionality. App categories were also rated, with enterprise resource planning, document management and security apps performing well, while software development, marketing and productivity were at the bottom.
From a general perspective, a large majority of cloud applications contain functionality for disaster recovery and data backup to a separate location, but most are unable to encrypt data at rest or manage keys. Beri noted that encryption continues to be a hotly debated area, as it is still not clear whether cloud app vendors should be responsible for encryption. In his opinion, vendors should have an "encryption story" to tell when prompted by enterprise consumers.
While it may be shocking to some enterprises to find that cloud apps lack seemingly basic security functionality, Beri commented that even the top apps in the report were not always so secure. Instead, he said they added functionality deemed to be important by enterprise customers in order to make their offerings more competitive.
"I wouldn't tell you that any of these apps started off as a low-risk app," Beri said. "It's an evolution that happens over time."