Start-up tracks risky security behaviour in the cloud

Start-up Skyhigh Networks has introduced a service aimed at tracking risk associated with enterprise use of about 2000 cloud services, in order to spot any rogue cloud services or to identify high-risk exposure that cloud use might bring to the enterprise.

"Cloud is top of mind for CIOs and a bit of a concern because they can't control it as well," says Rajiv Gupta, CEO of Cupertino, California-based Skyhigh, which he founded in 2011 with Sekhar Sarukkai and Kaushik Narayan. Because business managers sometimes bypass the IT department altogether to order cloud-based services, the CIO and staff can be left in the awkward position of not even knowing where corporate data is headed.

But the cloud-based service from Skyhigh is intended to get a bead on what's happening and correlate that information with about 50 cloud-risk parameters to understand what might be considered "high risk" to the corporation using them.

The basic technique that Skyhigh uses is to collect logs from firewalls and perimeter gateways to learn which URLs or IP addresses associated with a cloud service employees are trying to access, while also coming up with a risk score for that service. Cloud services would be ranked according to several risk factors that include "is it multi-tenant, can I use an enterprise ID, does it do penetration testing," Gupta says.

All of this monitoring information is batched and sent to a dashboard for review by the IT department in order to gauge the risk to the organisation. Another aspect of the service seeks to ensure encryption of data, Gupta says. The service, priced at about US$2 to $10 per employee per month, has been in pilot with Torrance Memorial Medical Center, Cisco and data-hosting firm Equinix.
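The log-to-risk-score approach described above can be sketched as follows. This is an added example, not Skyhigh's implementation: the catalogue entries, weights, service names and log format are all assumptions, and the three attributes Gupta names stand in for the roughly 50 parameters the service uses.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical catalogue: domain -> (service, category, risk attributes).
CATALOG = {
    "files.example": ("FileDrop", "storage",
                      {"multi_tenant": True, "enterprise_id": False, "pen_tested": False}),
    "crm.example": ("DealTrack", "CRM",
                    {"multi_tenant": True, "enterprise_id": True, "pen_tested": True}),
}
# Assumed weights: attribute -> (risky state, points added in that state).
WEIGHTS = {"multi_tenant": (True, 3), "enterprise_id": (False, 4), "pen_tested": (False, 3)}

def risk_score(attrs):
    """Sum the points of every attribute that is in its risky state."""
    return sum(pts for name, (risky, pts) in WEIGHTS.items() if attrs.get(name) == risky)

def lookup(host):
    """Match a hostname to a catalogue entry on a domain-label boundary."""
    return next((e for d, e in CATALOG.items()
                 if host == d or host.endswith("." + d)), None)

def summarise(log_lines):
    """Aggregate gateway log lines into per-service usage and risk."""
    report = defaultdict(lambda: {"users": set(), "requests": 0})
    skipped = 0
    for line in log_lines:
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) == 4 else None
        entry = lookup(host) if host else None
        if entry is None:  # malformed line or host not in the catalogue
            skipped += 1
            continue
        service, category, attrs = entry
        row = report[service]
        row.update(category=category, score=risk_score(attrs), requests=row["requests"] + 1)
        row["users"].add(parts[1])
    return dict(report), skipped

# Constructed sample log, one request per line: timestamp user action url
SAMPLE_LOG = [
    "2024-01-15T09:00:01Z alice ALLOW https://app.files.example/upload",
    "2024-01-15T09:00:07Z bob ALLOW https://files.example/share/1",
    "2024-01-15T09:01:12Z alice ALLOW https://eu.crm.example/leads",
    "2024-01-15T09:02:30Z carol ALLOW https://notfiles.example/",
    "truncated line",
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Matching on a label boundary keeps a look-alike host such as `notfiles.example` from being counted as the catalogued service, and skipped lines are tallied so that uncatalogued traffic is visible rather than silently dropped.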

Brian Lillie, CIO of Equinix, says his organisation, which started piloting the Skyhigh service last fall, is finding it a good way to discover and manage cloud services, though he doesn't use it at this point to block.

"We have taken action based on it," says Lillie, adding that the tool helped pinpoint a cloud service, turned on by some inside the organisation, that needed to be discussed in terms of risk. Finding out through monitoring made it much easier to have that discussion than just hearing about it in passing.

"It's a dashboard with visibility," Lillie says about using Skyhigh. "It's about knowing that you don't know." Cloud services of all varieties are now a way of life and productive for the enterprise, which can no longer be seen as "the castle with the moat around it," he points out.

Skyhigh's service classifies cloud services into types, such as storage or CRM, and there's a risk-scoring method that is helpful to the CIO and the information security manager, he notes. While Equinix also finds Websense to be a great tool for enterprise monitoring, it's required scripting to do the kind of cloud discovery process that Skyhigh is focused on. Lillie says he finds Skyhigh augments the Websense monitoring he does very well.

Forrester analyst Chenxi Wang says she's not aware of any service similar to Skyhigh's.

"What they did is essentially productised what people have been doing manually (and not very successfully). I think it addresses an immediate pain point," she commented. "Many enterprises would have need for a service like this, so they can understand better their risks associated with the use of cloud services and begin to manage that risk."

Gupta says he doesn't find it particularly unusual to see companies with "more than 200 cloud services, some more than 1000" these days.

Skyhigh Networks also disclosed that it has US$6.7 million in venture-capital funding, with Greylock accounting for $6.5 million of that.
