Securing the Intersection of Sanctioned and Unsanctioned Apps in Cloud Ecosystems

If you are in charge of deploying a cloud app or suite like Box, Office 365, or Google Apps in your environment, you need to read this:

by Krishna Narayanaswamy, Chief Scientist, Netskope

We just completed a piece of research here at Netskope on cloud app ecosystems. In it, we highlight an important trend: the rise of cloud apps that orbit large, “anchor tenant” apps like Salesforce or Box.

Here’s how this trend works: Enterprises adopt popular cloud apps like Salesforce. IT is aware of and often manages the deployment, management, and security of the app. As lines of business begin using it, they find lots of different ways to get value. Those use cases often involve third-party services that integrate with the main app (like how Marketo, Zendesk, and DocuSign integrate with Salesforce). Because it’s in Salesforce’s best interest to facilitate this ecosystem (because it makes Salesforce more valuable), Salesforce facilitates developers with rich APIs, documentation, and even sometimes with go-to-market support. Recently Salesforce commented that half of its revenue is attributed to its APIs. That’s a heck of a business!

But what enterprises don’t often realize is that when they sanction an “anchor tenant” app, they are also welcoming dozens of apps that integrate with that app, many of which they don’t know about. And since they don’t know about them, they often don’t realize that those apps are sharing data back and forth with their sanctioned app, which poses risk of data exposure or leakage.

The big finding in our study is the number of apps per major app. We studied four apps, and found that in each of the enterprises in our cloud service, there is an average of 28, 26, 20, and 19 cloud apps for every implementation of Box, Salesforce, Dropbox, and Google Apps, respectively. Even more interesting, when we marry these stats to the data in the Netskope Active Platform, we find that, among other things, 15.3 percent of all downloaded data and 44.4 percent of DLP violations are from the Salesforce ecosystem (exclusive of Salesforce).

Why spend time on this research? Well, there’s a lot of talk in the market about protecting the major apps or sanctioned apps. While organizations rightly put a lot of emphasis on those apps, more controls can be like building a fence around Fort Knox. Instead, they should be paying attention to the myriad of apps that share data with those apps. Those ecosystems are made up of apps that have been sanctioned by the enterprise and several that are unsanctioned.

Here are five things we recommend for getting your arms around cloud app ecosystems:

1. Know what apps are running in your organization that integrate with your major apps, including sanctioned and unsanctioned apps;
2. Understand the workflows they complete and what data they pull out of (or contribute to) your major apps;
3. Secure access to those apps with identity management or SSO;
4. Monitor those apps as a group with your major apps. We have the ability to do this with custom app tags in the Netskope product; and
5. If you enforce policies (e.g., “don’t share outside of the company” or “don’t download to an unmanaged device if what’s being downloaded contains personally identifiable information,”) in your major apps, extend those policies to your ecosystem apps as well to get the intended security outcome.

If you want to read the report, you can get it here.