Netskope’s approach to Shadow IT security.

On Wednesday last week I attended “Cloud Expo Europe” at London’s Excel centre. One particularly interesting product was Netskope (also a finalist in the UK Cloud Awards), who are addressing the challenge of Shadow IT – employees’ use of cloud services which are not sanctioned by corporate IT departments.

According to Accenture (2013) “78% of cloud procurement comes from Strategic Business Units (SBUs), and only 28% from centralized IT functions”. Without some form of control, the data-protection and compliance challenges of this can prove huge. Users are also poorly skilled in making rational decisions about the safety of company data, and products like Netskope address this by examining firewall logs or running proxy servers and providing an easy interface so IT departments can enforce cloud access policies. The product analyses users’ access patterns and sends alerts, encrypts content on upload, blocks cloud transactions and quarantines content for review by Legal or IT. It essentially monitors employees and stops them doing anything risky.

For me, the value of this product is the database of different cloud services with detailed information as to their safety and compliance. The product is, however, also really frustrating. At its heart is the assumption that the job of the IT professional is to monitor, control and police employees. This puts IT in opposition to the other business functions. Why couldn’t this product have instead started from a different assumption – that employees are, mostly, just trying to do their work as efficiently as possible? While a few are bad, most are just ignorant of the risks. Netskope would have been fantastic if it instead helped reduce this ignorance rather than policing users’ failures. Had it provided an employee portal to allow employees to evaluate cloud services prior to adoption, it would have promoted the effective use of them, and allowed users to make rational decisions on their adoption. The IT department would be in a facilitation role rather than a policing role, and employees would feel in control (rather than in fear). The safety would be just the same (with Netskope policing policy) but with users feeling part of that effort. Productivity gains might also be achieved as users are freed to try using valuable new IT services knowing they were doing it safely and with management approval.

This isn’t to criticise Netskope for what it does do – but to call upon new approaches to thinking about the role of IT and the CIO in this cloud-future.
