Netskope’s approach to Shadow IT security.

On Wednesday last week I attended “Cloud Expo Europe” at London’s Excel centre. One particularly interesting product was Netskope (also a finalist in the UK Cloud Awards), who are addressing the challenge of Shadow IT – employees’ use of cloud services which are not sanctioned by corporate IT departments.

According to Accenture (2013) “78% of cloud procurement comes from Strategic Business Units (SBUs), and only 28% from centralized IT functions”. Without some form of control, the data-protection and compliance challenges of this can prove huge. Users are also poorly skilled in making rational decisions about the safety of company data, and products like Netskope address this by examining firewall logs or running proxy servers and providing an easy interface so IT departments can enforce cloud access policies. The product analyses users’ access patterns and sends alerts, encrypts content on upload, blocks cloud transactions and quarantines content for review by Legal or IT. It essentially monitors and stops employees doing anything risky.
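To make the log-examination step concrete, here is a small added example (not Netskope's code, and not from the original post) that scans proxy log lines for uploads to cloud services the IT department has not sanctioned. The log format, the service catalogue, the user names and the `.example` domains are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed catalogue: domain -> (service name, sanctioned by IT?, note)
CATALOGUE = {
    "sanctioned-drive.example": ("SanctionedDrive", True, "approved, contract in place"),
    "quickshare.example": ("QuickShare", False, "no data-processing agreement"),
    "notes-app.example": ("NotesApp", False, "stores data outside approved regions"),
}

# Constructed proxy log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2016-03-01T09:12:01Z alice PUT files.sanctioned-drive.example 48211
2016-03-01T09:15:44Z bob PUT upload.quickshare.example 1048576
2016-03-01T09:16:02Z bob GET upload.quickshare.example 0
2016-03-01T10:02:13Z carol POST api.notes-app.example 2048
2016-03-01T10:05:00Z carol GET intranet.corp.example 0
malformed line without enough fields
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|PUT|POST)\s+(\S+)\s+(\d+)$")

def lookup(host):
    """Match on a label boundary: 'evilquickshare.example' must not match."""
    host = host.lower().rstrip(".")
    for domain, entry in CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def unsanctioned_uploads(log_text):
    """Return {user: {service: bytes uploaded}} for unsanctioned services."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guessing
        _, user, method, host, sent = m.groups()
        entry = lookup(host)
        # Ignore hosts unknown to the catalogue, sanctioned services, downloads
        if entry is None or entry[1] or method == "GET":
            continue
        report[user][entry[0]] += int(sent)
    return {u: dict(s) for u, s in report.items()}

if __name__ == "__main__":
    notes = {name: note for name, _, note in CATALOGUE.values()}
    for user, services in unsanctioned_uploads(SAMPLE_LOG).items():
        for name, sent in services.items():
            print(f"{user}: {sent} bytes to {name} ({notes[name]})")
```

The same catalogue lookup could sit behind a self-service page where an employee checks a service before adopting it, rather than only feeding alerts to IT.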

For me, the value of this product is the database of different cloud services with detailed information as to their safety and compliance. The product is however also really frustrating. At its heart is the assumption that the job of the IT professional is to monitor, control and police employees. This puts IT in opposition to the other business functions. Why couldn’t this product have instead started from a different assumption – that employees are, mostly, just trying to do their work as efficiently as possible? While a few are bad, most are just ignorant of the risks. Netskope would have been fantastic if it instead helped reduce this ignorance rather than policing users’ failures. Had it provided an employee portal to allow employees to evaluate cloud services prior to adoption, it would have promoted the effective use of them, and allowed users to make rational decisions on their adoption. The IT department would be in a facilitation role rather than a policing role, and employees would feel in control (rather than in fear). The safety would be just the same (with Netskope policing policy) but with users feeling part of that effort. Productivity gains might also be achieved as users are freed to try using new valuable IT services knowing they were doing it safely and with management approval.

This isn’t to criticise Netskope for what it does do – but to call upon new approaches to thinking about the role of IT and the CIO in this cloud-future.

Strategy Security in the cloud – comments on Athens Cloud Computing Conference

Attending the Cloud Computing Conference in Athens today I was struck by the overarching interest of the audience in security. This is entirely understandable, and certainly should be the primary concern for IT directors whose overarching concern is to keep the company safe in this dangerous digital world. As fellow speaker Ian Murphy discussed – hacking is available “as a service” today and for little money hackers can be directed towards any organisation whose security protocols are substandard. This point was reiterated by Amar Singh.

What worries me though is that organisational strategy is not also considered a significant security concern in the face of the cloud. For me IT directors should be taking a primary position in considering the strategic risks to their organisation from cloud-based services ripping the heart out of their business. Without considering how the business model of a business might be undermined by cloud-based digital services, companies look like the vacuum-valve or Cathode-Ray-Tube manufacturer obsessing about whether their product can be stolen in production and delivery!

My rather random list of possible risks would include:

1) Disintermediation – Don Tapscott discussed many years ago how intermediation business can be lost as customers circumvent or replicate intermediary business and go direct. Cloud provides the simple tools to create this type of business.

2) Cost Collapse – Many businesses rely on cost inhibiting entry into marketplaces. Automation, Cloud and Data-abundance, and PAYG infrastructure can collapse the cost of entering some of these marketplaces. An example of this is Animation, where small studios can now produce full feature-films using cloud rendering services. In the future digital technologies are likely to do the same to many other areas of business which are today considered capital intensive.

3) Globally local – Prior to Uber most people working in taxi services could not imagine that the value of their business would shift to include services provided from North America. Yet such platforms, by their intensive focus on value creation for users, and their creation of brokerage services, radically change the business model. Like eBay, Airbnb, and Booking.com the creation of a dual-sided market… Read Eisenmann, T. R., G. Parker and M. W. V. Alstyne (2006). “Strategies for Two-Sided Markets.” Harvard Business Review (10). for more on this type of business model.

4) Service Quality – Many existing companies struggle to respond to customers’ needs. Using cloud services, small businesses can emerge which provide much better ease of use and services by starting with a cloud-only strategy, uninhibited by existing legacy IT.

This is just a rather random list – with time I will try to develop these ideas into something more coherent! I welcome readers’ contributions.

Cloud computing security – lessons from Bletchley Park

Today I’m at Bletchley Park, home of the code-breakers in the Second World War and the perfect location for a workshop* on Cloud Computing security. I thought I would share some of the most interesting points that emerged today:

Focus on security audits:

  • A talk from someone in the US Department of Homeland Security was calling for improvements in CIOs’ ability to move to the cloud while maintaining security. In doing this they argue the need for better auditing – security audits, privacy impact audits, and performance audits. They argue the “goal is to develop test and deploy cloud computing to facilitate end-to-end trust”. Silverline was proposed as part of this move.

Cloud security as a religious debate:

  • Prof Ahmad Sadeghi argued that cloud security is “a religious debate”. While cloud security is presented as new, many parts of the work were already achieved in utility computing and IBM mainframes. The problem, he argues, is that for cloud providers the focus is upon optimization, not on security. This lack of focus on security is a significant problem for BYOD (Bring Your Own Device), since an employee backing up data with iCloud on their iPhone may be inadvertently sharing company data (e.g. calendar data on who they are meeting) in a less secure site.

Hardware Solutions to the problem of cloud security:

  • The problem with cloud security is ensuring that everything from the CPU up through the operating system stack, the hypervisor, and the users’ virtual machines is secure. Without this there is a risk of either the systems administrator or another virtual machine attacking a user’s virtual machine. Prof. Sadeghi explained that one solution to this problem is being developed by Intel through their SGX (Software Guard Extensions) chipset. This is a hardware-based cloud security solution maintaining an “enclave” area of memory which is secure from the operating system upwards – if you trust the CPU you can trust the whole server. The implementation is complex, but suffice it to say that many of the attack challenges are resolved, allowing highly secure parts of the cloud to keep data.