Part one of this SearchCIO feature on SaaS governance explored how CIOs can protect their companies against the risk of shadow apps while still reaping the benefits these cloud apps can bring the business. In part two, Gartner GRC expert French Caldwell gives pointers on developing SaaS governance. Also, read about the security tool that one IT director has found to be useful for curbing shadow apps and improving his IT strategy.
Analyst French Caldwell, who leads the governance, risk and compliance (GRC) coverage at Gartner, said an "executive-level push" is essential to SaaS governance. Companies with top-down policies for assessing the risk of shadow apps, however, are still the exception.
"I talked to one client last week whose CEO was a real cowboy, bypassing the CIO and the CFO on all kinds of initiatives whenever he wanted to get stuff done, including cloud-based initiatives," said Caldwell, a Gartner Fellow.
Indeed, the willy-nilly adoption of cloud services by lines of businesses is often a "completely rational response" to corporate policy, set at the highest levels, Caldwell said. "The CEO or CFO in many cases says, 'Look, I want IT focused on those areas of the company where we make our money.'" These could be the core financial systems or the inventory management systems. "They don't want IT distracted by those other peripheral applications -- for example, all the GRC applications and vendor risk management applications I cover," Caldwell said, referring to his software area of expertise.
In situations like this, employees may commission their own shadow apps because they know they're more likely to get the software support they need from a vendor than from IT. "They know they can pick up the phone and get the vendor on the line. If they call IT, they might get Tier 1 support on the other side of the world," Caldwell said.
Calling procurement and audit
This leaves enterprises wide open to SaaS run-rampant scenarios where no one knows who owns what software or whether the cloud services deployed follow or run afoul of regulatory mandates. In Caldwell's experience, the CIOs who have managed to corral and govern shadow SaaS most effectively work "really tightly" with the company's centralized procurement and internal audit functions. "Procurement has the tools that track what is purchased and who owns what relationships," he said. Once the inventory is done, the risks identified and the policy set, it's time to get internal audit involved.
CIOs at companies without a procurement function need to work closely with business executives to set top-down polices, including policies on how to conduct SaaS inventories and to educate employees on the risks, Caldwell said. But the policies "need to be rational." A prohibition against Dropbox requires an IT-sanctioned alternative that is as easy to use and offers, for example, the same ability to collaborate with internal and external business partners. "The policy only works if you have a corporate alternative that truly meets the needs of the end user," he said. And in some cases, it might not be worth offering the business lines an alternative that is enterprise-ready. "If it is an enterprise risk solution and it goes down for three days, ehh, who cares? They can all go and do some training. But if it's CRM, that would be a different matter," he said.
There are tools that can help with transparency. Security consultant and former CIGNA CISO Craig Shumard, for example, is a fan of Skyhigh Networks, a security startup that discovers, analyzes, monitors and helps control shadow SaaS using existing logs and data from APIs, as well as analytics, to point up anomalous behavior, rate cloud vendor security and apply guidance based on company rules about app use. Employees are alerted when they are using apps deemed unsafe by the business. The activity logs can be incorporated into the company's SIM and DLP tools, thus leveraging the security investment already made. But the biggest benefit from the tool may well be the data it provides to "have an intelligent discussion with business people about cloud usage," Shumard said. "If I'm a security guy, I'm thinking I struck gold."
Jim Rutt, director of IT at The Dana Foundation, a private philanthropy that supports brain research, uses technology from Netskope, another cloud app security startup that offers a closed loop system that promises to discover, monitor and "coach" users on appropriate behavior with alerts.
Unlike healthcare and finance, two industries in which Rutt has worked, The Dana Foundation is not heavily regulated, but he said the staff deals in "confidential data you don't want out." His concern about shadow IT was mainly related to his users' limited tech savvy. "They are easily susceptible to things like spear phishing and redirection attacks to rogue assets that resemble our SaaS partners but are not," he said.
The Netskope tool, installed just 45 days ago, also uses analytics to understand cloud applications at the API level. The activity in the cloud apps used by employees is mapped to one of 40 different actions, including downloading and sharing content and signing a document.
"It's been eye-opening," Rutt said. There were plenty of Dropbox users. Probably the biggest surprise was a third-party commenting system used to communicate with other publication sites The Dana Foundation interacts with. "A lot of our folks had been exchanging data over this publishing commenting stack application, which I had never heard of," he said. By analyzing the usage patterns, his team was able to "get some governance around it," and is now investigating alternatives that may be more cost effective.
"It's interesting. Besides acting as a governance tool and risk mitigation tool, it can also give us insight into what folks are doing, why they are doing and whether we have to rethink our process," he said.
Rogue IT is becoming CIO business as usual
SaaS governance breeds better business/CIO relationships