Discovering The SaaS Footprint


C-level executives rarely view security projects as a cost-reduction measure, according to solution providers.

But when one organization attempted to gain visibility and control over unauthorized cloud services, it uncovered 50 instances of Salesforce.com being run and managed by its various business units. The business consolidated them to several instances, bolstering productivity by bringing together the disparate data sources and reducing onerous management costs, said Saideep Raj, global managing director of Software-as-a-Service at Accenture.

"IT had an agenda of being able to exert controls, but the organization realized it was not only reducing costs, it was transforming inefficient business processes that for different historical reasons were siloed and underperforming," Raj said.


Resellers, systems integrators and consultancies are increasingly adding SaaS-based security and Identity-as-a-Service platforms to their product portfolios. Some solution providers are involved in cloud migration projects or offer architecture planning and IT management services where the discussion about SaaS-based services fits in nicely with security and data protection, said Dev Ghoshal, senior vice president of strategy, global alliances and customer success at CipherCloud, a cloud security gateway vendor for data encryption and tokenization.

The growing market for SaaS-based security services encompasses many traditional controls, such as data encryption, data loss prevention, intrusion prevention, access control and file integrity monitoring. The goal is to put controls around Salesforce.com, Microsoft Office 365, Google Apps, Amazon Web Services and other cloud-based platforms. In some cases, cloud providers are adding their own security features, such as encryption, VPN capabilities and multifactor authentication.

One of the first challenges for enterprise IT security teams is to identify the amount of so-called shadow IT within the organization, said Ashraf Motiwala, chief technology officer and co-founder of Identropy, an identity and access management and managed services consultancy. Identropy partners with Netskope and Skyhigh Networks, two SaaS vendors that can identify the cloud services being used and score them based on an organization's security policies and risk profile. Meanwhile, Elastica, one of the latest market entrants, can audit cloud services use and help enterprises enforce policies to control them.

"Discovering the SaaS footprint is always an eye-opener for the organization," Motiwala said. "In one recent engagement, it was fascinating to see the customer's jaw drop when they discovered that in just the marketing department alone they had 68 cloud applications in use."

After an accurate number of services is identified, an organization can eliminate overlapping or competing services or block services that are deemed too risky. Identropy works with customers to understand data flow from inside resources out to cloud apps and from cloud apps back to on-premises servers, said Motiwala.

"Getting a handle on the flow of data and where it goes each step of the way is very important to identifying how you are going to protect your assets," Motiwala said.
