Discovering The SaaS Footprint

C-level executives rarely view security projects as part of any cost-reduction measures, according to solution providers.

But when one organization attempted to gain visibility and control over unauthorized cloud services, it uncovered 50 instances of Salesforce.com being run and managed by its various business units. The business consolidated them to several instances, bolstering productivity by bringing together the disparate data sources and reducing onerous management costs, said Saideep Raj, global managing director of Software-as-a-Service at Accenture.

"IT had an agenda of being able to exert controls, but the organization realized it was not only reducing costs, it was transforming inefficient business processes that for different historical reasons were siloed and underperforming," Raj said.

[Related: Sign Of The Times: When Identity Access Management Platforms Aren't Ready For The Cloud]

id
unit-1659132512259
type
Sponsored post

Resellers, systems integrators and consultancies are increasingly adding SaaS-based security and Identity-as-a-Service platforms to their product portfolios. Some solution providers are involved in cloud migration projects or offer architecture planning and IT management services where the discussion about SaaS-based services fits in nicely with security and data protection, said Dev Ghoshal, senior vice president of strategy, global alliances and customer success at CipherCloud, a cloud security gateway vendor for data encryption and tokenization.

The growing market for SaaS-based security services encompasses many traditional controls, such as data encryption, data loss prevention, intrusion prevention, access control and file integrity monitoring. The goal is to put controls around Salesforce.com, Microsoft Office 365, Google Apps, Amazon Web Services and other cloud-based platforms. In some cases, cloud providers are adding their own security features, such as encryption, VPN capabilities and multifactor authentication.

One of the first challenges for enterprise IT security teams is to identify the amount of so-called ShadowIT within the organization, said Ashraf Motiwala, chief technology officer and co-founder of Identropy, an identity and access management and managed services consultancy. Identropy partners with Netskope and Skyhigh Networks, two SaaS vendors that can identify the cloud services being used and score them based on an organization's security policies and risk profile. Meanwhile, Elastica, one of the latest market entrants, can audit cloud services use and help enterprises enforce policies to control them.

"Discovering the SaaS footprint is always an eye-opener for the organization," Motiwala said. "In one recent engagement, it was fascinating to see the customer's jaw drop when they discovered that in just the marketing department alone they had 68 cloud applications in use."

After an accurate number of services are identified, an organization can eliminate overlapping or competing services or block services that are deemed too risky. Identropy works with customers to understand data flow from inside resources out to cloud apps and from cloud apps back to on-premise servers, said Motiwala.

"Getting a handle on the flow of data and where it goes each step of the way is very important to identifying how you are going to protect your assets," Motiwala said.

NEXT: Identity And Access Management Platform

Supported services must be mapped back to the organization's identity and access management platform. Okta, OneLogin and Centrify are part of an emerging group of Identity-as-a-Service vendors that play a role in bridging traditional, on-premise identity and access management systems and cloud-based apps and services.

For data protection and encryption, CipherCloud competes with Vaultive. FireLayers recently came out of stealth mode and takes a compliance and IT governance approach with its cloud-based platform, which monitors and controls the use of popular cloud applications with predefined policies that can be set against them. For monitoring, Skyfence and Adallom sell a cloud gateway to monitor employee access to Salesforce.com and other services. Meanwhile, Skycure sells mobile firewall software for a VPN and a cloud component for policy enforcement.

Organizations may be able to extend the security controls already in place, such as data loss prevention, because ultimately the entire technology ecosystem is moving to an as-a-service model, said Ryan LaSalle, global managing director for Security Transformation Services at Accenture. When clients assess their traditional, on-premise systems, they often find that they don't scale and turn to the pure-play, SaaS security providers, LaSalle said.

"Traditional vendors in the security space are moving to cloud-based solutions because they know that's where the market is going, but this new class of security brokers have a really aggressive head start in these areas and solid integration stories to tell," LaSalle said.

This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.