SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Interview: How Netskope is enabling secure use of cloud apps
Wed, 5th Dec 2018
FYI, this story is more than a year old

The adoption of cloud applications in the workplace is increasing exponentially as employees become accustomed to its convenience and simplicity.

Netskope has found that many of these applications are adopted by employees without the knowledge of IT staff, presenting a challenge for security teams.

TechDay sat down with Netskope APAC regional sales director Tony Burnside to discuss the adoption of cloud in the region, trends in app use among enterprise, and how they can be secured.

What trends have you seen in the use of cloud applications in APAC?

When I first came here with Netskope two and a half years ago, I really felt the Australian and New Zealand market was a good 18 months behind the US, but I think that gap is closing.

So the adoption may have been a bit late, but the growth the growth potential in the APAC market is probably stronger than any other marketplace.

How has Netskope evolved in response to this trend?

We've evolved from being a pure play cloud access security broker (CASB) vendor focused on software-as-a-service - think Office 365, Box, Dropbox, Salesforce workplace, by Facebook, SaaS applications - and a natural evolution for us is to address the security concerns around public clouds like Amazon Web Services (AWS), Azure, Google Cloud Platform.

So many people are pushing their workloads, applications, and data there so it's a natural evolution for us

On top of that, we're seeing the appetite and the need for what we call a “one cloud solution” – that's a single platform no matter what apps people using, with a software-as-a-service infrastructure.

They're saying, “I want a single place to apply security, data loss protection (DLP), malware protection, etc.

How do you see cloud security responding to this appetite?

Data is going to the cloud and one of those buckets of apps - I think security has to evolve with it.

We were born in the cloud, which I think gives us some certain advantages over the older companies - we think security in the cloud should be addressed in the cloud.

When we started the company six years ago, compare that to some of our competitors that are 15, 20 years old, when we started the company tools available to us were different than what's available to our competition.

So from the beginning, we have been an API-centric company whereas of these vendors started out blacklisting, or whitelisting URLs.

The language of the internet's changed, it's now all APIs - and that's how our company started, we have tools, we have the capability, and we focus in on getting API-centric engineers.

When we started, cloud wasn't a thing, it really wasn't embraced in a big way by the enterprise.

Now, fast forward five, six years, cloud-first is the typical mantra of most enterprises

Where do you see companies fall down when they're securing their cloud applications?

I've been somewhat surprised the ability of some security leaders to cover their ears and close their eyes a little bit - almost ignore that there's a problem with regard to shadow IT and the lack of visibility.

My perspective is any CSO in his organisation should know what apps are being used and where their data is, and I think a lot of organisations have just ignored the problem.

That train has left the station now - we see over 1100 apps being used within most enterprises, and probably in the region of 900 of those 950, or even 1000 of those were brought in by the users without IT's knowledge so I think, where they fall down is they're just not addressing the problem.

How does Netskope's risk-scoring technology evaluate the risks posed by cloud applications?

We call our risk index the Cloud Confidence Index (CCI).

So we give each one of the 28,000 apps (and counting) enterprises are using a cloud confidence level.

And that's between zero and 100 – 100 being the most enterprise-ready and the most secure.

So we've taken the Cloud Security Alliance's cloud confidence matrix and measured the apps against that and we've also added additional features that include things like, is the app SOC2 and SOC3 compliant? Does it meet ISO 27000 or does it use encryption at rest? Does that app own that data, if you upload to it?

With a lot of free apps, no one reads the small print, and our engineers do.

We track about 60 of those parameters, that's an extremely time-consuming process.

We offer that as part of our service.

With our Cloud Confidence Index, very quickly, we can evaluate an app and determine enterprise-ready.

A huge benefit is that IT doesn't want to be the ‘CI-No', they don't want to stop everything. However, some things should be stopped.

So if someone comes to IT security with an app that we determine is has a very low CCI, so is a bad app, they can print a document, give that back to the business to say, “We'd rather you don't use this, and this is why.

As the business owner, it's their data, they can very quickly see why they shouldn't use that. And as part of our service, we'll show them maybe five other applications that have a high score perform the same function.

Allow is the new block – so we want to allow people to use the apps that make them good at what they do, but like a bowling lane, we want to put some bumpers around it so if you either maliciously or mistakenly compromise security, we're going to push you back on track.

There are definitely some apps in the organisation that should be blocked. But there's also a huge number that are part of the business.