February 26, 2013, 8:49 AM — Start-up Skyhigh Networks has introduced a service aimed at tracking risk associated with enterprise use of about 2,000 cloud services, in order to spot any rogue cloud services or to identify high-risk exposure that cloud use might bring to the enterprise.
"Cloud is top of mind for CIOs and a bit of a concern because they can't control it as well," says Rajiv Gupta, CEO of Cupertino, Calif.-based Skyhigh, which he founded in 2011 with Sekhar Sarukkai and Kaushik Narayan. Because business managers sometimes bypass the IT department altogether to order cloud-based services, the CIO and staff can be left in the awkward position of not even knowing where corporate data is headed.
But the cloud-based service from Skyhigh is intended to get a bead on what's happening and correlate that information with about 50 cloud-risk parameters to understand what might be considered "high risk" to the corporation using those services.
The basic technique that Skyhigh uses is to collect logs from firewalls and perimeter gateways to learn which URLs or IP addresses associated with a cloud service employees are trying to access, while also coming up with a risk score for that service. Cloud services would be ranked according to several risk factors that include "is it multi-tenant, can I use an enterprise ID, does it do penetration testing," Gupta says.
All of this monitoring information is batched and sent to a dashboard for review by the IT department in order to gauge the risk to the organization. Another aspect of the service seeks to ensure encryption of data, Gupta says. The service, priced at about $2 to $10 per employee per month, has been in pilot with Torrance Memorial Medical Center, Cisco and data-hosting firm Equinix.
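The log-based discovery and risk ranking described above can be sketched as follows. This is an added example, not Skyhigh's code: the service catalog, the scoring weights and the `ts user action url` log format are all assumptions, and only the three risk factors come from the article.

```python
from urllib.parse import urlsplit

# Constructed catalog: domain -> (service, attributes). The three attributes are
# the risk factors quoted in the article; the services and values are made up.
CATALOG = {
    "filedrop.example": ("FileDrop", {"multi_tenant": True, "enterprise_id": False, "pen_tested": False}),
    "crm.example": ("AcmeCRM", {"multi_tenant": True, "enterprise_id": True, "pen_tested": True}),
}

def risk_score(attrs):
    """Hypothetical weighting: higher means riskier (maximum 10)."""
    return 3 * attrs["multi_tenant"] + 4 * (not attrs["enterprise_id"]) + 3 * (not attrs["pen_tested"])

def match_service(host):
    """Match on a label boundary so notfiledrop.example is not filedrop.example."""
    host = host.lower().rstrip(".")
    for domain, entry in CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def summarize(log_lines):
    """Return (rows sorted by risk, unknown hosts); accepts URLs and host:port targets."""
    usage, unknown = {}, set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated record
        user, target = parts[1], parts[3]
        host = urlsplit(target if "://" in target else "//" + target).hostname
        if not host:
            continue
        entry = match_service(host)
        if entry is None:
            unknown.add(host)  # not in the catalog: candidate for manual review
            continue
        name, attrs = entry
        rec = usage.setdefault(name, [risk_score(attrs), set(), 0])
        rec[1].add(user)
        rec[2] += 1
    rows = [(name, rec[0], len(rec[1]), rec[2]) for name, rec in usage.items()]
    return sorted(rows, key=lambda r: -r[1]), sorted(unknown)

SAMPLE_LOG = [  # constructed gateway log lines
    "2013-02-26T08:00:01 alice ALLOW https://files.filedrop.example/upload",
    "2013-02-26T08:00:05 bob ALLOW files.filedrop.example:443",
    "2013-02-26T08:01:10 alice ALLOW https://app.crm.example/login",
    "2013-02-26T08:02:00 carol ALLOW https://notfiledrop.example/",
    "truncated line",
]
```

Each row is `(service, risk score, distinct users, requests)`; hosts that match no catalog entry are returned separately rather than silently dropped, since those are the services nobody has assessed yet.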
Brian Lillie, CIO of Equinix, says his organization, which started piloting the Skyhigh service last fall, is finding it a good way to discover and manage cloud services, though he doesn't use it at this point to block.
"We have taken action based on it," says Lillie, adding that the tool helped pinpoint a cloud service that had been turned on by some inside the organization and that needed to be discussed in terms of risk. Finding out through monitoring made that discussion much easier than just hearing about it in passing.