Cloud Security Alliance: Sanctioned and unsanctioned apps in cloud ecosystems

InsightaaS: Today's featured post, from the Cloud Security Alliance, actually has an even-longer (and for some reason, all caps) title than is presented above: SECURING THE INTERSECTION OF SANCTIONED AND UNSANCTIONED APPS IN CLOUD ECOSYSTEMS. Odd naming conventions aside, it provides insight into an important issue. Published by the chief scientist at Netskope, it presents data on the number of apps that are attached to four core cloud applications: Box, Salesforce, Dropbox and Google Apps. The key finding is that "there is an average of 28, 26, 20, and 19 cloud apps for every implementation of Box, Salesforce, Dropbox, and Google Apps, respectively."

In the article, these additional apps are categorized as unsanctioned, and as potential points of security exposure. This isn't necessarily the case: there are organizations that vet associated apps carefully before allowing them access to corporate resources. However, it's very likely true that in many cases, at least some of these apps aren't fully vetted, and that where this is the case, they create security and enterprise GRC (governance, risk and compliance) exposure.

The post itself is brief, and will require only a minute or two to review. It's time well spent: despite the brevity of the description, the issue itself is substantial, widespread and growing rapidly.

We just completed a piece of research here at Netskope on cloud app ecosystems. In it, we highlight an important trend: the rise of cloud apps that orbit large, “anchor tenant” apps like Salesforce or Box.

Here’s how this trend works: Enterprises adopt popular cloud apps like Salesforce. IT is aware of and often manages the deployment, management, and security of the app. As lines of business begin using it, they find lots of different ways to get value. Those use cases often involve third-party services that integrate with the main app (like how Marketo, Zendesk, and DocuSign integrate with Salesforce). Because it’s in Salesforce’s best interest to facilitate this ecosystem (because it makes Salesforce more valuable), Salesforce facilitates developers with rich APIs, documentation, and even sometimes with go-to-market support. Recently Salesforce commented that half of its revenue is attributed to its APIs. That’s a heck of a business!

But what enterprises don’t often realize is that when they sanction an “anchor tenant” app, they are also welcoming dozens of apps that integrate with that app, many of which they don’t know about...

