Migrating Apps to the Cloud? Prevent Cloud Sprawl With More Visibility and Control

By Linda Musthaler, principal analyst, Essential Solutions

When I wrote about Cato Networks for Network World a few weeks ago, a colleague told me he thought the solution is interesting, but he couldn’t see why an enterprise would want to connect its entire network to the Cato Cloud. I told him I could see several important use cases, driven by the need for enterprises to move apps and workloads to the cloud while providing greater visibility and security.

Consider SaaS, or software as a service. Individuals, workgroups and entire companies now enjoy the benefits of simply renting access to an application in the cloud. In fact, the SaaS approach to software is now so popular that Netskope reports that the average enterprise has more than 900 different cloud apps in use.

With workers using so many cloud applications, it’s a safe bet that the IT group – which usually has responsibility for ensuring data security – has not been involved in the decision of choosing every application, validating their security aspects, and ensuring that the apps will properly protect the corporate data going into them. IT probably doesn’t even know about many or even most of these unsanctioned applications. This has given rise to the term Shadow IT, or as some call it, cloud sprawl.

SaaS-induced cloud sprawl creates a number of challenges for organizations. For instance, the company might not even know what applications its workers are using. This results in little visibility and control over what people are doing with company data. This is of paramount concern for highly sensitive and/or regulated data and information.

There are still other concerns. Workers could be accessing these cloud apps via their own mobile devices—untrusted devices as far as the company is concerned. What’s more, the apps themselves might be unworthy of trust. Netskope reports that 4.1% of enterprises have sanctioned cloud apps – ones that actually have been approved for company use – that are laced with malware. And since the majority of SaaS apps in use in most enterprises are unsanctioned, Netskope advises that there could be an even larger scope of malware in cloud-based applications. This malware can then infect the entire business networks if the proper security measures are not in place. Additionally, employees often access the company network using personal mobile devices. What happens if the device is lost or stolen, or the employee leaves the company? An organization can be left vulnerable if it can’t deny access to unauthorized people.

The bottom line is that the uncertainty surrounding the use of SaaS applications causes a lot of consternation among those who need to assure data security. Where is my data? Who can access it? Has it been compromised? How can I protect it?

To answer that last question, companies have turned to a variety of technologies that attempt to replicate the on-premise security capabilities for cloud apps. Next generation firewalls (NGFW), unified threat management systems (UTM), secure web gateway (SWG) and cloud access security broker (CASB) services all attempt to fill the need for visibility, control and data security for cloud-based applications. However, these solutions have limited effectiveness because they are designed to only see traffic as it passes through.

Some of the more mature CASB services provide the fullest range of security protections for SaaS, but even they have their limitations. For example, a CASB can only see cloud-destined traffic if it runs through the CASB’s proxy. It might entirely miss traffic going out of a branch office, or over a mobile device on a non-company WiFi connection—unless complex configurations are used to force traffic from SaaS applications to “bounce” through the CASB. CASB vendors are also dependent upon SaaS application providers to have an API that allows the CASB vendor to control activities on the application. Since there are tens of thousands of cloud-based apps, no CASB vendor can possibly provide full coverage for all of them.

Now consider how Cato can address these SaaS visibility and control issues.

The nature of the Cato Cloud solution is that a company routes all of its traffic – from the on-premises data center, remote branches, mobile devices, cloud apps (SaaS), and cloud data centers (IaaS) – to and through the Cato Cloud. This gives Cato the advantage of having full visibility of what is actually happening on the network. Cato can see exactly what SaaS applications are being used and provide a comprehensive report back to the customer company. This solves the mystery of “what Cloud applications are we using?” Then policies can be applied to restrict access to only sanctioned applications, if desired.

Cato is building a full security stack for enterprise-grade security that will rival or exceed the type of security functionality that a CASB can add. This includes data-aware capabilities to be able to provide granular policies and control over data. For example, suppose an employee is attempting to upload a credit card number to a cloud service. Cato will see who is doing what, from where, and when. The company can specify a policy that determines what is allowed to happen with this regulated data.

Users on mobile devices that want to get to SaaS applications will have their traffic routed through the Cato Cloud, so policies can be applied to their activities. Also, it’s possible to restrict SaaS applications to access from a specific range of IP addresses. By telling an app that the only IP address that can access it is the one used by the Cato Cloud Network, a customer organization can effectively block out any traffic that doesn’t route through the Cato Cloud. Thus mobile users and branch offices can’t get directly to the SaaS app; they must go through the Cato Network or their connections don’t go through at all.

Another piece of the Cato security stack is infection prevention. This can prevent the malware-laden SaaS applications from infecting the customer’s network.

So to sum up the issue of cloud sprawl specifically as it relates to SaaS, there are a lot of great cloud services that people want to use, and companies want to enable the use of those services. However, there are challenges that have to be overcome in order to use these cloud applications securely. With Cato Networks, companies can use the benefits of cloud services but still stay fully protected and have full visibility of what is going to the cloud and what is happening within those cloud services.