For most organizations, over 95% of apps fall into the shadow IT area where business units adopt them without IT knowledge or administration rights. Considering the average organization utilizes over 1,200 apps today, you likely have well over a thousand apps that are unmanaged with no IT administration rights. For example, based on Netskope Research Labs’ analyses, an HR department will use approximately 130 apps on average working with personal identity information on a daily basis.
If your strategy to solve the application visibility and monitoring issue is with your secure web gateway (SWG) or next generation firewall (NGFW), you are likely to fall very short of your objective. Additionally, if you rely on traditional API-only based cloud access security broker (CASB) solutions for application visibility, you’ll also not meet your strategic objectives. IT managed apps are often less than a dozen, and in many cases a CASB solution may support less via API integration. Also, not every app has a published API, and more importantly a timely response for near real-time policy controls. So, again you are likely facing over a thousand apps not open to CASB API policy controls. For many, you may be using basic web security to allow or deny apps, however, this falls short for today’s app policy control requirements for content and context to limit data loss and theft, plus attacks using apps and cloud services for entry such as cloud phishing.
Consider the case of an employee with a personal instance and a business unit instance of the same file sharing cloud app outside the domain of IT control. Your policy controls will need to know which account or instance the employee is using. You are likely to desire data loss prevention (DLP) on any uploads to the personal account to control data exfiltration while monitoring the business unit account for public file sharing posts or emails. You may also desire threat protection for the corporate account to stop malware from spreading via app file sharing.
Accidents happen, the employee may use their personal account by mistake for confidential company information in this example, or malware infected personal data may be uploaded to