Cloud Computing Security

Skyhigh Aims For Clouds with Risk Register

How many cloud services does the average enterprise and its users run? Thinking of big names like Salesforce.com and Workday, you might answer “a few”, or a couple of dozen if you expand your horizons to include consumer services. The right answer: 588 active services on average.

That’s if you believe Skyhigh Networks, a company that, admittedly, has an axe to grind as it sells a way to mitigate risk when deploying cloud (and other) services.

“The CISO of a bank we talked to said his users were using on average 46 cloud services,” says Rajiv Gupta, Skyhigh’s affable, cerebral CEO, when we meet at the Covent Garden Hotel in London. “He needed to know the precise number for data privacy reasons and he thought the environment was very locked down. It turned out they were using a total of 968 cloud services.”

The numbers are big and stretch the definitions of enterprise cloud deployment to include personal users deploying iTunes, Skype for ad hoc communications and marketing across Twitter, Facebook and other networks. But it’s hard to challenge Gupta’s contention that all these constitute a risk vector in the age of bring-your-own-device and the consumerisation of IT.

This is what Skyhigh sets out to fix, via a service that, through automation and human intelligence, creates a model for assessing risk when deploying services. Cupertino, California-based Skyhigh’s mantra is to discover, analyse and secure companies across their cloud adoption lifecycle, and it’s a formula that’s winning favour with partners like Salesforce.com, Box, Jive and others.

Malware, compromised accounts and rogue employees, such as sales execs downloading customer data, are all threats. Skyhigh helps by spotting odd behaviour, such as high levels of requests to certain services, and by identifying user, device, data, business, service and legal risks. It does this through continuous assessment, either via software on customers’ premises or via a proxy/gateway in local datacentres. Are encryption, security controls and certification in place? When was the last time a compromise occurred? Skyhigh staff members find out and apply a rating to a scorecard so CIOs can show good information governance.

“It’s not a fixed meal,” Gupta says. Companies can give their own weightings to create customised risk profiles, and the goalposts move regularly. For example, many would argue that US services, in the wake of Edward Snowden, are now higher-risk entities than six months ago. And Evernote’s risk profile rose from 4/10 to 6/10 when it suffered a password breach. Skyhigh even scores itself (3/10, now you ask).

The company, founded two and a bit years ago, is adding 500 services per month to its roster to become a sort of Wikipedia of IT risk and back up its pledge of “cloud without risks”. Twenty staff make up Skyhigh’s ‘cloud intelligence team’ backed up by automated metrics and processes. In a little over a year, the company has won 200 corporate customers as it focuses on the world’s largest companies and some midsized ones too.

Skyhigh also works with a group called the Cloud Security Alliance that helps develop best practices, but surely the scale of its task would be better served by an industry consortium rather than a private organisation? Gupta demurs, noting that there is historical precedent for a private enterprise stepping in and becoming successful. He points to VeriSign, for example, and the way online payments were bolstered by its checks.

Gupta has an interesting background. He was in early at a big attempt to automate web services when he led the eSpeak project at HP in the late 1990s. Later he sold companies to Oblix/Oracle (Confluent for an undisclosed number of shares in 2004) and Cisco (Securent for $100m in 2007). But he thinks Skyhigh has more legs.

He points to the stat that 30% of IT is shadow IT, to the “revenge of the business department” trend whereby IT is being forced to cede control, and to the need for governance to which these trends lead. The goal is to create “a game-changing company”, he says, and the opportunity is, like the company’s name, sky-high.


Martin Veitch is Editorial Director at IDG Connect



Martin Veitch is Contributing Editor for IDG Connect
