Skyhigh Comes Out of Stealth – Promises Overall Cloud Visibility and Control

One trait of cloud computing that has IT departments shaking in their boots is the face that since cloud services can often been purchased by end users on a credit card, it is often very difficult for central IT to have any sort of meaningful visibility over the different applications that are used. Indeed one of the main reasons cited for blocking the adoption of cloud is this “rogue IT” tendency.

It’s for this reason that services that promise to discover, analyze and ultimately control cloud services are gaining much attention at the moment – a case in point is Skyhigh Networks who launched recently with backing from one of the Valley’s most venerable VC firms, Greylock. Founded by a group of Cisco veterans, Skyhigh gave its first public glimpse at the RSA conference. Skyhigh is more than just a pretty PowerPoint deck to illustrate a concept however, it already has customers willing to go on record as using the product – including Cisco, Equinix, General Electric and the Torrance Memorial Medical Center.

So what can Skyhigh do? Core capabilities include:

  • Discovery: Log-based discovery and objective, customizable risk assessment of all cloud services in use by employees
  • Analysis: User, service, device, and data behavioral modeling and anomaly detection, utilization, benchmarking, and trending of all cloud service use
  • Control: three-click intermediation of selected cloud services for access control and encryption of data with enterprise-owned keys

At launch, Skyhigh enabled a cloud-based, multi-tenant service integrated with over 2,000 cloud services in over 30 categories such as storage and collaboration (e.g., Box.com), productivity (e.g., Microsoft Office 365), source code versioning (e.g., GitHub), and CRM (e.g., Salesforce.com). In one swoop – Skyhigh provides a compelling answer to most of the issues IT generally raises about cloud computing – visibility, security and control. Rather than extended public testing phase, Skyhigh is sufficiently sure about its product that it came out of stealth and directly went into general availability. So how does it work? From the website:

In minutes, the Skyhigh service discovers all cloud services being accessed and provides detailed ratings on the potential risks to the enterprise presented by each service. These detailed ratings are based on an objective weighted assessment of more than 30 security and legal risk factors. Leveraging a proprietary processing engine powered by Hadoop, the Skyhigh service analyzes all cloud service usage and detects anomalies that may indicate potentially harmful use or information leakage. It compares actual use of services with paid subscriptions, enabling organizations to slash their costs and eliminate unwanted or redundant services.

I’ve written many times previously about enterprises be unwilling to hand over control of services to third party vendors – cloud storage and collaboration is a good example where, despite many vendors efforts to build security into their products, enterprises feel uncomfortable with data leaving their control. By using Skyhigh as an intermediating services, the enterprise can ensure that in all cases, even when stored with third party vendors, encryption remains consistent and in the control of the organization. This concept might not be overly palatable to the storage vendors themselves – who gain part of their value proposition by both reducing storage costs through deduplication and aggregating data and deriving insights from it for customers – but for organizations who want control to remain closely held by themselves – it’s a good solution to the conundrum they face.

Co-founder Rajiv Gupta is obviously effusive in articulating the value of what Skyhigh is doing:

For the first time, enterprises can take advantage of the cloud without treating it as a threat and having it become Shadow IT… We give enterprise IT organizations immediate visibility, insight, and control so that they can enable cloud service adoption without friction to the employee or the provider

While he’s obviously biased, if one abstracts this away from being a comment about Skyhigh in particular, and looks at it more generally as a comment about cloud discovery, analysis and control solutions, the comment rings true.

Skyhigh is an excellent companion tool to single sign on and other broad offerings that straddle the different services that enterprises use, as such it comes into the watch of vendors looking to become broad-based cloud vendors – I’d not be surprised to see one of those vendors snatch Skyhigh up n a move designed to further lessen IT barriers to adoption of cloud services.

8 Comments
  • Well, what is so hard about discovering who is using which cloud application services? If you use an Internet security service, like Zscaler, routine reports would indicate who is going where to do what. If the users are already violating corporate policy, you just block the site and have a talk with the users about it. Officially supported cloud apps should have been vetted and put under IT management. Skyhigh seems like a way to more efficiently police the corporate network and gauge the relative risks and exposures, ostensibly coming from so-called rogue IT in the cloud. It think you need to look at what Skyhigh costs and what it claims to do before making a decision to implement it. Oh, a.And how do customers determine just how good Skyhigh is at their job?

    • Customers are trying to answer a few questions over and beyond what you get from any web proxy product (including zscaler). Two of those questions that come up commonly:
      1. Of all the web accesses captured in the proxy/firewall logs, which of them are to cloud services and what is the risk associated with use of these services? Skyhigh has a risk-based report and dashboard of services used and the associated risk. There are a number of properties of services (such as hosting location, multi-tenancy, certifications, encryption at rest, recent compromises, etc.) that are captured in a comprehensive Skyhigh Cloud Service registry; these attributes are used in computing risk of each service. Think of it as deeper intelligence into each Cloud service in use — rather than just a report of URL matches. None of the web proxy vendors do this today.
      2. Of the millions of accesses to Cloud services, which of them are the ones that are outliers that increases security/compliance risk for an enterprise? Skyhigh has an anomaly detection infrastructure that allows customers to get insight into anomalous or risky usage of any cloud service (including otherwise low risk services). These anomalies are detected based on statistical and behavioral outlier detection techniques. None of the proxy vendors do this kind of big-data analytics today.

      In fact, Skyhigh’s ability to provide these levels of visibility from both firewall and proxy logs, in any format, make this a solution that sits above existing proxy deployments, and is therefore very complementary. It is therefore not very surprising that we have many customers who use zscaler, scansafe, bluecoat, etc. in conjunction with Skyhigh.

      The output from Skyhigh are explicit recommendations of compensating controls to meet compliance/security needs of the enterprise — some of these compensating controls can be applied at an existing proxy/firewall (like blocking access to a service), and other compensating controls such as encryption, device validation, etc. can be applied in Skyhigh’s cloud hosted reverse proxy infrastructure.

      • OK, the Skyhigh “engine” captures and analyzes what is being sent/received in all the web browser sessions. This is a Big Data application…the volume of data is going to be huge. So, based on what the Skyhigh engine discloses about your use of various SaaS services, you can take some action, which might include implementing some policy in Skyhigh affecting certain kinds of web traffic…like encrypting data going into a particular SaaS platform.

        I would be curious about the latency in using this kind of service. I know that Zscaler adds about 8ms of latency, which is not detectable by humans. Zscaler also uses a world-wide network of sites to do what it does. Zscaler does retain some web traffic history so you can do reporting. Not sure how much of your web traffic history Skyhigh keeps around.

        BTW, I think you should indicate in the beginning of your post that you work for SkyHigh. Nothing wrong with that, just get it out there.

        • Tim – I assume your comment about working for Skyhigh was aimed at Sekhar and not me….

          • I think he did. BTW, clicking on my name above takes you to the skyhighnetworks website — so nothing hidden about my affiliation!

            Re. latency: depends on the kind of control you want to enforce on the traffic (encrypt/not, etc.); non-encryption controls are imperceptible to humans & encryption latency will depend on size of content to en[de]crypt. We also have a distributed footprint of reverse proxies that has proven to scale well.

            Re. Web traffic history: We do not proxy all traffic — only to the selected opted-in cloud services (we are a reverse proxy). For these services, we retain detailed access logs.

            • Yes, I could see that clicking on your name would take you to the SkyHigh website. That’s not my point. My complaint is that you did not mention your relationship to SkyHigh anywhere in your post. It is called being transparent. So just do it and don’t assume readers will figure it out.

              • Point well taken. BTW, I read your article on shadow IT (August’12)– it resonates very well with our discovery/risk assessment value proposition that allows IT to quantify service provider’s deviations from Corporate IT best practices (& controls) — that can guide the choice of compensating controls to be applied.

  • Oh! man – this is all big names with no sense. Login to the portal. It has My profile and sign out.

    What logs? how is auto discovery done? It is as cloudy as the word cloud?

    Yes – Cloud is sky high? Can we have some common use cases here where mere mortals can understand.

    So all enterprises are dumb to even realize what is here with Skyhigh?

Leave a Reply