Another angle on consumerization: How about using a CASB to decide when to allow shadow IT?

A conversation with CASB vendor Netskope brought up another approach to shadow IT and users choosing their own apps.

Recently I’ve been talking to more people about cloud access security brokers (CASBs), and getting to know some of the vendors in the space.

Since enterprise adoption of cloud and SaaS apps is really growing fast these days, CASBs are definitely something we should pay attention to: Along with EMM and identity management, they give us another tool for keeping everything visible, manageable, and secure as we move into the mobile and cloud era.

What is a CASB? You can read my full article here, but typically they use a combination of traffic inspection and APIs to provide visibility and control across multiple cloud apps.

Right now I’m not trying to do a full head to head bakeoff of all the different CASBs out there, but I am writing about interesting conversations I have or new angles I learn about. (Recently I wrote about Bitglass, which is aggressively marketing their CASB as an alternative to EMM.)

Anyway, let’s get to the conversation I had with Netskope. (I talked to Sanjay Beri, Netskope’s CEO, and Bob Gilbert, VP of product marketing.)

Netskope does the typical CASB stuff, leveraging both cloud app APIs and traffic inspection. Another thing they do is classify cloud apps by how trustable they are. They do this by looking at how good their security policies are, whether they’re a reputable provider, whether their terms and conditions let users keep ownership of their content, and so on. They can also classify content with their DLP engine (which can even look into the traffic of desktop sync clients), and they know about users and their devices (through integrations with EMM and identity management platforms).

Naturally, with all these tools there are a lot of different ways you can build policies. A typical policy might be to block data from leaking into unsanctioned cloud apps, or to use DLP to put more restrictive policies around sensitive content.

But the idea that got my attention was this: instead of just concentrating on stopping data leakage, what about also making policies that are specifically about allowing employees to use un-official personal apps of their choice? This would only take place under certain conditions, of course—Netskope could be used to build a policy that makes sure that the app is reasonably secure (and not some sketchy content-stealing junk) and that the content going into it isn’t sensitive.

This is interesting because it brings a degree of nuance to the conversation about officially-sanctioned corporate apps versus shadow IT and users choosing their own apps.

In the past, we thought of this conversation in black and white terms: Say there’s a company, and its only file sharing option is a traditional network file share. As we know, the users will revolt and go out and get something like the consumer version of Dropbox on their own. But say the company then decides to pay for and deploy their own enterprise file sync and share, like ShareFile or Box. Now the company is finally providing users with a viable tool, so it would be reasonable to make a policy that says users are not allowed to use personal consumer Dropbox accounts, and instead are required to use the official EFSS the company bought.

But now, with this new more nuanced view of personal cloud apps (which can be enabled with a CASB like Netskope) the company’s policy could be updated to also let employees store non-sensitive data in personal file sync and share services, under certain conditions. This could make them happier and more productive.

Of course there are still spots that a CASB can’t see, like personal apps on unmanaged devices that aren’t on a corporate network, but this has always been a known factor for all of our shadow IT conversations. In this case, the policies that protect corporate data in officially sanctioned apps could be tightened appropriately.

Sure, all of this could have been done with various tools in the past, but the point of a CASB is to make this a lot more integrated and practical to implement, since they have so many different ways to get visibility and create policies.

Here’s another interesting use case that Netskope told me about: In the financial securities industry, FINRA regulations mean that employees are forbidden from giving stock advice on social media. For a company to ensure compliance, one option might be to just block all social media sites, but these days social media is a part of many people’s jobs, so this just isn’t practical. Instead, they can use DLP to create a policy that blocks tweets and status updates that include both a stock ticker symbol and the word “recommend” or “guarantee.”
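To make the two policy ideas above concrete, here is an added illustration in Python (my own sketch, not Netskope's product logic): the "allow a personal app when the app is trustworthy and the content is non-sensitive" rule, and the FINRA-style rule that blocks a social post containing both a ticker and the word "recommend" or "guarantee". The app trust tiers, the sensitivity patterns and the `$TICKER` cashtag format are constructed assumptions.

```python
import re

# Constructed sample data: a CASB rates each app on security posture, provider
# reputation and content-ownership terms; these tiers are made up for the example.
APP_TRUST = {"box.example": "high", "dropbox.example": "medium", "sketchyshare.example": "low"}
SANCTIONED = {"box.example"}          # the company's official EFSS
TRUST_RANK = {"low": 0, "medium": 1, "high": 2}

# Assumed DLP patterns standing in for a real DLP engine's classifiers.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),      # US SSN-like number
    re.compile(r"\bCONFIDENTIAL\b", re.I),      # document marking
]

# Assumed ticker format ($ACME) and the advice words named in the text.
TICKER = re.compile(r"\$[A-Z]{1,5}\b")
ADVICE = re.compile(r"\b(recommend|guarantee)\b", re.I)


def is_sensitive(text: str) -> bool:
    """DLP stand-in: does the content match any sensitive pattern?"""
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def upload_decision(app: str, text: str, min_trust: str = "medium") -> str:
    """Shadow-IT policy: sanctioned apps always allowed; an unsanctioned personal
    app is allowed only if it meets the trust threshold and the content is not sensitive."""
    if app in SANCTIONED:
        return "allow: sanctioned app"
    tier = APP_TRUST.get(app, "low")          # unknown apps get the lowest tier
    if TRUST_RANK[tier] < TRUST_RANK[min_trust]:
        return "block: app below trust threshold"
    if is_sensitive(text):
        return "block: sensitive content to unsanctioned app"
    return "allow: non-sensitive content to trusted personal app"


def social_post_decision(text: str) -> str:
    """FINRA-style rule: block only when a ticker AND an advice word appear together."""
    if TICKER.search(text) and ADVICE.search(text):
        return "block: stock advice on social media"
    return "allow"
```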

Again, not all of these things are brand new ideas, but the idea that a CASB like Netskope can help wire everything together, give visibility into disparate cloud apps, and provide the intelligence to make all sorts of new types of policies is really interesting. If this means that there are more ways to deal with shadow IT and users that want to choose their own productivity apps, then that’s really interesting, too.

Stay tuned for more on CASBs—like I said, they seem to be especially relevant these days. One of the things I’m planning on writing about soon is how they (along with other newer EUC security products) are leveraging machine learning and AI.
