How many cloud services is your business using right now?
Whatever number you came up with, the real number is probably two or three times higher, says Eric Christopher, CEO of SaaS management platform Zylo.
“We go to customers and ask them if they think they have a lot of cloud apps. They say ‘oh my gosh, we do’ but they don’t know how many. If they guess 50, it’s actually 180,” says Christopher.
“There are lots of studies that say CIOs say shadow IT is in maybe 40 percent [of companies]; we see it’s in 70 or 100 percent of our customers. it used to be that a company would buy one thing for millions of dollars and it would go through one small group. Not any more. It’s multi-millions of dollars that get rolled up into some budget like marketing where no-one can see it.”
Knowing what cloud services your business is using also gives you the opportunity to see what integration points you should be exposing to those services. If Salesforce is in use across your business, you want it to connect to the right internal systems to make it more useful to users.
That’s where cloud management services like Zylo come in.
Zylo aims to give you visibility into what cloud services you’re paying for and how efficiently you’re using them — because it turns out that you can still have shelfware with cloud services.
“We integrate with all your financial systems, we pull in every SaaS application that’s purchased across your business [including on expense reports], we combine that with data from Okta and we also grab user sentiment — like a net promoter score — and we put it all in one place,” Christopher told CIO.com.
“You can look across your business and see things that are either not being used at all, or are only being used half the time,” Christopher says, adding that, on average, 10 to 20 percent of cloud service subscriptions are underutilized. “Then you can get into redundancy and overspending. We see companies that might have 25 collaboration systems or 20 video conferencing systems. That might be because you have a department that needs different collaboration tools for what they need to do, but you might have compatibility issues and we can surface that for you.”
That’s an opportunity to streamline what services you’re using and reduce waste, but it can also help you find services one team is getting value from that might be useful elsewhere in the business.
Working out which services are underused isn’t as simple as looking at how often users log in, however. “If it’s Salesforce, if you're paying $200 a month for a licence you should probably log into it daily; if it's something like Domo [a dashboard aggregation service] maybe that's a weekly login because you're getting your updates,” says Christopher.
Zylo can get information about your users from Active Directory and pull in more details of how those cloud services are used by integrating with Okta, an identity and single sign-on service that lets businesses manage multiple cloud services and subscriptions.
Speaking of Okta, with it you can assign licences to employees, including who has admin access to different services, or set conditional access policies that use contextual security (like whether the person logging on is where you expect them to be, or connecting from an IP address that’s known to be malicious). That will soon support the emerging FIDO standard (which is built into Windows 10 as Windows Hello), giving you simple two-factor authentication to replace passwords for IaaS services like AWS as well as for SaaS tools.
Microsoft’s Azure Active Directory Premium also includes a cloud service audit tool, along with its single sign-on and multi-factor authentication support for hundreds of cloud services. Rather than looking at your finances, this checks what online services systems on your network are accessing, and Azure AD Premium also has conditional access policies that let you block logins or switch a user to multi-factor authentication if they’re trying to log in from a malicious IP address or a location that they couldn’t physically get to in the time since they last logged in.
These cloud services take a slightly different approach from more traditional cloud access security brokers (CASB) because they focus on managing multiple services rather than securing the information that goes to those services. But CASBs like Skyhigh and Palerra increasingly integrate with them because they’re such a useful source of information, especially as they’re starting to cover more than just straightforward cloud services.
Cloud to cloud
Cloud services are becoming increasingly integrated and interconnected, most commonly via APIs. Software developers can use APIs to call Twilio to send text messages, Bing Cognitive Services to recognize images, Google Maps for location information and Salesforce for customer data and Stripe for payment, and use those to create an app, or to access features from one cloud service inside another. Webhooks let you send a Zendesk service request to a Slack channel, or trigger a Microsoft Flow workflow when a file stored in Box gets updated.
APIs are how a cloud service like DocuSign lets you send documents stored in Box or Office 365 for signature. You can already use Microsoft's Office Online web versions of Word, Excel and PowerPoint to open documents that are stored in Box and Dropbox as well as in OneDrive and SharePoint Online, and now even Google Docs is opening up to alternative storage services — soon you'll be able to open documents from Box in Google Docs, Sheets and Slides.
Okta itself is introducing support for more cloud services by letting admins manage APIs by policy, through integration with Mulesoft and Apigee (which Google is in the process of acquiring). That's not just useful to developers, says Okta’s chief product officer Eric Berg. “Enterprise customers told us that has value for the IT team, because they can centralize access policies for APIs in the same place they do it for users and cloud services.”
For example, Berg says, “if you want to integrate JIRA into Slack, the user has to have admin access to do that. With Okta managing API access, it has admin authority for JIRA so you can do that programmatically. You can have a workflow for users to request JIRA integration.” You could even write a bot for Slack to make that an interactive experience right inside the Slack channel, without waiting for an admin to do the integration.
These integrations would give you some of the features of centralized management for privileged accounts on cloud services, something IT teams are used to having with on-premise software and often find lacking in cloud equivalents.
The Okta example
As a company, Okta is an extreme example of the way businesses acquire cloud services. It uses 150 cloud services to run its business, the new CIO Mark Settle told us. “Most of them were purchased and introduced to the company by different product groups; only 15 percent of Okta’s technology spending goes through the IT team, and the rest is the functions.” Settle jokes that that makes his official IT team the shadow IT team, but he sees a common trend that tools like Okta can help make more manageable.
“The question is what’s the right balance? You want to get out of the command and control, fortress IT mentality. What the business wants is people using technology, and someone in marketing has much more domain knowledge [to choose the right cloud service]. How much is too much? Something that messes up the financial numbers so you’re reporting the wrong thing; something that’s a security problem.”
The cloud services for managing cloud services discussed in this article will help you keep tabs on that.