As enterprises adopt cloud apps across virtually every business function, integration across apps is critical. App vendors have built robust APIs so partners can deliver solutions that enable enterprises to execute business more efficiently, facilitate important workflows, and make better decisions. The statement 'The sum of the whole is greater than the sum of the parts' describes the paradigm well — so much so that Salesforce.com has attributed more than 50 percent of its £2 billion revenue to its APIs. These easy integrations have given rise to ecosystems, or groups of satellite cloud apps that orbit popular 'anchor tenant' apps.
Organisations that are concerned about protecting sensitive data in the cloud need to go beyond securing the anchor tenants and incorporate those apps' ecosystems into their cloud app monitoring and policy regimens.
This report examines the ecosystems surrounding Box, Dropbox, Google Apps, and Salesforce (for purposes of this report, we will call these 'anchor tenants') and highlights usage statistics observed based on tens of billions of events seen across millions of users in the Netskope Active Platform during the three-month period between November 1, 2014 and March 1, 2015. While we point out apps that support an integration with the anchor tenants, this does not mean that each of those integrations is live in each enterprise.
A tangled web
Each of these anchor tenant apps has hundreds, and in some cases, thousands of ecosystem partners. Within the data, we observe active usage in dozens of ecosystem apps per anchor tenant. The average enterprise actively uses 28 Box, 20 Dropbox, 19 Google Apps, and 26 Salesforce ecosystem apps. These numbers are likely underreported as we did not differentiate between enterprises that had large and small deployments of these apps, and ecosystem deployments are heavily weighted in environments with strong investments in anchor tenants. This analysis also doesn't include second-level ecosystems (e.g., the ecosystem apps of Zendesk, which is an ecosystem app of Box and Salesforce), which would further enlarge the vast, intertwined web of interconnected apps.
One of the first things we observed is the richness of these ecosystems. For example, in the Box ecosystem, cloud apps represent 40 of the 55 different categories that we track, ranging from collaboration apps like WebEx to business intelligence apps like LucidChart to customer support apps like Zendesk. Each anchor tenant's ecosystem tells a similar story.
How these ecosystems work
Ecosystems can create important business solutions. Take DocuSign, an e-signature and digital transaction leader. When a sales contract is executed in Salesforce and requires approvals from executives in other departments such as finance, sales operations, client services, and billing, DocuSign can initiate a process to route the contract to special folders in Box, Dropbox, or Google Drive, and manage the process of obtaining the e-signatures required from across the organisation. Similarly, Slack, a platform for team communication, lets its users share files from Dropbox with other platform users, as well as quickly share Slack files to Dropbox.
These examples highlight both the usefulness of these integrations and how easy it is for business data to travel between apps, some of which are sanctioned, but many of which are not. While IT may have tight controls in place for the anchor tenant, it likely doesn't have such controls for the ecosystem apps orbiting — and sharing data with — that app.
People love ecosystems
When looking at usage data, we found that more than one-third (35.1 percent) of all app sessions occur across these four ecosystems. Of these, 59.3 percent are in the ecosystem apps alone (not including the anchor tenants). Given that IT underestimates cloud app usage by about 90 percent, it's likely that much of this usage occurs in enterprise IT's blind spot.
Data: boldly going wherever ecosystems allow
Drilling down into Salesforce's ecosystem, arguably the most mature in the market, we find significant activity involving business data. Our analysis revealed that 15.3 percent of data that's downloaded and 13.5 percent of all 'shares' (defined as someone sharing, sending, or emailing content to others from within an app like cloud storage or social media) are from a Salesforce ecosystem app (exclusive of Salesforce).
Perhaps most striking is that 44.4 percent of data loss prevention (DLP) policy violations (defined as a policy involving a content profile such as 'Personally Identifiable Information,' 'Protected Health Information,' 'Payment Card Information,' source code, or other sensitive information that's been set by an administrator and subsequently violated by a user) occur in the Salesforce ecosystem (exclusive of Salesforce). We believe this is high because the vast majority of DLP violations occur in storage and social media apps, two of the top three categories represented in the Salesforce ecosystem. This underscores the importance of extending data security policies beyond Salesforce (or another anchor tenant) to the entire ecosystem.
People will find a way to build ecosystems
As we were performing our analysis, we noticed that there are precious few apps that are completely unconnected from these ecosystems. Lack of needed integration has given rise to a market for apps (most of which are hosted in the cloud) that play the role of modern-day middleware. These apps include the popular cloud 'recipe' solution IFTTT and the app integration tools Zapier and itDuzzit. Where integrations are late in coming or, for competitive reasons, just aren't built, these apps easily act like 'glue' and bridge the gap so people can sync data and enable workflows for their lives and work.
If the number of unsanctioned apps in the four ecosystems doesn't make IT sit up and take notice, these cloud integrators certainly will. Ecosystem exclusivity will soon be a thing of the past (if it isn't already). In a world where 88.1 percent of all cloud apps aren't enterprise-ready, the existence of these apps creates a strong call to action for enterprise IT to enforce its security policies not just in sanctioned apps, but also across the vast array of unsanctioned apps in use in their organisation.
Contributed by Rajneesh Chopra, vice president, product management at Netskope