How a Low Risk Cloud App Can Become a Big Threat


The SaaS economy is in full swing and assessing cloud app risk has become an important topic for IT security pros.  Once organizations have discovered all of the unsanctioned cloud apps adopted by employees, they usually want to take immediate action to mitigate any downside associated with the most risky apps.  If you discover 200 apps and 10 are considered “high risk” then those 10 are a good place to start. Makes sense.

But how can you be sure those 10 really represent the highest cloud risk for your specific environment?

Today’s cloud security tools have done a good job at helping IT staff identify general risks associated with different cloud apps.  For the most part, today’s various Cloud Access Security Broker (CASB) products rely on external log files from a firewall or secure web gateway, for example, and process those log files (containing user info, URLs, volume of traffic and more) to learn which apps are being used. Once the apps are identified, they are compared against the CASB vendors’ database or app catalog which represents their own internal research on the application provider. This research typically categorizes risk factors such as company information, their operational practices and certifications, security technology deployed, and the types of data objects and actions that can be executed within the application, to name a few.  While these are a necessary set of factors to consider, it’s not sufficient to accurately assess risk of your cloud apps. It’s the least common denominator – applicable to most companies, but specific to none.

What’s missing from the picture are contextual risk factors. The capability to combine actionable risk intelligence data that is specific to a company’s cloud users and SaaS configurations.  These factors are invaluable in assessing the true risk for your company, regardless of what the perceived risk of that app is to another company.  Examples of contextual risk factors that are unique for every company include:

  • Who are the admins for all our different cloud apps and how many are there?
  • Which ex-employees still have access to our cloud apps?
  • Are security settings for my individual cloud apps compliant with PCI DSS regulations, HIPAA regulations, ISO, NIST or other internal standards?
  • Am I notified when critical security configuration changes are made by SaaS administrators? Can I audit their actions?
  • What contractors, partners or external users are accessing our cloud data?
  • How do my app configurations compare against best practices benchmarks provided by the Cloud Security Alliance? What is my overall security posture compared to those best practices?
  • What specific configuration changes should I make to be more secure and compliant?
  • Which users have weak passwords for their cloud accounts? Is the correct password change policy enabled?
  • How many dormant accounts do I have for each SaaS application? How much expense is associated with these dormant accounts?

Cloud discovery tools that are unable to consider contextual risk elements may often underestimate the actual risk associated with cloud app usage. In fact, while a given cloud app may generically appear to have the same risk level from one company to another, depending on its actual implementation, the actual risk could be much higher. A “low risk” app could actually be a big threat in practice. In our view, combining all the benefits of traditional app discovery and risk along with contextual risk factors provides the most accurate assessment of cloud risk.

Today, Skyfence is pleased to announce the Skyfence Cloud Gateway version 4.0.  The new version includes innovative new features, including a set of Cloud Risk Governance features that help you more accurately assess risk given your unique implementation of a cloud app, including:

  • User Entitlements Review: Accurately identifies administrators, unauthorized users and excessive user permissions on an app by app basis; dormant accounts that have not been used for a specified period of time; orphaned accounts that represent ex-employees still able to access company data, and external users representing partners or contractors– all of which can increase risk associated with data stored in the cloud.
  • Application Security Configuration Review: Minimizes risk associated with misconfigurations by reviewing the actual configuration and security settings centrally, comparing them to a set of industry best practices and regulatory requirements such as those from the Cloud Security Alliance, PCI DSS and HIPAA, and provides specific remediation suggestions to improve security posture.
  • Integrated Remediation Workflow:Provides a built-in workflow that creates remediation tasks directly from the Skyfence Cloud Gateway dashboard and integrates with third-party ticketing systems.

We hope you’ll check it out.  To request a free trial or demo visit or email