FIELD OF THE INVENTION

[0001] The present invention relates to information technology monitoring.

BACKGROUND OF THE INVENTION

[0002] Organizations need to understand their data and their business processes -- how their data is generated, how it is transformed, where it comes from, and where it goes. Organizations also need to know how their employees access, process and use their data and computer applications, and which data applications and data services their employees use. Failure to monitor data, data applications and data services can result inter alia in loss of data, sensitive data leakage, malicious attacks, uncontrolled spending, redundancy and regulatory compliance gaps.

[0003] To this end, organizations deploy discovery and monitoring solutions that track their data flows and discover data applications and data services being used by their employees. Conventional discovery and monitoring solutions use network traffic inspectors to analyze and discover data flows, data application transactions and data service transactions into and out of an organization. Conventional discovery and monitoring solutions apply network analysis to gain visibility to data applications that run on their networks. Conventional discovery and monitoring solutions rely on network inspecting entities including routers, switches, firewalls and proxy gateways. [0004] However, these conventional discovery and monitoring solutions suffer from several drawbacks, stemming from the fact that a data application, data service or data flow that is not visible to an organization's network inspecting entities cannot be discovered and monitored.

[0005] With the evolution of cloud-based software-as-a-service (SAAS), employees of organizations are adopting cloud solutions without centralized control and even without knowledge of their organizations. Such behavior is referred to as "shadow IT", and arises as users sign up on their own initiatives to data services including inter alia data storage, data applications and messaging services, bypassing information technology (IT) processes, controls and approval of the organizations. Background information about shadow IT is available at http¾://en- jkipe{: a.org/ jki/S adow IT.

[0006] Cloud solutions move data to and from the cloud, which is outside of organization networks, and use application provided by third parties outside of organization networks. Moreover, employees of organizations use these cloud data applications and data services from their homes and from their mobile devices and interact with these cloud data applications and data services over public networks such as the Internet, and generally the data does not flow through the organizations' network inspection entities. Further complicating discovery and monitoring, cloud services use often encrypted network traffic and, as such, even if the traffic is routed through an organization's network inspection entity, the network inspection entity is unable to determine the nature of the traffic and is thus unable to discover shadow-IT traffic. Furthermore, obtaining network logs from network inspection entities such as firewalls, switches, routers, requires inter alia substantial effort and delegation of access rights, which make such network logs difficult to access.

[0007] Reference is made to FIG. 1, which is a prior art system for IT discovery. FIG. 1 shows an enterprise network 100 employing a conventional network traffic inspector 110 to inspect data traffic into and out of an organization, and employees 1 - 5 of the organization. FIG. 1 also shows an Internet cloud 200 and cloud services 210A, 210B and 210C. For example, cloud services 210A, 210B and 210C may include a collaborative document management service, such as OFFICE 365 ^® developed by Microsoft Corporation of Redmond, WA, a file sharing service, such as BOX. NET ^® developed by Box.net, Inc. of Palo Alto, CA, and an e-mail service, such as GMAIL ^® developed by Google Inc. of Mountain View, CA.

[0008] Employees 1, 2 and 5 are working within the organization or within virtual private networks of the organization, and their data traffic is indeed monitored by network traffic inspector 110. Employees 3 and 4, however, are accessing cloud-based services 210A, 210B and 210C directly from locations outside of the organization and, as such, escape monitoring by network traffic inspector 110.

[0009] It would this be of advantage to provide robust discovery and monitoring systems and methods that cover today's cloud/SaaS environments. SUMMARY

[0010] Embodiments of the present invention provide robust discovery and monitoring systems and methods that discover and monitor cloud/SaaS environments.

[0011] There is thus provided in accordance with an embodiment of the present invention a system for shadow IT discovery, including a message monitor monitoring an enterprise messaging service that provides communication between users belonging to the enterprise and cloud services, and discovering a message relating to a specific cloud service, a message analyzer analyzing the message discovered by the message monitor to determine (i) the nature of the specific cloud service, and (ii) one or more enterprise users who use the specific cloud service, and a reporter reporting the results of the message analyzer to an administrator of the enterprise.

[0012] There is additionally provided in accordance with an embodiment of the present invention a method for shadow IT discovery, including monitoring an enterprise messaging service that provides communication between users belonging to the enterprise and cloud services, discovering a message relating to a specific cloud service, analyzing the discovered message to determine (i) the nature of the specific cloud service, and (ii) one or more enterprise users who use the specific cloud service, and reporting the results of the analyzing to an administrator of the enterprise. BRIEF DESCRIPTION OF TH E DRAWINGS

[0014] The present invention will be more fully understood and appreciated from the following detailed description, taken in conjunction with the drawings in which :

[0015] FIG. 1 is a prior art system for IT discovery;

[0016] FIG. 2 is a system for shadow IT discovery, in accordance with an embodiment of the present invention; and

[0017] FIG. 3 is a method for shadow IT discovery, in accordance with an embodiment of the present invention.

[0018] For reference to the figures, the following index of elements and their numerals is provided. Similarly numbered elements represent elements of the same type, but they need not be identical elements.

[0019] Elements numbered in the 1000's are operations of flow charts.

DETAILED DESCRIPTION

[0020] In accordance with embodiments of the present invention, systems and methods are provided for discovery and monitoring of cloud services used by people including inter alia employees, agents and contractors of an organization.

[0021] Reference is made to FIG. 2, which is a system for shadow IT discovery, in accordance with an embodiment of the present invention. FIG. 2 shows enterprise network 100, network traffic inspector 110 and employees 1 - 5 of the organization. FIG. 2 also shows Internet cloud 200 and cloud services 210A, 210B and 210C. For example, cloud services 210A, 210B and 210C may include a collaborative document management service, such as OFFICE 365 ^® developed by Microsoft Corporation of Redmond, WA, a file sharing service, such as BOX. NET ^® developed by Box. net, Inc. of Palo Alto, CA, and an e-mail service, such as GMAIL ^® developed by Google Inc. of Mountain View, CA.

[0022] Employees 1, 2 and 5 are working within the organization or within virtual private networks of the organization, and their data traffic is indeed monitored by network traffic inspector 110. Employees 3 and 4, however, are accessing cloud-based services 210A, 210B and 210C directly from locations outside of the organization and, as such, escape monitoring by network traffic inspector 110.

[0023] FIG. 2 also shows an enterprise messaging system 150 such as an e-mail system, with messages 152, 153 and 154, and a shadow IT discovery system 300 including a message monitor 310, a message analyzer 320 and a reporter 330. Shadow IT discovery system 300 connects, via an application programming interface (API) and/or network protocols to enterprise messaging system 150. [0024] Message monitor 310, message analyzer 320 and reporter 330 may be software modules or hardware modules under program control of a computer processor.

[0025] Message monitor 310 monitors messages for indications of cloud services. Thus when a user starts using a service such as salesforce.com, the user first registers with the service and receives an e-mail from the service authenticating the user's e-mail address and optionally sending the user a message welcoming him to the service. When certain events occur with cloud services, the user receives an e-mail advising him about the events. Message monitor 310 monitors enterprise message system 150 for presence of such messages.

[0026] When message monitor 310 discovers such a message, the message is forwarded to message analyzer 320 which then analyzes the message based on properties including inter alia meta-data, subject, content, links, headers, message destinations, and attachments. Message analyzer 320 also applies pattern-matching algorithms to analyze the message for presence of patterns indicating inter alia subscription to and usage of cloud services. Such in-depth inspection of a message itself and its meta-data reveals the type of usage, enabling granular shadow-IT discovery including sign-up date, first-user discovery recent usage.

[0027] Thus message analyzer 320 may determine that user U is using cloud service S at time T. Message analyzer 320 may further determine additional information, including inter alia (i) if user U has administrator privilege for the cloud service, (ii) if the usage by user U is via a paid subscription or a trial subscription, (iii) existence of external users who collaborate with user U in use of service S, (iv) the first user of the organization ("user-zero") who adopted cloud service S, (v) when cloud service S was first adopted, and (vi) the most recent use(s) of service S. Messages analyzer 320 identifies the nature of the usage of service S, and the people who are collaborating with this usage. For example, message analyzer 320 may determine that an e-mail message from salesforce.com was received from a customer, that user U is using salesforce.com, and that a file from salesforce.com is being shared with another user V. Such information cannot be discovered by conventional discovery and monitoring solutions.

[0028] After message analyzer 320 analyzes a message, reporter 330 reports the results of the analysis to an administrator of the organization.

[0029] Message analyzer 320 may be programmed to detect specific alert trigger events, and reporter 330 may include a policy manager that automatically or manually performs specific actions, such as notifying an administrator or notifying user U, in response to detection of the alert triggers.

[0030] It will be appreciated by those skilled in the art that shadow IT discovery system 300 is not bound to limitations of conventional network traffic analysis. Shadow IT discovery system 300 is able to monitor any person who uses enterprise messaging system 150, and others who collaborate with that person, regardless of how that person connects to cloud services 210A, 210B and 210C, from where that person connects to cloud services 210A, 210B and 210C, and from which device that person connects to cloud services 210A, 210B and 210C. Shadow IT discovery system 300 may be located anywhere, inside or outside of enterprise network 100, and may even be located in the cloud. Shadow IT discovery system 300 may use API calls to remotely monitor enterprise messaging system 150 without actually accessing the network traffic itself.

[0031] It will be appreciate by those skilled in the art that shadow IT discovery system 300 is able to monitor enterprise messaging system 150, even when messaging system 150 is itself cloud-based.

[0032] Reference is made to FIG. 3, which is a method 1000 for shadow IT discovery, in accordance with an embodiment of the present invention. At operation 1010 message monitor 310 monitors enterprise messaging system 150 for presence of messages relating to cloud services. At operation 1020 message monitor 310 discovers a message relating to a specific cloud service. At operation 1030, message analyzer 320 analyzes the discovered message to determine inter alia the nature of the specific cloud service, and enterprise users who use the specific cloud service. As explained above, message analyzer 320 analyzes the discovered message based on properties including inter alia meta-data, subject, content, links and attachments. Message analyzer 320 also applies pattern-matching algorithms to analyze the message for presence of patterns indicating inter alia subscription to and usage of cloud services. At operation 1040, reporter 330 reports results of message analyzer to an enterprise administrator.

[0033] It will be appreciated by those skilled in the art that the systems and methods described above have the ability to discover and monitor all cloud-based services and applications used by employees of an organization. However, according to an embodiment of the present invention an administrator may apply a filter to restrict discovery and monitoring reports to non-sanctioned services and applications; i.e., to services and applications deemed to be shadow-IT. For example, a cloud-based service such as Box.net, or any cloud-based service discovered by message analyzer 320, may be tagged as an approved service, and filtered out of the discovery and monitoring reports generated by reporter 330.

[0034] In the foregoing specification, the invention has been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made to the specific exemplary embodiments without departing from the broader spirit and scope of the invention. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense.