Shadow IT: Mitigating Security Risks

Shadow IT evokes images in CISOs' minds of employees sneaking new technologies into the organization right under the noses of corporate IT. In most cases there is no malicious intent by lines of business in wanting to deploy unapproved technology and applications as-a-service. They are just trying to be as productive as possible, and they often see IT as an impediment to forward progress.

However, the proliferation of easily provisioned cloud applications has resulted in security and compliance risk to organizations. A study conducted by Frost & Sullivan and Intel Security found that more than 80% of survey respondents admit to using non-approved SaaS applications in their jobs. Just 8% of companies, meanwhile, know the scope of shadow IT at their organizations.

Even more alarming, 23% of respondents in a 2016 Intel Security survey said their departments handle security without IT’s help. Without proper education and controls, users can unwittingly transmit and store sensitive business information increasing regulatory and compliance risk for the organization.

Fortunately, IT security teams can contain much of the risk through a combination of sound policies and technology – steps that will also help them gain a measure of control over shadow IT.

Put sound practices in place

Good security practices begin with education – and persuasion. In a world of simple self-service, being known as the department of “no can do” just doesn’t work. Most IT organizations want to become the department of “yes, we can help you with that,” but they worry about the risks to security and compliance. The more that IT partners with the business in enabling self-service and cloud capabilities, the more the security team becomes a key part of the conversation.

Fortunately, once most users understand the damage that data leaks can cause to the organization, they’re more willing to embrace some basic protection and prevention practices.

You’ll want to start by providing basic training and simple checklists that cover best practices. Education is the single most effective way to improve information security. Make sure cloud services are covered in your curriculum. Effective training can take many forms, from monthly newsletters to real-life scenarios delivered through short videos or simulations.

You’ll also want to put controls in place. Don’t block access by default, but focus on controls such as authentication through the corporate directory or centralized billing. This allows IT to track which accounts exist without imposing any burden on users. In fact, it makes things easier for those users.

Another important step is creating a list of sanctioned cloud services and acceptable/unacceptable practices. Make this list fluid. Offer to evaluate new services to then expand the list based upon user requests. Consider designating services on the approved list as safe for users to provision without approval. Where approval is required, put in place a fast-path process to grant access. If approval times stretch out for days, users will simply ignore the rules.

For services that are popular with users but carry a high level of risk, offer alternatives that you can control.

Monitor and administer

Despite your best efforts, some people will ignore the rules. That’s why you need to monitor activity. One low-tech but effective technique is to have your finance department monitor expense reports for evidence of unauthorized applications.

Secure web gateways are often used for malware prevention, but they can also be a tool to spot shadow IT instances. Analyzing web access logs can uncover destinations that are receiving a large amount of outbound traffic, and some gateways will even include the application names in their reporting so you can take action. Gateways permit you to filter and block prohibited URLs and ports, which means they can be used to block access to unapproved cloud services. If you require authentication to be done through the corporate directory, your gateway can easily be configured to look for login prompts that indicate an unauthorized service is being used.
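The log analysis described above, as an added example that is not part of the original article: it reads constructed secure-web-gateway log lines, totals outbound bytes per destination host, and reports hosts that are not on the sanctioned-services list (the "fluid list" recommended earlier) and have received more than a threshold of uploaded data. The log format, hostnames, byte counts and sanctioned list are all assumptions made for the illustration.

```python
"""Added example (not from the original article): summarise outbound bytes per
destination from constructed gateway log lines and flag hosts that are absent
from a sanctioned-services list. Format, hosts and counts are constructed."""
import re
from collections import defaultdict

# Constructed, simplified gateway log format (assumption: one request per line):
#   <timestamp> <user> <method> <dest_host> <bytes_sent> <bytes_received>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<sent>\d+)\s+(?P<received>\d+)$"
)

# Constructed sample log; one deliberately malformed line exercises the parser.
SAMPLE_LOG = """\
2016-05-02T09:01:12Z alice POST files.example-sanctioned.com 52428800 512
2016-05-02T09:03:40Z bob POST share.unsanctioned-example.net 10485760 300
2016-05-02T09:04:01Z alice GET news.example.org 420 90000
2016-05-02T09:10:55Z carol PUT share.unsanctioned-example.net 31457280 200
2016-05-02T09:12:08Z dave POST files.example-sanctioned.com 1048576 256
this line is malformed and must be skipped
2016-05-02T09:15:30Z bob GET share.unsanctioned-example.net 300 2048
"""

# Hypothetical sanctioned-services list; in practice this is IT's approved list.
SANCTIONED = {"files.example-sanctioned.com"}


def parse_log(text):
    """Yield one record dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sent"] = int(rec["sent"])
        rec["received"] = int(rec["received"])
        yield rec


def outbound_by_host(text):
    """Aggregate bytes sent and the set of distinct users per destination host."""
    totals = defaultdict(lambda: {"sent": 0, "users": set()})
    for rec in parse_log(text):
        totals[rec["host"]]["sent"] += rec["sent"]
        totals[rec["host"]]["users"].add(rec["user"])
    return totals


def flag_unsanctioned(text, sanctioned, min_bytes=1_000_000):
    """Return [(host, bytes_sent, user_count)] for hosts not on the sanctioned
    list that received at least min_bytes outbound, largest first."""
    totals = outbound_by_host(text)
    flagged = [
        (host, t["sent"], len(t["users"]))
        for host, t in totals.items()
        if host not in sanctioned and t["sent"] >= min_bytes
    ]
    return sorted(flagged, key=lambda x: x[1], reverse=True)


if __name__ == "__main__":
    for host, sent, users in flag_unsanctioned(SAMPLE_LOG, SANCTIONED):
        print(f"{host:40} {sent:>12} bytes out from {users} user(s)")
```

Ranking by bytes sent rather than request count is deliberate: a few large uploads to an unapproved file-sharing host are the signal you want, while many small GETs to a news site are noise. Where the gateway already names the application in its reports, the host-to-service mapping can be replaced by that field, and the byte threshold should be tuned to the organization's normal traffic.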

One approach that is gaining traction to secure data in the cloud is the cloud access security broker (CASB). CASBs allow for the centralized control and enforcement of security policies, giving CISOs control and visibility, with consistent security policies applied wherever the data is stored, shared, or otherwise accessed.

The biggest risk of shadow IT is unintentional disclosure of data, and cloud providers still have some trust-building work to do. Intel Security’s State of Cloud Adoption survey found that just 13% of IT decision-makers said they completely trust public cloud providers to secure sensitive data. Share that information with your colleagues on the business side.

Other data-focused tactics you can take include the following:

  • Prohibit data exchanges between internal and cloud applications without IT approval. If necessary, you can configure your firewall or a proxy server to block uploads of a certain file type. You can also apply functionality controls to high-risk cloud apps at the IP level to restrict activities like uploading, posting, and downloading.
  • Use data loss prevention (DLP) software to restrict the flow of data to cloud apps. DLP software can be configured to recognize and restrict the transfer of sensitive data like personally identifiable information (PII), payment card information (PCI), and personal health information.
  • Use published APIs for application interconnection, with data stored behind the firewall. APIs minimize data transfer and ensure that data is never stored on cloud provider servers.
  • Encrypt data behind your firewall, and never send plain text over the public Internet. Most cloud service providers offer strong encryption by default or as an option. Be sure to ask for control over encryption keys.
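The DLP tactic in the list above, as an added example that is not the article's own code: a minimal content check that classifies outbound text as containing payment card data (candidate digit runs validated with the Luhn checksum to cut false positives) or a US Social Security number, and refuses an upload when the organization's policy covers that class. The patterns, the policy set and the sample texts are constructed for illustration; a real DLP deployment would carry far more detectors and tuning.

```python
"""Added example (not from the original article): a minimal DLP-style check
that flags text containing Luhn-valid payment card numbers or US SSNs.
Patterns and sample inputs are constructed for illustration."""
import re

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. Candidates are confirmed with the Luhn checksum below.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSN shape with the well-known invalid area/group/serial values excluded.
SSN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum over a string of ASCII digits (true for real card PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the normalised digit strings of Luhn-valid card numbers in text."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(text):
    """Return the set of sensitive-data labels found: a subset of {'PCI', 'PII'}."""
    labels = set()
    if find_card_numbers(text):
        labels.add("PCI")
    if SSN.search(text):
        labels.add("PII")
    return labels


def upload_allowed(text, policy=frozenset({"PCI", "PII"})):
    """Allow the upload only if none of the policy's restricted classes appear."""
    return not (classify(text) & policy)


if __name__ == "__main__":
    # Constructed documents: a test Visa PAN, a look-alike order number, an SSN.
    for doc in ("Card on file: 4111 1111 1111 1111",
                "Order 1234567890123456 shipped",
                "Employee SSN 123-45-6789",
                "Quarterly summary, nothing sensitive"):
        print(f"{classify(doc) or '-'!s:12} allowed={upload_allowed(doc)}  {doc}")
```

The Luhn step is what separates a usable control from one users learn to ignore: a sixteen-digit order or tracking number has the same shape as a card number, and blocking every such upload trains people to route around the tool, which is exactly the shadow IT behaviour the policy is trying to reduce.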

A combination of technologies and practices like those outlined above can blunt the risk of shadow IT. The balancing act is to choose security controls that will protect vital data while enabling lines of business to have the IT services they need to drive growth and innovation. Business users will be more satisfied and productive if they’re empowered to make their own choices. By developing an environment that transitions the IT department into a service-delivery organization that says yes, not no, you can reduce the risks associated with shadow IT, reduce the risk of cloud-based services, and protect your core business assets regardless of where they reside.


Copyright © 2016 IDG Communications, Inc.