Shadow cloud apps pose unseen risks

When individuals and departments bypass IT to acquire cloud services and apps, IT and security teams are blind to the security vulnerabilities and compliance issues they present.


It happens in every company. Employees find a cool new online service that makes them more productive. They create free or low-cost accounts on devices they use for work, and get all their friends and colleagues to join up. The new cloud service is great. The interface is a joy to use, it comes with mobile apps, and it spreads like wildfire.

The bad news is that these unauthorized cloud apps and services become part of the organization’s shadow IT, bypassing its IT, compliance, and procurement departments. The app may violate industry regulations or expose the company to significant security risks. Because it’s so entrenched, however, it's too hard to get users to stop using it.

How big a risk are shadow cloud services?

According to a cloud usage report that Netskope, Inc., released last month, employees at the average enterprise use 1,022 different cloud services, and more than 90 percent of those services are not enterprise-grade, meaning they lack the management, security, and compliance features that companies need. For example, 67 percent of cloud services do not state in their terms of service that the customer owns the data, and more than 80 percent do not encrypt data at rest.

A survey of 900 knowledge workers released last month by found that 48 percent of respondents admitted that they used apps not sanctioned by their IT department, including apps for note-taking, project management, and file sharing.

Optiv Security, Inc., provides cloud risk assessment services in which it monitors a company's web traffic for a set period and then reports back on the cloud apps in use. "We find literally thousands of applications being used inside an organization," says John Tuner, the company's senior director for cloud security. "That's often quite a shock to the IT folks. And it is often quite a shock when we detail out not just the thousands of apps, but the usage of those apps, the amount of data that's going back and forth, and the type of data going back and forth."

Trying to shut it all down just forces users underground, and the problem only gets worse — or there's so much push-back from the business units that the effort is abandoned. "In most cases, the productivity benefits are often business priorities of the organization," Tuner says. "If they block it, the team that blocks it will get four or five requests a week to unblock new applications. In many cases, they are overridden by someone above the security department."

"There is a proliferation of cloud-based solutions for almost any problem facing any company in almost any industry," says Alvaro Hoyos, CISO at OneLogin, Inc. "If one of your teams has a pain point, there is likely a solution out there for them."

It's a huge problem and only getting worse, says David Holmes, threat research evangelist at F5 Networks, Inc. "Every little service you can think of is getting cloudified," he says. "It's so easy to whip out your corporate Amex card."

The challenge of identity, security, and data protection in a cloud world

It starts with user identities. When employees sign up for services on their own, they typically create a new, personal user account. "For a long time, all these cloud applications were relying on their own identification and authentication system based on user name and password," says Francois Lasnier, SVP of authentication at Gemalto. "If you wanted to sign up for, you had to create an account within. It was basically putting the identity system within these cloud applications."
