How can we manage shadow IT?
7 June 2018
Jay Barbour, Director of Security Product Management at Masergy offers advice on coping with and embracing the reality of shadow IT.
As Software-as-a-Service (SaaS) adoption accelerates and enterprises shift more applications to the cloud, security and IT decision makers face the critical challenge of securing their environments.
In fact, with Gartner’s Magic Quadrant for Cloud Access Security Brokers (CASB), estimating that cloud will consume a larger portion of enterprise IT budgets over the coming decade – the challenge is only set to increase. But, there’s an even bigger issue bubbling under the surface – the reality of shadow IT.
With an abundance of consumer-focused applications available on the market today, it’s common for employees to install software on the sly, without it being vetted by the IT department. In many instances, sensitive enterprise data is being uploaded to these services, which puts the entire organisation at risk of a data breach.
But, it’s not just a productivity app here and there, shadow IT also includes the personal technology employees use at work, such as employee-owned laptops, mobile phones and other connected devices, or specialist systems which meet the needs of individual business units.
With today’s easy access to cloud-based applications, it’s virtually impossible to prevent shadow IT within an enterprise. So, in order to keep employee engagement and productivity levels high, organisations should look embrace it rather than stop it, putting policies and mechanisms in place to ensure the technology is beneficial, rather than a source of vulnerability.
The need to boost productivity
Most companies want to ensure that employees have the technology they need to be successful. It’s important for IT professionals to understand why employees may choose to use alternative services versus the ones supported by the organisation. Often their reasons are not malicious and, instead, their desire stems from the need to enhance productivity and performance.
Procuring new tools and applications through normal enterprise IT channels can be a time-consuming process. And, as a result, employees will seek outside resources to accelerate new technology integrations. Based on this, it makes sense for enterprises to understand what staff are trying to accomplish and evaluate tools that accommodate their needs.
File sharing applications are a good example of a shadow IT technology found in many enterprises. While they may offer a useful service which enhances productivity, they are also ripe to deliver malicious payloads that can permeate a network infrastructure.
Instead of shutting down these types of applications, IT teams and employees should collaborate to find mutual ground so that appropriate tools can be identified and applied to the enterprise environment. There’s also the possibility to work with the technology vendors themselves to develop enterprise-level versions of that particular tool.
It’s important that IT professionals remain vigilant even though these tools may have some value. While many applications can seem beneficial and benign, the simple reality is that convenience can sometimes bring undesired outcomes or consequences.
For instance, the possibility of unauthorised access of IP, ransomware, lateral movement within a network and data exfiltration are very real and can be detrimental. Additionally, technologies that run without the IT department’s knowledge can negatively impact the user experience of other employees, either affecting bandwidth or creating situations in which software and network application protocols conflict.
As a result, Cloud Access Service Brokers (CASB) are gaining widespread adoption to tackle SaaS security challenges. Effectively a CASB is a software tool that sits between an organisation's on-premises infrastructure and a cloud provider's infrastructure.
Acting as a gatekeeper and allowing enterprises to extend the reach of their security policies beyond their own infrastructure. Like many other security tools, their ultimate effectiveness depends upon having the right expertise and resources, including 24/7 security monitoring and response to support these tools.
As shadow IT further complicates the ability to gain visibility and control of the applications that employees use every day, CASBs have quickly become a mandatory tool for addressing security risks to enterprise data and helping organisations to quickly mitigate the landscape. By utilising data and user behaviour analytics, CASBs are able to enforce security policies and monitor data access and usage across the entire network. Ultimately, this prevents unauthorised devices or suspicious users from accessing critical data and cloud services.
With much of the security responsibility now shifting to cloud vendors, including security architecture, implementation, testing, and vulnerability management. Now, more than ever, IT security teams must effectively secure all data residing outside of the network boundary. While these are inherently difficult competencies to measure from the ‘outside’, CASBs provide effective controls for all of these SaaS associated risks.
Managing the movement of sensitive data without compromising the user experience and enabling businesses to safely harness cloud applications – whether enterprise or employee led - without the threat of compromised data is the ultimate goal. So, rather than introducing ineffective security policies that blanket ban the use of personal devices and applications on the network, it’s time that businesses accept and prepare for the inevitable by embracing the reality of shadow IT.
For more info, go to Masergy.