It’s important to acknowledge that “shadow IT” shouldn’t be feared. We live in an era where individual SaaS vendors maintain an increasing amount of our corporate data. And for good reasons as these cloud-based services provide organizations with near-instant access to advanced capabilities that allow teams to remain a step ahead of their competition. Our goal as security professionals should be one of enablement, not curtailment. Therefore we need to approach shadow IT with a pragmatic view – how can we better support the business’ needs while keeping risk in check.
An effective strategy must confront two realities. First, most security operations lack the transparency needed to keep a close eye on an organization’s use of SaaS services. Simply put, you can’t control what you can’t see. That’s not to say you want to ransack the company in a search and destroy mission against rogue cloud-based users; that could very well lead to you disrupting business growth. But you may want to identify usage patterns that can be used to drive corporate-level adoption of specific services.
If these services benefit one group, they might benefit the entire company. Here’s where a next-generation firewall can play a very unique role.
Next-generation firewalls were designed to safely enable the applications that are critical to a business’ success, while blocking applications that bring unnecessary risk. To achieve this, next-generation firewalls were built to recognize thousands of unique applications, including those delivered over a SaaS-based model.
This not only brings visibility into which services shadow IT organizations are firing up, it can also be used as an effective means of establishing control. In some cases you might make the quick determination that a SaaS service simply introduces too much risk. A next-generation firewall provides the ability to enforce usage through both application and user-based policies. This provides the granular control needed to enable access for a single individual (your CEO who demands access to his Box account), a group (e.g. HR), or an entire company. Some organizations have tied these policies to compliance programs to ensure teams undergo basic usage training before they’re given access.
The second reality we need to confront is the one created through corporate Bring Your Own “X” policies. The combination of BYO “X”, an exceptionally mobile workforce, and an increasing array of cloud-based services has completely eroded our traditional perimeter. The new perimeter should be defined by two simple elements - our individual identity, and the data we have access to. This new perimeter can be protected through a careful orchestration between cloud-based applications, the applications that remain within the enterprise, and the devices that are being used to access those applications.
For your on-premise employees you can rely on the visibility and control gained through the next-generation firewall to reduce risk. This can be achieved by establishing more transparency across the organization, ensuring use of only accepted SaaS services.
The next-generation firewall can also be used as a segmentation gateway within a “Zero Trust” architecture as defined by Forrester. This helps prevent lateral movement of an adversary by establishing protected zones around sensitive data segments.
Once the sensitive data segments are defined, user and application based policies are set to ensure only the approved identities and their devices have access. This way if you’ve opened access to a particular team like HR, you can be assured that only HR will have access unless you change the policy.
For your off-premise, mobile employees there are three priorities to consider. These priorities are based on the simple premise that users should receive the same level of protections that are provided when inside the network. This begins with ensuring devices are safely enabled while simplifying deployment and setup. In doing so you can ensure proper settings are in place, such as strong passcodes and encryption.
Those employees need to also be protected from exploit and malware-based attacks just as they would if they were inside of the network.
Finally, you must be able to control both access to, and movement of the data. This means you need to control access by the application, by the user, and the user’s device state. Those data movement controls need to be extended to the device to ensure data stays within the accepted applications. This enhances your ability to apply better visibility and control to reduce risks.
When implemented properly these tools not only protect your users from cyber threats, they also provide needed transparency to reduce risks associated with shadow IT. These capabilities all exist today in tightly integrated solutions. It’s just a matter of stepping back and designing an architecture that meets your objectives while providing the business the freedom to innovate and adopt these latest SaaS-based services.