
How Cloud App Visibility Helps Wrangle Shadow IT

What Does an Organization Need to do to Get Shadow IT Under Control?

Shadow IT and sanctioned cloud apps are gaining ground in the enterprise. At last count, employees at enterprise-class organizations were using 841 different apps on average, according to Blue Coat Elastica Cloud Threat Labs. It would seem that these days the only thing growing as quickly as the proliferation of cloud apps is the set of security and compliance issues accompanying them. For companies that adopt cloud apps faster than they apply effective security, there are dangerous implications, but the risks associated with cloud app use can be mitigated with technologies available today: CASB gateways, CASB cloud app API integration, and secure web gateways.

Cloud Apps and Shadow IT

As we’ve seen, cloud apps are already an essential part of business in our digital and connected age. SaaS adoption is fast and only accelerating, and many in the executive suite view it as the #1 disruptive technology currently at play in the enterprise. The benefits of cloud apps are many. Compared to the older client-server model of actual software licenses and installations, cloud apps are very cost effective, offer far easier remote access, spin up and adapt very quickly, and can improve both productivity and collaboration.

As many of us in the security industry already know, the presence of Shadow IT can wreak havoc on compliance. When data is going through third-party SaaS applications, for instance, it’s important to understand what security risks those applications pose and whether those risks fall within the guidelines accepted by the relevant compliance standards. These, in many cases, include SOX, PCI-DSS, HIPAA and COBIT, among others.

Compliance is but one example of where Shadow IT can cause problems. We’re now in an environment with a great deal of cloud app adoption, oftentimes with executive sponsorship. But the problem for IT security and risk professionals is that they often have no way of actually knowing which cloud apps are running on their infrastructure and which employees are using them. Security teams many times just don’t have the tools to monitor and control any of these cloud apps — and that’s a big and at times very costly problem.

So what does an organization need to do to wrangle Shadow IT and get it under control?

Here are four steps you need to take to solve this problem.

1. Visibility. As I’ve stated above, you need to know which cloud apps are being used. You will need an audit solution such as the Blue Coat Elastica Audit. By taking logs from proxies, firewalls and other appliances on the network, an audit solution will generate a report detailing all the different cloud apps running on your infrastructure and the users associated with each. A good audit solution will also provide you with the characteristics of those apps. Once this is in place, you’ve gone from having no information whatsoever to knowing exactly which cloud apps are being used in your organization — it’s now no longer Shadow IT. These characteristics are very important to know: what risks are associated with these apps, and how do you evaluate each of them across a myriad of different attributes? Ultimately, you want to be able to assign an app some sort of rating: the higher the number, for instance, the less risk it carries and the more business-ready it is. You also want a solution that allows you to set varying levels of characteristics and attributes, such as multifactor authentication, compliance and encryption requirements, among others.

2. Analysis. Here you really need to dive in and explore exactly what the risks are for the apps you identified in step 1 above. What precisely makes these apps risky? Do they meet the various compliance requirements? Have you addressed data sovereignty? A quality audit solution will be able to provide an extremely detailed report with all the information needed to undertake the next step.

3. Decision making. OK, you’ve gained visibility, analyzed, and now you’re ready to decide which apps can remain in your environment and which must be shut down. You now have the information to decide which apps you’ll monitor, which will be completely green-lighted and which must be banished to protect your organization. Ideally, you’ll also want an audit solution that allows you to perform a comparative analysis, side by side, of alternative apps to find the one(s) with a lower risk profile. An added bonus is that the decision-making step also can enable cost cutting by consolidating multiple accounts used by different departments within the same organization or by eliminating access to non-sanctioned apps.

4. Enforce controls. This is the step where you really dial things in and control cloud app activities as they happen. You’ll want to set your policies based on the audit solution’s feed and also be able to set those cloud app policies on your proxy. To accomplish this, you will also need the detailed characteristics of those apps — business readiness ratings, risk attributes and the like — fed through the network to your proxy.
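As an added illustration of the four steps above (this is example code written for this page, not the Blue Coat Elastica Audit or any other product's code), the following script ingests a few constructed proxy log lines, builds an inventory of catalogued cloud apps and their users (visibility), scores each app on attributes such as MFA, encryption and compliance coverage (analysis), maps the score to a sanction/monitor/block decision (decision making), and renders per-host proxy rules (enforcement). The app catalogue, log format, attribute values, scoring weights, thresholds and rule syntax are all assumptions made for the example.

```python
"""Toy shadow-IT audit pipeline: log -> inventory -> score -> decision -> proxy rules.

Added example; the catalogue, log lines, weights, thresholds and rule format
are all constructed for illustration and do not come from any real product.
"""
import re
from collections import defaultdict

# Constructed catalogue keyed by app host, with the kinds of attributes an audit
# feed might supply. Every value here is made up.
APP_CATALOG = {
    "files.example-share.com": {"name": "ExampleShare", "mfa": True,
                                "encryption_at_rest": True,
                                "compliance": {"SOC2", "HIPAA"}, "data_region": "EU"},
    "notes.quicknote.example": {"name": "QuickNote", "mfa": False,
                                "encryption_at_rest": False,
                                "compliance": set(), "data_region": "unknown"},
    "crm.example-crm.com":     {"name": "ExampleCRM", "mfa": True,
                                "encryption_at_rest": False,
                                "compliance": {"SOC2", "PCI-DSS"}, "data_region": "US"},
}

# Regions where data may reside under the (assumed) data sovereignty policy.
ALLOWED_REGIONS = {"EU", "US"}

# Constructed proxy log: timestamp user client_ip method host bytes_sent
SAMPLE_PROXY_LOG = """\
2016-04-01T09:12:03Z alice 10.1.2.3 POST files.example-share.com 52311
2016-04-01T09:13:44Z bob 10.1.2.7 GET notes.quicknote.example 1204
2016-04-01T09:15:10Z alice 10.1.2.3 POST notes.quicknote.example 88021
2016-04-01T09:16:20Z carol 10.1.2.9 GET crm.example-crm.com 3310
2016-04-01T09:17:02Z dave 10.1.2.11 GET www.example.org 800
this line is malformed and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def discover_apps(log_text):
    """Step 1 (visibility): which catalogued apps appear in the log, and who uses them."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole audit
        host = m.group("host")
        if host not in APP_CATALOG:
            continue  # unknown host; a real audit would queue it for classification
        entry = inventory[host]
        entry["users"].add(m.group("user"))
        entry["requests"] += 1
        if m.group("method") in ("POST", "PUT"):
            entry["bytes_out"] += int(m.group("bytes"))  # rough upload volume
    return dict(inventory)


def business_readiness(attrs, required_compliance):
    """Step 2 (analysis): 0-100 rating, higher means lower risk. Weights are assumed."""
    score = 0
    if attrs["mfa"]:
        score += 30
    if attrs["encryption_at_rest"]:
        score += 30
    if required_compliance <= attrs["compliance"]:  # app covers every required standard
        score += 30
    if attrs["data_region"] in ALLOWED_REGIONS:
        score += 10
    return score


def decide(score):
    """Step 3 (decision): thresholds are assumed; tune them to your risk appetite."""
    if score >= 80:
        return "sanction"
    if score >= 50:
        return "monitor"
    return "block"


def build_proxy_policy(inventory, required_compliance):
    """Step 4 (enforcement): attach rating, decision and users to each discovered host."""
    policy = {}
    for host, entry in inventory.items():
        attrs = APP_CATALOG[host]
        score = business_readiness(attrs, required_compliance)
        policy[host] = {"app": attrs["name"], "score": score, "action": decide(score),
                        "users": sorted(entry["users"]), "bytes_out": entry["bytes_out"]}
    return policy


def render_policy(policy):
    """Emit one rule per host in a constructed, proxy-agnostic rule syntax."""
    actions = {"block": "deny  host={h}", "monitor": "allow host={h} log=full",
               "sanction": "allow host={h}"}
    lines = []
    for host, p in sorted(policy.items()):
        rule = actions[p["action"]].format(h=host)
        lines.append(f"{rule}  # {p['app']} score={p['score']} users={','.join(p['users'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = discover_apps(SAMPLE_PROXY_LOG)
    print(render_policy(build_proxy_policy(inv, required_compliance={"SOC2"})))
```

With the constructed data, ExampleShare scores 100 and is sanctioned, ExampleCRM scores 70 (no encryption at rest) and is allowed with full logging, and QuickNote scores 0 and is denied; the inventory also shows that alice uploaded about 88 KB to the unsanctioned app, which is the kind of finding the decision step needs. The rule text is deliberately generic, since the real enforcement point is whatever policy language your proxy or CASB accepts.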

Of course, it’d be great if this were all you needed to do. But there’s one final step that I didn’t include above because it’s something that will always be ongoing: continuous monitoring. This whole process doesn’t come to an end once you’ve completed the four steps above. You’ll need to keep monitoring because cloud apps change all the time: they are updated, their risk ratings rise or fall, and new functions need to be properly vetted, among a host of other always-changing variables.

The steps I’ve outlined above are a great way to get your arms around the big issues of Shadow IT today. The cloud is here to stay, and so long as employees use cloud apps from within an organization’s firewall, we’ll always have to wrangle with Shadow IT, Shadow Data and the attendant problems and risks. Because of this, you’ll need an integrated visibility and control solution that provides the integrated CASB and proxy capabilities listed above.

Aditya K. Sood (Ph.D.) is director of Security and Elastica Cloud Threat Labs at Blue Coat Elastica, now part of Symantec. Dr. Sood has research interests in malware automation and analysis, application security, secure software design and cybercrime. He has worked on a number of projects pertaining to penetration testing, specializing in product/appliance security, networks, mobile and web applications, while serving Fortune 500 clients for IOActive, KPMG and others. He is also a founder of SecNiche Security Labs, an independent web portal for sharing research with the security community. Dr. Sood obtained his Ph.D. from Michigan State University in Computer Sciences.