Tip

What to do when shadow IT risks move to the cloud

Who knows what evil lurks in the heart of IT? The Shadow knows ...

The reality of individuals or business units outsourcing their technology needs to the cloud without organizational approval or involvement from central IT departments is hitting enterprises hard. The value of innovations that shadow IT often brings to organizations is partially offset by the cloud security risks that come with it.


Shadow IT has been around for years, starting with Microsoft Access databases hiding on departmental PCs and making the leap to the Internet with Salesforce.com, Yahoo Mail, and on to Google Docs. Fast-forward to today: The widespread adoption of Workday, Concur, Dropbox and other Software as a Service (SaaS) applications means that both value and risk are spreading throughout organizations. It's time to get a handle on shadow IT the old-fashioned way: through discovery, monitoring and (lightly applied) interdiction.

Discovery

The first step to taking control of shadow IT is to deploy application-aware appliances inside your enterprise. It is crucial to understand the extent of the shadow IT challenge and, for the typical organization, it is large. Secure Web gateways (SWGs) and next-generation firewalls (NGFWs) provide basic functionality to identify the SaaS applications in use inside of an organization. Cloud-based SWGs can extend that reach to mobile users as well. These appliances typically match the URL to a maintained list of applications.

The SWG and NGFW operate under allow/deny decisions when connection requests are made. There are thousands of identified and classified Web applications available; through this step, the typical organization discovers many of them are in use, whether or not company policy allows it. Discovery is also the first stop for "cloud application control" systems, whose value is enhanced further through monitoring.

Monitoring

Some organizations may value the benefits of shadow IT applications and simply find ways to harness them in a framework that manages the IT risks. Newer security products in the cloud-application control market provide the opportunity to drive SaaS activity through a gateway. This SaaS monitoring approach allows the organization to review all of the traffic flowing through the gateway between multiple users and applications. Rather than the simple allow/deny decision of a firewall, these systems offer insight into the applications' full spectrum of capabilities. The systems collect data to monitor user activity across multiple applications as well as application usage across multiple users.
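The discovery and monitoring steps described above can be sketched against ordinary proxy logs. This is an added example, not code from the article or from any product it names; the catalog entries, the "sanctioned" flags, the log format and the log lines are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: domain suffix -> (application, sanctioned by central IT?)
APP_CATALOG = {
    "salesforce.com": ("Salesforce", True),
    "dropbox.com": ("Dropbox", False),
    "docs.google.com": ("Google Docs", False),
}

# Constructed proxy log: timestamp user method url bytes_out
SAMPLE_LOG = """\
2014-02-03T09:14:02Z alice POST https://www.dropbox.com/upload 482113
2014-02-03T09:15:40Z bob GET https://docs.google.com/document/d/abc 1822
2014-02-03T09:16:05Z alice GET https://na1.salesforce.com/home 911
2014-02-03T09:17:55Z carol POST https://dl.dropbox.com/u/1/put 90211
2014-02-03T09:18:10Z bob GET https://notdropbox.com/ 300
2014-02-03T09:19:31Z alice GET https://docs.google.com/spreadsheets/d/x 2200
"""

def classify(url):
    """Match the host to the catalog on a label boundary, longest suffix first."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix in sorted(APP_CATALOG, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return APP_CATALOG[suffix]
    return None

def discover(log_text):
    """Return (users and bytes per unsanctioned app, unsanctioned apps per user)."""
    by_app = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    by_user = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records
        _, user, _, url, size = parts
        hit = classify(url)
        if hit is None or hit[1]:
            continue  # uncatalogued or sanctioned
        by_app[hit[0]]["users"].add(user)
        by_app[hit[0]]["bytes_out"] += int(size)
        by_user[user].add(hit[0])
    return dict(by_app), dict(by_user)

if __name__ == "__main__":
    apps, users = discover(SAMPLE_LOG)
    for name, stats in sorted(apps.items()):
        print(name, sorted(stats["users"]), stats["bytes_out"])
```

Matching on a label boundary keeps a lookalike host such as notdropbox.com from being counted as the catalogued application.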

Architecturally, cloud-application control systems may be deployed on-premises as typical proxies (forward and reverse) or on span ports. But the real value lies in breadth of insight for mobile users as well. Cloud-based gateways provide that extra coverage by tying into single sign-on systems or managing service access through configuration of the application.

The benefits of cloud-security monitoring are manifold: Its tools can be used to address compliance concerns and aggregate logs for further analysis of usage, and they can apply machine learning techniques to identify malicious attacks and anomalous insider behavior.

Vendors on the shortlist (which is also the complete list) in this burgeoning arena include SkyHigh Networks, Adallom, Netskope, Imperva (Skyfence), Bitglass, Elastica and FireLayers.

Interdiction

The final step in corralling shadow IT is interdiction. The willingness of users to bypass traditional controls should concern security practitioners and force a review of the services provided. At this stage, it is useful to find more granular policies to enact. Applying more specific controls associated with, for example, geographic locations, device type in use, time of day, file types or functional activities is likely to provide better productivity (through fewer false positives) along with the sought-after reduction in IT risks.
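The difference between a blanket block and the granular controls described above can be shown with a small first-match policy evaluator. This is an added example, not the article's or any vendor's code; the rule format, field names, policies and labelled requests are constructed.

```python
from collections import namedtuple
from datetime import time

Request = namedtuple("Request", "app activity file_type device country at")

def matches(cond, req):
    """cond maps field -> scalar (equal), set (member) or (start, end) time window."""
    for field, want in cond.items():
        have = getattr(req, field)
        if isinstance(want, set):
            ok = have in want
        elif isinstance(want, tuple):
            ok = want[0] <= have <= want[1]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def decide(req, rules, default="block"):
    """First matching rule wins; anything unmatched falls to the default."""
    for cond, action in rules:
        if matches(cond, req):
            return action
    return default

# Constructed policies for one application
COARSE = [({"app": "Dropbox"}, "block")]
GRANULAR = [
    ({"app": "Dropbox", "activity": "share_external"}, "block"),
    ({"app": "Dropbox", "activity": "upload", "device": "unmanaged"}, "block"),
    ({"app": "Dropbox", "activity": "upload", "file_type": {"csv", "xlsx"}}, "block"),
    ({"app": "Dropbox", "country": {"US", "CA"}, "at": (time(7), time(19))}, "allow"),
]

# Constructed requests, each labelled risky (True) or benign (False)
SAMPLE = [
    (Request("Dropbox", "view", "pdf", "managed", "US", time(10, 30)), False),
    (Request("Dropbox", "upload", "png", "managed", "CA", time(14, 0)), False),
    (Request("Dropbox", "upload", "csv", "managed", "US", time(11, 0)), True),
    (Request("Dropbox", "upload", "png", "unmanaged", "US", time(9, 0)), True),
    (Request("Dropbox", "view", "pdf", "managed", "US", time(2, 15)), True),
]

def score(rules):
    """Return (benign requests blocked, risky requests allowed)."""
    fp = sum(1 for r, risky in SAMPLE if not risky and decide(r, rules) == "block")
    fn = sum(1 for r, risky in SAMPLE if risky and decide(r, rules) == "allow")
    return fp, fn
```

On this sample the blanket rule blocks both benign requests, while the granular rules block none of them and still stop every request labelled risky.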

The Shadow knows the true benefits of computing resources to an organization. It is important to acknowledge this driving force in the marketplace while creating an operating framework to appropriately manage the risks.

About the author:
Pete Lindstrom is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him via email at PeteLind@spiresecurity.com, on Twitter @SpireSec or on his website, www.spiresecurity.com.

This was first published in February 2014
