
What to do when shadow IT risks move to the cloud

Shadow IT isn't new, but now it's climbed into the cloud. Get a grip on it the old-fashioned way, with discovery, monitoring and interdiction.

Who knows what evil lurks in the heart of IT? The Shadow knows ...

The reality of individuals or business units outsourcing their technology needs to the cloud without organizational approval or involvement from central IT departments is hitting enterprises hard. The value of innovations that shadow IT often brings to organizations is partially offset by the cloud security risks that come with it.

Shadow IT has been around for years, starting with Microsoft Access databases hiding on departmental PCs and making the leap to the Internet with Salesforce.com, Yahoo Mail, and on to Google Docs. Fast-forward to today: The widespread adoption of Workday, Concur, Dropbox and other Software as a Service (SaaS) applications means that both value and risk are spreading throughout organizations. It's time to get a handle on shadow IT the old-fashioned way: through discovery, monitoring and (lightly applied) interdiction.


The first step to taking control of shadow IT is to deploy application-aware appliances inside your enterprise. It is crucial to understand the extent of the shadow IT challenge and, for the typical organization, it is large. Secure Web gateways (SWGs) and next-generation firewalls (NGFWs) provide basic functionality to identify the SaaS applications in use inside of an organization. Cloud-based SWGs can extend that reach to mobile users as well. These appliances typically match the URL to a maintained list of applications.


The SWG and NGFW operate under allow/deny decisions when connection requests are made. There are thousands of identified and classified Web applications available; through this step, the typical organization discovers many of them are in use, whether or not company policy allows it. Discovery is also the first stop for "cloud application control" systems, whose value is enhanced further through monitoring.
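The discovery step described above can be sketched over web proxy logs. This is an added example, not code from the article or from any vendor product; the catalog entries, the sanctioned flags, the log format and the log lines are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog (assumption): domain suffix -> (application, sanctioned?).
APP_CATALOG = {
    "salesforce.com": ("Salesforce", True),
    "workday.com": ("Workday", True),
    "dropbox.com": ("Dropbox", False),
    "docs.google.com": ("Google Docs", False),
}

# Constructed proxy log lines (assumed format): timestamp, user, method, URL.
SAMPLE_LOG = """\
2014-02-03T09:12:44Z alice GET https://www.dropbox.com/home
2014-02-03T09:13:02Z bob POST https://docs.google.com/document/d/1/edit
2014-02-03T09:15:10Z alice GET https://na1.salesforce.com/home
2014-02-03T09:20:31Z carol PUT https://dl.dropbox.com/upload
2014-02-03T09:21:00Z bob GET https://dropbox.com.example.net/login
2014-02-03T09:22:18Z carol GET https://wiki.corp.example/start
"""

def classify_host(host):
    """Return (app, sanctioned) for a host, or None if it is not in the catalog."""
    labels = host.lower().rstrip(".").split(".")
    # Match whole-label suffixes only, most specific first, so a lookalike
    # such as dropbox.com.example.net is not counted as Dropbox.
    for i in range(len(labels) - 1):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def discover(log_text):
    """Map each discovered application to its sanction status and user set."""
    found = defaultdict(lambda: {"sanctioned": None, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        _, user, _, url = parts
        host = urlsplit(url).hostname
        match = classify_host(host) if host else None
        if match:
            app, sanctioned = match
            found[app]["sanctioned"] = sanctioned
            found[app]["users"].add(user)
    return dict(found)

def unsanctioned(report):
    """Applications in use that policy does not allow, with their users."""
    return {app: sorted(v["users"]) for app, v in report.items() if not v["sanctioned"]}
```

Calling `unsanctioned(discover(SAMPLE_LOG))` lists each application in use against policy together with the users who reached it, which is the inventory the monitoring stage then builds on.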


Some organizations may value the benefits of shadow IT applications and simply find ways to harness them in a framework that manages the IT risks. Newer security products in the cloud-application control market provide the opportunity to drive SaaS activity through a gateway. This SaaS monitoring approach allows the organization to review all of the traffic flowing through the gateway between multiple users and applications. Rather than the simple allow/deny decision of a firewall, these systems offer insight into the applications' full spectrum of capabilities. The systems collect data to monitor user activity across multiple applications as well as application usage across multiple users.

Architecturally, cloud-application control systems may be deployed on-premises as typical proxies (forward and reverse) or on span ports. But the real value lies in breadth of insight for mobile users as well. Cloud-based gateways provide that extra coverage by tying into single sign-on systems or managing service access through configuration of the application.

The benefits of cloud-security monitoring are manifold: Its tools can be used to address compliance concerns and aggregate logs for further analysis of usage, and they can apply machine learning techniques to identify malicious attacks and anomalous insider behavior.

Vendors on the shortlist (which is also the complete list) in this burgeoning arena include SkyHigh Networks, Adallom, Netskope, Imperva (Skyfence), Bitglass, Elastica and FireLayers.


The final step in corralling shadow IT is interdiction. The willingness of users to bypass traditional controls should concern security practitioners and force a review of the services provided. At this stage, it is useful to find more granular policies to enact. Applying more specific controls associated with, for example, geographic locations, device type in use, time of day, file types or functional activities is likely to provide better productivity (through fewer false positives) along with the sought-after reduction in IT risks.
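The granular controls listed above (location, device type, time of day, file type, functional activity) can be expressed as ordered rules evaluated per request. This is an added example, not code from the article or any product; the `Request` and `Rule` types, the rule names, the policy contents and the default-allow fallback are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    app: str
    activity: str        # functional activity: view, download, upload, share
    country: str         # country code from a geo-IP lookup
    device: str          # "managed" or "unmanaged"
    at: time             # local time of the request
    file_type: str = ""

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "block"
    where: dict          # Request attribute -> set of matching values; absent = any
    hours: tuple = None  # optional (start, end) window; may wrap past midnight

    def matches(self, req):
        if any(getattr(req, attr) not in allowed for attr, allowed in self.where.items()):
            return False
        if self.hours is None:
            return True
        start, end = self.hours
        if start <= end:
            return start <= req.at < end
        return req.at >= start or req.at < end  # e.g. 20:00 to 06:00

# Constructed policy (hypothetical rules); the first matching rule wins.
POLICY = [
    Rule("unmanaged-upload", "block",
         {"app": {"Dropbox"}, "activity": {"upload"}, "device": {"unmanaged"}}),
    Rule("after-hours-export", "block",
         {"app": {"Salesforce"}, "activity": {"download"}, "file_type": {"csv"}},
         hours=(time(20), time(6))),
    Rule("share-from-home-country", "allow", {"activity": {"share"}, "country": {"US"}}),
    Rule("share-from-elsewhere", "block", {"activity": {"share"}}),
]

def decide(request, rules=POLICY, default="allow"):
    """Return (action, rule name); unmatched requests fall through to the default."""
    for rule in rules:
        if rule.matches(request):
            return rule.action, rule.name
    return default, "default"
```

Returning the rule name with each decision lets blocked requests be logged and reviewed, so rules that generate false positives can be narrowed.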

The Shadow knows the true benefits of computing resources to an organization. It is important to acknowledge this driving force in the marketplace while creating an operating framework to appropriately manage the risks.

About the author:
Pete Lindstrom is principal and vice president of research for Spire Security. He has held similar positions at Burton Group and Hurwitz Group. Lindstrom has also worked as a security architect for Wyeth Pharmaceuticals and as an IT auditor for Coopers and Lybrand and GMAC Mortgage. Contact him via email at [email protected], on Twitter @SpireSec or on his website, www.spiresecurity.com.

This was last published in February 2014
