Shadow IT is a never-ending challenge for IT professionals on the hunt for unauthorized applications and services running in their networks. While organizations can employ a variety of tools and practices to combat shadow IT, one of the most intriguing is using a cloud access security broker.
What is shadow IT?
Shadow IT is the unauthorized use and deployment of software and hardware that fall outside the policies and standards in use by an organization. Shadow IT examples range from rogue applications to files and data transmitted without proper security or encryption.
Shadow IT is sometimes fueled by users who decide they need or want to use an application they couldn't get from IT. The result is the creation of alternate IT groups operating separately from sanctioned IT activities.
Shadow IT security risks
Shadow IT exposes organizations to a variety of risks and vulnerabilities, including the following:
- Vulnerabilities that could result in data loss and other threats to data management and data integrity.
- Malicious code, such as viruses, which may infect internal networks.
- Unauthorized access to data, which could prevent data administrators from doing their jobs.
- Unauthorized changes to data that should have otherwise been prevented.
- Haphazard patch management, in which software that may have errors or other problems does not receive patches and other updates.
- Potential compliance issues, especially for regulated organizations that may be subject to fines and litigation.
- Systems not checked or validated by the IT department, which could create negative consequences for the business.
- Cybersecurity risks -- among them ransomware and other threats -- introduced through remote access.
Enter the cloud access security broker
One way to prevent shadow IT -- particularly when fueled by access to cloud-based SaaS resources -- is to screen data traffic generated by users. Many products and services examine data traffic to discover questionable code, but for large organizations that move trillions of bytes of data every day, a cloud access security broker (CASB) is a useful option.
Think of a CASB as a set of powerful eyes that monitor traffic based on internal rules and policies. CASBs can be deployed via the cloud or within the organization's data center. They are available from major cloud providers, including AWS, Microsoft and Google, as well as from MSPs.
CASBs protect data sent to the cloud by first analyzing the log data collected by firewalls and gateways. If the CASB determines the data is sufficiently secure and protected, it is routed to its destination. The same process takes place for data generated by a cloud resource that is headed to a user.
Why use a CASB for shadow IT?
CASBs are well suited to identify shadow IT. They not only highlight suspicious activities, but also offer tools that can mitigate threats before widespread damage can occur. They also help ensure compliance with relevant regulations and standards. A CASB, along with other resources -- among them a SIEM tool -- can also discover and identify activities that frequently underpin shadow IT. For example, a suitably configured CASB may be able to spot situations where user data is being exfiltrated from the IT infrastructure.
Once a risk is identified, policies within the CASB can control further movement of data or applications. CASB monitoring services, meanwhile, make it even easier to spot the presence of shadow IT.
Using a CASB to manage shadow IT offers an additional layer of security to cloud-based services -- both authorized and unauthorized. CASBs provide organizations with a clear view of what is happening with cloud services and applications, enabling companies to spot suspicious activity -- including shadow IT -- before significant damage occurs.
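The log-based discovery described above, as an added example (not from the original article or from any CASB product): it totals uploads per user and destination from a gateway log export and flags destinations outside an approved list. The log columns, the `SANCTIONED` list, the upload threshold and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a gateway/proxy log export; the column names are assumed.
SAMPLE_LOG = """user,host,bytes_out
alice,mail.sanctioned-suite.example,12000
bob,files.unknown-share.example,400000000
bob,files.unknown-share.example,350000000
carol,crm.example.files-drop.example,2048
dave,CRM.example,9000
erin,notes.unlisted-app.example,not-a-number
"""

SANCTIONED = {"sanctioned-suite.example", "crm.example"}  # assumed approved SaaS domains
UPLOAD_THRESHOLD = 500_000_000  # assumed per-user, per-destination upload limit (bytes)


def is_sanctioned(host):
    """Match on whole DNS labels so look-alike hosts do not pass as approved."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def discover_shadow_it(log_text):
    """Return (user, host, bytes_out, reason) for each unsanctioned destination."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        host = (row.get("host") or "").strip().lower()
        if not host:
            continue  # no destination recorded, nothing to classify
        try:
            sent = int(row.get("bytes_out") or "")
        except ValueError:
            sent = 0  # unreadable byte count: still report the destination
        totals[(row.get("user") or "unknown", host)] += sent
    findings = []
    for (user, host), sent in sorted(totals.items()):
        if is_sanctioned(host):
            continue
        reason = "unsanctioned app"
        if sent >= UPLOAD_THRESHOLD:
            reason += ", large upload"  # possible exfiltration; route to review
        findings.append((user, host, sent, reason))
    return findings


if __name__ == "__main__":
    for finding in discover_shadow_it(SAMPLE_LOG):
        print(finding)
```

The `carol` row shows why the allow-list match is done on label boundaries: a host that merely begins with an approved domain name is still reported.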
How to select a CASB
While it is not difficult to set up a CASB, organizations must lay the groundwork carefully. Consider the following areas:
- Specific requirements for deploying a CASB, for example, searching for shadow IT.
- Cloud vendor-supplied CASB or third-party option.
- Compatibility with existing network services.
- Compatibility with existing cloud service vendors.
- Location of the CASB, for example, in a data center or in the cloud.
- CASB deployment, for example, a proxy or API CASB.
- A feature set that includes powerful discovery, analysis, monitoring, risk evaluation and identification of suspicious data.
- Extensive library of rules, policies and compliance evaluations.
- User flexibility in modifying rules and policies.
- User management versus vendor management.
- Ease of installation and deployment.
- Use of dashboards and types of reports provided.
- Fees and other service costs.
CASBs let organizations add another powerful layer of security for cloud-based activities. They can be especially useful in detecting suspicious activity that may, in fact, be shadow IT.