An increasing number of enterprise activities take place in the cloud -- from payroll to projects, and from backups to business planning. The benefits of cloud-based computing are well-understood: cost savings, ease of setup, flexibility and mobility, to name a few.
However, it has created a challenging security problem that most organizations struggle to solve: shadow IT in the cloud. Shadow IT is hardware or software used by employees or teams that has not been authorized or approved by the IT department. It creates a situation in which corporate data is placed outside the protection provided by the organization's IT department and security controls, leaving administrators in the dark.
While it's unlikely that an HR department would set up a shadow, cloud-based payroll service, when it comes to collaboration services, employees will often spin up a new service for their latest task or project if the IT department is too slow to approve an account for the service, or they think there is a better one suited to their needs. Many online collaboration services offer a free tier that provides most of the essential features a small team needs to manage a project, share files and work from any device or location they choose. New employees may also take this route if they've never used the authorized app and don't want to lose time familiarizing themselves with its GUI.
Research from Everest Group estimated shadow IT comprises 50% or more of IT spending in large enterprises, while Gartner predicted in 2016 that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
How to reduce the threat of shadow IT in the cloud
There are many ways to address shadow IT in the cloud, but it takes a defense-in-depth approach to truly mitigate the problem.
Security awareness training should highlight the risks shadow IT in the cloud introduces to the organization. For example, a home-based email server will lack all the safeguards and physical protection of on-premises servers and may well be in breach of various legal and compliance requirements. When employees understand why they need to use only authorized apps, they are far more likely to comply, particularly if they are aware of the disciplinary consequences of noncompliance. There should also be an easy-to-follow procedure for departments, teams and individuals to request resources for new projects, or have alternative services assessed.
Relying on policy alone is not enough. Enterprises need to be able to track which services are being accessed and block access to those that aren't authorized or supported. Tools such as Microsoft Cloud App Security, Cloud Security Tools from Alpin, and CloudCodes' Shadow IT solution can discover the cloud applications users are accessing and block those that are not approved.
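The discovery step described above can be illustrated with a short added example; it is not code from any of the products named, and the log format, user names and domain names are constructed assumptions. It reads web proxy records, drops traffic to an approved-services allowlist, and ranks what remains by upload volume.

```python
from collections import defaultdict

# Assumed allowlist of approved SaaS domains (constructed names).
SANCTIONED = {"corp-collab.example", "payroll.example"}

# Constructed proxy log lines: timestamp user method host:port bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice CONNECT files.corp-collab.example:443 1200
2024-05-01T09:01:10Z bob CONNECT app.quickboards.test:443 48213
2024-05-01T09:02:45Z carol CONNECT app.quickboards.test:443 900
2024-05-01T09:03:00Z bob CONNECT notcorp-collab.example:443 77000
garbled-record
2024-05-01T09:05:30Z alice CONNECT PAYROLL.example:443 300
"""

def is_sanctioned(host, sanctioned):
    """True if host is an approved domain or a subdomain of one.

    Matching is on label boundaries, so 'notcorp-collab.example' does not
    pass as 'corp-collab.example'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def discover_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Return {host: {"users": set, "requests": int, "bytes_up": int}}."""
    found = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of failing the run
        _, user, _, target, size = parts
        host = target.rsplit(":", 1)[0].lower()  # strip the port
        if is_sanctioned(host, sanctioned):
            continue
        entry = found[host]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_up"] += int(size)
    return dict(found)

def report(found):
    """Rank unsanctioned services by bytes uploaded, highest first."""
    return sorted(found.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)

if __name__ == "__main__":
    for host, stats in report(discover_unsanctioned(SAMPLE_LOG)):
        print(host, sorted(stats["users"]), stats["requests"], stats["bytes_up"])
```

The per-service user list shows which teams to approach about an approved alternative before a block rule is applied.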
Another layer of security can be added by using data-centric security technologies that deliver tracking and access control in real time, such as Vera for files. It secures any type of digital content, no matter where it's stored, and enables users to revoke access even if it's already been copied, forwarded or shared online.
Organizations that suspect they are at risk from shadow IT in the cloud should declare an amnesty so employees can own up without fear of dismissal or other consequences. This will enable IT to bring the problem under control before bringing in new measures to stop it from spreading again. It also provides an opportunity to discover which services are popular among employees and to build a consensus on which ones best meet their needs and should be approved and used.