How to ensure that shadow IT doesn't put your data at risk in 2015

The spectre of shadow IT
The spectre of shadow IT

The prevalence of shadow IT is expected to increase this year, so if clamping down on and taking control of this phenomenon wasn't on your work-related new year's resolutions list, perhaps it should have been!

Shadow IT snuck into the spotlight in 2014 and according to research, it will only expand throughout 2015. Our January 2015 Cloud Report found that on average there are now 613 cloud apps in use within an organisation, up from 579 in Q3 2014. Many of these apps are business-critical, but the report shows that 88% are not enterprise-ready. Perhaps most worrying is the fact that the majority of cloud apps are unsanctioned – meaning that IT is totally in the dark about their use (that's shadow IT, for the uninitiated).

Cloud pain

Faced with these sort of challenges, it's hardly surprising that data breaches are on the rise. IT departments are battling to remain vigilant to seemingly invisible threats. Cloud apps are a pain point for three main reasons:

  • Businesses can't manage what they can't see, and unsanctioned cloud apps will remain invisible without careful inspection.
  • Cloud apps are accessed by a growing number of devices, and networks are consequently becoming increasingly amorphous.
  • Many cloud apps enable simple content sharing, making it easy to expose data and potentially sensitive information.

Five steps to heaven

So what can be done to tackle these issues? With careful planning, clever policy and staff coaching, it is possible to enjoy the productivity and convenience of cloud apps without the increased risk of data loss or theft.

Here are five practical steps organisations can take to improve their cloud app security stance.

1. Discover what enterprise cloud apps are in your environment and assess the risks they pose. First uncover what security, auditability, and business continuity capabilities those apps have. Then look to understand which employees are using them and explain your findings to users, educating them on the risks and possible effects. Do these apps offer encryption of data-at-rest, ensuring that data would be protected in the event of a breach?

Apps should also be checked for separation of tenant object stores in the cloud, so that if an adjacent tenant experiences a breach, you can be sure your data will remain secure. It's a good idea to make sure you have a backup and disaster recovery plan so that in the event that information is deleted or corrupted, the business will be operational again without delay.

2. Consolidate low-quality apps in one of the following ways: Create corporate policy and collaborate with users or lines-of-business to refine it. Coaching employees can lead to fewer risky behaviours, so publicise app ratings and usage data to convince stakeholders to migrate to more secure apps. Enforce policies to block risky app activity such as the "upload" or "share" functionality, and advise users to think before committing cloud security sins. Finally, and only if the app offers truly poor security and the risk is simply too great, block the app entirely. The crucial element here is to guide users towards preferable alternatives – if you close one road, you have to provide alternative directions so employees can still get the job done.

3. Understand the information housed in cloud apps. This means finding out what data employees are uploading to cloud apps, but also all data held in other apps. The answers will almost certainly surprise you. Think about customer or employee data sitting in files or database records, intellectual property such as software source code, confidential plans or product information, and non-public financial data – all of which will be out in the open if that unsecure cloud app is breached.

4. Gain visibility into how employees are using cloud apps. This means getting a picture of uploads, downloads, and sharing – but surely downloads are okay? Not necessarily, because this includes users downloading content from a vulnerable or known unsecure app which could contain a malicious entity, or unauthorised users downloading data from, for example, an HR app. IT departments can't spot suspicious or unusual behaviour without knowing what "normal" behaviour looks like, so make sure everyday patterns are observed and monitored for anomalous activity.

5. Mitigate risk through granular policy. Start with business-critical apps or those holding sensitive data and think about implementing the following policies: IT departments can allow the app, but set policy to block the upload of certain data (e.g. personally identifiable information). Or they can allow the app itself, but block the upload of sensitive data to low-quality apps or those without a certain level of security or specific features such as multi-factor authentication.

As a last resort, IT teams could also choose to block apps with known vulnerabilities. Communication with users is especially important in this last case to avoid frustration, but coaching on data policy for all users should be a critical part of an organisation's cloud app security stance.

Get started on these matters now, take things step-by-step, and with a bit of energy and a steady focus, 2015 could be your best year yet for cloud security.

  • Eduard Meelhuysen is VP EMEA at Netskope