Who's Afraid of Shadow IT?

One of the biggest disruptions in the IT world is the quantity and quality of SaaS tools. From email, office applications, and storage, to source control, phone systems, and infrastructure, it has never been easier to use the best-in-breed products and scale when your business does. As empowering as these tools are, there is a risk to adopting SaaS that might not be immediately apparent. Shadow IT is any system or service used inside of a company without explicit approval and deployed using non-IT resources. It was born out of business necessity - the need to be agile and adapt to change. The Shadow IT movement is here, and it isn't going anywhere any time soon.

How Did We Get Here?

SaaS tools have steadily become more professional and reliable. They usually have a mobile-first approach that gives them the ultimate flexibility of using the product on a phone, tablet, or laptop. Businesses have been more relaxed on BYOD, allowing employees to do company work on any device, which has fueled the adoption of unauthorized IT systems. Add in the perception of IT as a "blocker" and you can see why it's easier for an employee to sign up for a service to fill a business need than to go through IT.

How to Detect Shadow IT

Detecting Shadow IT can be difficult, but communication can go a long way in getting employees and departments to voluntarily disclose their unsanctioned use of cloud products. One key is to understand company processes; this will often reveal the cloud services in use. Additionally, you may need to employ education and even amnesty, as some departments may not even know that what they're doing is risky.

The other techniques for discovering the extent of your Shadow IT problem are technical in nature. You can approach discovery from the cloud itself by using a Cloud Access Security Broker (CASB) that provides app discovery. App discovery is also an available feature in some layer-7-aware networking equipment. Finally, you could implement tools like ntop for web traffic analysis, focusing on usage patterns to reveal which cloud services are actually in use.
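One way to apply the usage-pattern approach described above, as an added example that is not part of the original post: a short Python pass over constructed web-proxy log lines that maps destination hosts to a small assumed app catalogue, drops services on an assumed sanctioned list, and reports who is using the rest and how much data they send. In practice the catalogue would come from a CASB or the proxy vendor rather than a hand-written dictionary.

```python
# Added example (not from the post): flag unsanctioned SaaS use from proxy logs.
# The log lines, app catalogue and sanctioned list below are constructed assumptions.
from collections import defaultdict
import re

# Constructed proxy log: timestamp user department destination-host bytes-sent
PROXY_LOG = """\
2015-06-01T09:01:12Z alice finance app.box.com 20480
2015-06-01T09:03:44Z bob eng api.dropbox.com 5242880
2015-06-01T09:05:02Z alice finance www.dropbox.com 1048576
2015-06-01T10:15:30Z carol sales outlook.office365.com 4096
2015-06-01T10:20:11Z bob eng api.dropbox.com 7340032
2015-06-01T11:40:58Z carol sales wetransfer.com 104857600
garbage line that should be skipped
"""

# Assumed app catalogue (a CASB would supply a far larger one): host suffix -> service.
APP_CATALOG = {"dropbox.com": "Dropbox", "box.com": "Box",
               "office365.com": "Office 365", "wetransfer.com": "WeTransfer"}
# Assumed list of services IT has approved and manages.
SANCTIONED = {"Office 365"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify(host):
    """Map a hostname to a catalogue service, or None if it is not a known SaaS host."""
    for suffix, service in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def find_shadow_it(log_text):
    """Per unsanctioned service: which users and departments use it and how much they send."""
    report = defaultdict(lambda: {"users": set(), "departments": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole pass
        _ts, user, dept, host, sent = m.groups()
        service = classify(host)
        if service is None or service in SANCTIONED:
            continue  # unknown host, or an approved service: not shadow IT
        report[service]["users"].add(user)
        report[service]["departments"].add(dept)
        report[service]["bytes"] += int(sent)
    return dict(report)


for name, e in sorted(find_shadow_it(PROXY_LOG).items(), key=lambda kv: -kv[1]["bytes"]):
    print(f"{name}: {len(e['users'])} users in {sorted(e['departments'])}, {e['bytes'] // 1024} KiB sent")
```

Sorting by bytes sent surfaces the bulk-transfer services first, which is usually where the data-leakage risk sits.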

While discovery is important, it may take some time to migrate users and departments to sanctioned cloud services, if it can happen at all. But by knowing which products are in use, you can at least implement policies to mitigate risk. There are CASB providers, like Adallom, that specialize in providing very granular controls over business SaaS applications, with tools such as anomalous behavior detection, permissions management, and more. Risk can also be mitigated by monitoring endpoint security compliance. OPSWAT Gears is able to monitor or manage everything on the endpoint, from the state of the installed antivirus to whether or not the operating system is fully patched. Because Gears works no matter where endpoints are located or how they are connected, it can be integrated with a CASB like Adallom for policy enforcement. This is similar to how NAC and SSL VPN have traditionally been used to secure intranet resources.

Finding the Best Cloud Technologies

At OPSWAT, we embrace judicious use of cloud technologies. Not all tools are created equal, so we usually run evaluation bake-offs in which development and operations weigh in on the merits of each tool. It may be hard to let go of control of the systems and embrace the change, but SaaS companies are built to scale, and they are the experts in their particular service and the most forward-thinking about their own offering.

In my role as the Director of Cloud Operations, I often work with one of our development managers. We are constantly discussing new cloud offerings and tools in order to find a solution that will make things easier for our Development and DevOps teams. During one of our standing meetings, it came up that he wanted to do an analysis of thousands of files totaling around a terabyte of flat file logs. I started to think about the Hadoop cluster I would have to set up: creating instances on my VMware cluster, giving him enough storage to work with, and standing up a reporting server for him. This was a pretty sizable undertaking, but knowing that this was a one-off research assignment, we instead used Amazon's Elastic MapReduce. It took about a day to write the script to build out the proof of concept, get our results, and tear it down, all for only $16.

Managing Popular Shadow IT Tools

Dropbox has to be one of the most widely used Shadow IT tools among employees. It provides a convenient way to transfer files back and forth and doesn't require anyone with a strong IT background to set it up. Despite these benefits, it might not be set up with security or accountability in mind. Some companies take a draconian approach to Dropbox by whitelisting and blacklisting services like it, but maybe it's time to ask yourself: why are your employees circumventing the company's file share? Is the quota too limiting? Is the file server out of space? Is it slow, unreliable, or maybe difficult to reach? Dropbox does offer a business account with audit trails, account transfers, and encryption. It could very easily be made official and embraced by the organization if set up properly.

Along with Dropbox, there are other products that provide a secure way to transfer files. File transfers need to be handled properly, especially if your organization needs to meet certain regulatory requirements such as those enforced by HIPAA, the SEC and the FEC.

Understanding Safe SaaS Practices

Sometimes we become a bit myopic about answering the company's needs with services we have previously set up and still maintain, so we end up not checking whether those needs have changed.

SaaS has changed the way businesses operate and has made it faster and easier to get the tools they need without being blocked by business processes. Companies just need to be aware of the decisions they are making by using services that are not managed or maintained by their IT department. There are mistakes that can be made along the way when setting up cloud services, and risk and compliance should always be kept in mind when venturing into the cloud.

Tips for Practicing Safe SaaS:

  • If using cloud services for production purposes, always separate internal company data from your customer data. Always apply the principle of least privilege and do not mix development data with production data.
  • Make IT accounts that have access to the cloud for auditing purposes.
  • Design for failure. If the service becomes unavailable, can your business operate without it? Plan for a contingency.
  • Your risk exposure goes up when using the cloud. Make sure you understand how the third party protects your data when it is housed alongside other companies' data.
  • Tidy up. If you are using cloud services for business, it means your company space has been extended to the cloud. Reduce your attack surface and remove data and systems that are no longer being used. This will help conserve costs and reduce your risk exposure in case of a breach.
  • SaaS products usually have a disaster recovery plan, but you should still investigate what would happen if you have a data integrity issue. What steps would you need to take to replace the data or recover?
  • Always create individual accounts and assign permissions to groups. If individual passwords are not an option, then make sure you share those passwords using a password manager and do not share them in a document or email.
  • Establish acceptable use policies. Define what fair use is and what should never be done.
  • Ensure BYOD policies are not compounding your risk by using products like Gears to monitor compliance.
  • Set network restrictions to block unauthorized SaaS products.
  • Employ a CASB to discover SaaS products used within the organization.

If you are the IT department for your company, partner with some business sponsors. Ask them what problem they are trying to solve with SaaS and show them you want to help. Shadow IT discovery is extremely difficult without talking to employees. SaaS innovation is happening at a rapid pace. Do not persecute users for practicing Shadow IT. Instead, understand what made them want to use these products. Educate them on the risks and determine whether controls can be put in place to protect the business from those risks.

If you are the business partner, involve your IT team in the problem you are trying to solve. Invite them into the decision process. By combining their unique viewpoint with your own, you can help the company make the right decision.
