Who’s afraid of shadow IT?
One of the biggest disruptions in the IT world is the quantity and quality of SaaS tools. From email and storage to phone systems and infrastructure, it has never been easier to use top-of-the-range products and scale them as your business grows. As empowering as these tools are, there is a risk to adopting SaaS that might not be immediately apparent.
Shadow IT is any system or service used inside a company without explicit approval and deployed using non-IT resources. It was born out of business necessity – the need to be agile and adapt to change. The shadow IT movement is here, and it isn't going anywhere any time soon.
How did we get here?
SaaS tools have steadily become more professional and reliable. They usually take a mobile-first approach that gives users the flexibility to use the product on a phone, tablet, or laptop. Businesses have become more relaxed about BYOD, allowing employees to do company work on any device, which has fueled the adoption of unauthorized IT systems.
How to detect shadow IT
Detecting shadow IT can be difficult, but communication goes a long way toward getting employees and departments to voluntarily disclose their unsanctioned use of cloud products. One key is to understand company processes; this will often reveal the cloud services in use. Additionally, you may need to invest in education, since some departments do not realize that what they are doing is risky.
Other techniques for discovering the extent of your shadow IT problem are technical in nature. You can approach discovery from the cloud itself by using a Cloud Access Security Broker (CASB) that provides app discovery. App discovery is also available in some layer-7-aware networking equipment. You could also implement web traffic analysis tooling that focuses on usage patterns, such as which users send data to which external services and how much.
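The web traffic analysis approach above, as an added example that is not from the article: a small Python script that reads proxy log lines, compares each destination against an IT-approved allow-list and a catalogue of known SaaS hosts, and aggregates how much data each user sends to unsanctioned services. The log format, the allow-list, the SaaS catalogue and the sample log lines are all constructed for this illustration; in practice the catalogue would come from a CASB or a commercial feed.

```python
"""Added example (not from the article): flag unsanctioned SaaS usage in
web proxy logs by comparing observed destinations to an allow-list.

The log format, the sanctioned-service list, the SaaS catalogue and the
sample lines are constructed for illustration."""
from collections import defaultdict
import re

# Assumed proxy log format (constructed): timestamp user dest_host bytes_out
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

# Services IT has approved (hypothetical allow-list). Slack is included to
# show that a service made official simply stops appearing in the report.
SANCTIONED = {"mail.example.com", "fileshare.example.com", "slack.com"}

# Catalogue of known SaaS domains mapped to a category (constructed).
SAAS_CATALOGUE = {
    "dropbox.com": "file sharing",
    "wetransfer.com": "file sharing",
    "trello.com": "project management",
    "slack.com": "messaging",
}

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice www.dropbox.com 5242880
2024-05-01T09:13:10Z alice fileshare.example.com 1048576
2024-05-01T09:15:44Z bob app.slack.com 20480
2024-05-01T10:02:17Z bob wetransfer.com 104857600
2024-05-01T10:05:00Z carol trello.com 4096
2024-05-01T10:05:30Z carol unknown-site.example.net 512
not a log line
"""


def _under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, user, host, nbytes = m.groups()
    return {"ts": ts, "user": user, "host": host.lower(), "bytes": int(nbytes)}


def classify_host(host):
    """Return (category, sanctioned) for a host, or None if it is not a
    known SaaS host. The allow-list is checked first so an approved
    service is never reported as shadow IT."""
    host = host.lower()
    if any(_under(host, d) for d in SANCTIONED):
        return "sanctioned", True
    for domain, category in SAAS_CATALOGUE.items():
        if _under(host, domain):
            return category, False
    return None


def shadow_it_report(lines, min_bytes=0):
    """Aggregate bytes sent per (user, host) to unsanctioned SaaS services.

    min_bytes drops low-volume entries so large transfers stand out."""
    totals = defaultdict(int)
    categories = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cls = classify_host(rec["host"])
        if cls is None or cls[1]:
            continue  # unknown destination, or an approved service
        key = (rec["user"], rec["host"])
        totals[key] += rec["bytes"]
        categories[key] = cls[0]
    return {
        key: {"category": categories[key], "bytes": total}
        for key, total in totals.items()
        if total >= min_bytes
    }


if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_LOG.splitlines(), min_bytes=1_000_000)
    for (user, host), info in sorted(report.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{user:8} {host:28} {info['category']:20} {info['bytes']:>12} bytes")
```

Running the script lists the users and hosts with more than roughly 1 MB sent to unsanctioned services; the threshold is the "usage pattern" knob, since a handful of bytes to a project-management tool is a different conversation from a 100 MB upload to a file-sharing site. Matching on domain suffix rather than exact host is what makes `www.dropbox.com` and `app.slack.com` land in the right bucket.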
Discovery is only the first step, and migrating users and departments to sanctioned cloud services may take some time. Still, once you know which products are in use, you can implement policies to mitigate risk. There are CASB providers who specialize in providing very granular controls over business SaaS applications, with tools such as anomalous behavior detection, permissions management, and more. Risk can also be mitigated by monitoring endpoint security compliance, using programs that can manage everything on the endpoint, from the state of the installed antivirus to whether or not the operating system is fully patched.
Managing popular shadow IT tools
Dropbox is one of the most popular shadow IT tools used by employees, providing a convenient way to transfer files back and forth. Despite these benefits, it may not be set up with security or accountability in mind. Some companies take a draconian approach and blacklist services like this, but maybe it's time to ask why employees are circumventing the company's file share. Is the file server out of space? Is it slow, unreliable, or maybe difficult to reach? Dropbox does offer a business account with audit trails, account transfers, and encryption. It could very easily be made official and embraced by the organization if done properly.
File transfers need to be handled properly, especially if your organization needs to meet certain regulatory requirements such as those enforced by HIPAA, the SEC and the FEC.
Understanding safe SaaS practices
SaaS has changed the way businesses operate and has made it faster and easier to get the tools needed without being blocked by business processes. Companies just need to be aware of the decisions they are making when they use services that are not managed by their IT department. There are mistakes that can be made when setting up cloud services, and risk and compliance should always be kept in mind when venturing into the cloud.
Tips for practicing safe SaaS
If you use cloud services for production purposes, always separate internal company data from your customer data. Always apply the principle of least privilege, and do not mix development data with production data.
- Create IT-owned accounts with access to the cloud service for auditing purposes.
- Design for failure and plan for contingency. If the service becomes unavailable, can your business operate without it?
- Risk exposure goes up when using the cloud. Make sure you understand how the third party protects your data when it is housed alongside other companies' data.
- Tidy up. If you are using cloud services for business, it means your company space has been extended to the cloud. Reduce your attack surface and remove data and systems that are no longer being used. This will help conserve costs and reduce your risk exposure in case of a breach.
- SaaS products usually have a disaster recovery plan, but you should still investigate what would happen if you have a data integrity issue. What steps would you need to take to replace the data or recover?
- Always create individual accounts and assign permissions to groups. If individual passwords are not an option, then make sure you share those passwords using a password manager, and never in a document or email.
- Establish acceptable use policies. Define what fair use is and what should never be done.
- Ensure BYOD policies are not compounding your risk, and monitor compliance.
- Set network restrictions to block unauthorized SaaS products.
- Employ a CASB to discover SaaS products used within an organization.
If you are the IT department for your company, try asking business sponsors what problem they are trying to solve with SaaS and show them you want to help. Shadow IT discovery is extremely difficult without talking to employees. Do not persecute users who resort to shadow IT. Instead, understand what made them want to use these products. Educate them on the risks and determine whether controls can be put in place to protect the business.
If you are the business partner, involve your IT team with the problem you are trying to solve. Invite them into the decision process. By combining their unique viewpoint with your own, you can help the company make the right decision.