Shadow IT and Shadow Data keeping the CISO up at night
Damien Manuel
The very thought of it is enough to keep CISOs up at night. All across your company, in every department, employees are using apps that you haven’t tested, secured or sanctioned.
As workers become ever-increasingly IT-savvy and the number of cloud-based, often-free solutions to their specific problems become available, more and more of them are bypassing the IT department for a quick fix.
As cloud applications become easily accessible at low cost, employees who seek to be as efficient, productive and collaborative as possible are able to easily make technology decisions without consulting IT. Compounding the problem, is that outsourced and managed service providers can often slow the pace of technology adoption, further prompting business units and employees to seek solutions outside of IT control. Welcome to the age of decentralised IT.
It’s little surprise that employees are taking things into their own hands and using their own department budgets to find solutions to work processes in the cloud quickly and easily. A 2015 survey of UK CIOs from enterprises with over 1,000 employees, found that 60 per cent said there was an increasing culture of Shadow IT in their organisations. Some 84 per cent are worried that cloud is causing them to lose control over IT.
So where does that leave CIO, CTOs and IT directors with regard to ensuring a secure environment? And how can you secure all the company and customer data that is sitting on third-party servers or moved between various third party providers / suppliers?
Clearly, the solution cannot be simply trying to stamp out Shadow IT. It’s no use reprimanding those that use it, relegating the strategic function of the IT department to that of stern schoolmaster. Frankly, it’s also far too late for that.
Moving to a cloud-based solution means that sensitive data now moves between the enterprise and the cloud. The use of unsanctioned cloud applications has created an intensified risk of internal/external data exposure, malware attacks from suspicious cloud providers and the problematic visibility and security issues caused by Shadow IT spinning out of control.
CIOs are now required to manage demands from business units for services to be provisioned from outside the organisation; they have to bring together disparate services, locations and implementations into something cohesive. Sensitive information that is uploaded and shared in cloud apps without the knowledge, consent or control of IT security teams may put an organisation at risk of a costly or highly embarrassing data breach, or in violation of local or regional regulatory requirements.
Uncovering and rating cloud services, which most Cloud Access Security Broker (CASB) vendors do, is the first step in managing and securing your cloud attack surface. Once an organisation decides to embrace particular apps, or “sanctioned apps,” the next critical stage is to understand the data flows and types of data within those apps, or what is now being termed “Shadow Data.”
Shadow Data refers to the sensitive content that users are uploading, storing and sharing via cloud apps, often without the oversight or knowledge of IT or security personnel. In other words, just because an organisation has selected a robust file sharing app, like Box or Office 365, does not mean they are out of the woods in terms of data governance or compliance liability.
“We’ve reached a point in the security lifecycle where shadow IT should no longer be the primary focus. By now, organisations should have a grip on cloud applications available and have enforceable policies in place with the ability to control which are in use,” said Rehan Jalil, who founded CASB innovator Elastica (now part of Blue Coat). “It’s time to start focusing on the real problems, which are the need to know what types of information employees are sharing, who is able to access data and how to stop high-risk exposures that lead to data breaches.”
The Blue Coat Elastica Cloud Threat Labs team recently released the Q4 2015 Shadow Data Report, which provides analytics revealing how the threat of shadow data is on the rise as employees use cloud apps to share information within their organisations, among partners, and with customers.
Among the most salient findings was that organisations are not aware that 26 per cent of documents stored in cloud apps are broadly shared, meaning that any employee can access them, that they are shared externally with contractors and partners, and in some cases publicly accessible and discoverable through Google search. Equally alarming are findings showing that one out of 10 documents shared broadly contain data that is sensitive and/or subject to compliance regulations, such as source code (48 per cent), Personally Identifiable Information (33 per cent), Protected Health Information (14 per cent), and Payment Card Industry data (5 per cent).
Analysis presented in the report revealed that there were three primary threats facing organisations using sanctioned and unsanctioned cloud apps: data theft, data destruction, and account takeover.
So how can you get a handle on Shadow IT and Shadow Data?
1.Identify risky applications to ensure your employees are only using secure cloud applications and services appropriate for your organisation. A CASB solution enables visibility by discovering cloud based applications and provides control and management centrally allowing the business to weigh the value of a service against its inherent risks. This enables your organisation to make smart choices regarding which applications to sanction while appropriately managing inappropriate or risky applications by restricting or limiting access. Look for discovery solutions that take advantage of real-time threat information feeds to ensure your cloud risk ratings are as accurate as possible and that can leverage integrated data feeds from other security solutions in your infrastructure.
2.Educate your employees on the security risks of indiscriminately sharing documents both within the organisation and with external stakeholders. The more broadly documents are shared or circulated, the higher the likelihood that someone they don’t know or trust will have access to that data. Similarly, IT can leverage CASB solutions to identify what documents with sensitive or regulated data their employees are sharing and how broadly they are being shared.
3.Know your cloud-shared data. You cannot protect what you cannot see, and that goes for your data as well as the cloud applications themselves. A full-function CASB solution should enable you to drill down into your cloud-stored documents and categorise them as sensitive or compliance-related data, as well as classify them into business categories (i.e. Legal, Business, Medical, etc.). Such identification and classification enables you to more effectively apply appropriate cloud data security measures.