Shadow IT & Cloud Access Controls

By Doug Cahill

Doug Cahill is a senior analyst covering cybersecurity at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets. Prior to joining ESG, Doug held executive leadership positions at security firms Threat Stack and Bit9, where he launched market leading products and forged strategic partnerships. 

The “consumerization of IT,” a term coined in the early 2000s with origins dating back to the introduction of the personal computer, continues to be manifested in corporate computing in a multitude of ways and thus represents one of today’s IT meta-trends. What can be summed up as the use of consumer technologies in a business context is, to be sure, compelling for business units, and challenging for IT, especially CISOs. Perhaps the most notable byproduct of this phenomenon is “shadow IT,” which is a term for the use of mobile devices and cloud applications without the involvement—never mind the approval and oversight—of IT. Recently completed market research conducted by The Enterprise Strategy Group (ESG) (Note: I am an ESG employee) highlights the prevalence of shadow IT apps, with 65 percent of research participants stating that they are aware of either a significant or moderate number of non-sanctioned cloud apps in use in their organization.

There are multiple dimensions to the shadow IT revolution that impact business models, the role of IT, regulatory compliance, and technology purchasing decisions. At the center of these dynamics is the data being uploaded, downloaded, and shared vis-à-vis these unauthorized applications. We all know the use case: this file is too large to email to my business partner, so I’ll Dropbox it to them. Is this problematic? It depends. Since not all data is equal relative to its intrinsic value to an organization, it is the sensitive data assets on a migratory path northbound to the cloud that should be of concern. Absent encryption and other data loss prevention (DLP) controls, this data is at risk, organizations are complicit and liable, and CIOs and CISOs are rightfully concerned. Fifty-three percent of respondents in ESG’s survey stated that they are very concerned about storing sensitive data in the cloud. This concern transcends industries and impacts regulations, including FISMA, for which NIST has published standards for the use of technical controls for securing data.

In order to secure data assets associated with cloud app usage, organizations need to gain visibility into what cloud apps are in use, who is using those apps, and the sensitive data being stored and shared with those apps, so controls can be applied. Such visibility and control require both a pragmatic methodology and purpose-built technology. The yin to the shadow IT yang is “sanctioned IT”—apps that are approved, controlled, and governed by IT. To navigate a smooth transition from the use of shadow IT apps to those that are sanctioned, a pragmatic approach is required, one in which IT embraces the role of enabler by collaborating with the lines of business on the secure use of cloud apps. On the technology side, cloud access security brokers (CASB) provide the visibility and control capabilities to help facilitate this transition. While the CASB product category is relatively new, there is broad agreement on its role in providing greater control over cloud applications, with 66 percent of respondents in ESG’s research stating that a CASB is either very important or critical in meeting this objective.

CASB products are quickly evolving from tools into platforms by aggregating the requisite functionality and integrating with other security controls, such as network proxies, identity and access management (IAM) services, and threat intelligence feeds. Support for a broad range of cloud apps, including enterprise file sync and share (EFSS), office productivity, and collaborative messaging, is also essential for coverage across the range of cloud apps in use by most organizations.

Architecturally, a CASB must be implemented in a way that allows it to intermediate end-users’ access to cloud apps, with deployment options that include host agents and integration with native cloud app APIs, single-sign on (SSO) services, and network-based security controls, including proxies and firewalls. Organizations considering a CASB solution should understand that these options are not mutually exclusive, since a multi-mode deployment provides the greatest breadth of coverage and depth of functionality.
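The discovery step described above (which cloud apps are in use, by whom, and how much data is flowing to them) is what a CASB in network-proxy mode derives from web proxy logs. The following is an added illustration, not code from the article or from any CASB vendor: it parses constructed proxy log lines against a constructed, deliberately tiny hostname-to-app catalogue and a sanctioned-app list, and reports the unsanctioned apps together with the users and upload volume seen for each.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article): timestamp, user, method, host, bytes sent.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z alice POST files.dropbox.example 52428800
2024-03-01T09:15:44Z bob GET mail.corp-sanctioned.example 2048
2024-03-01T09:20:10Z alice PUT upload.wetransfer.example 104857600
2024-03-01T09:31:05Z carol POST files.dropbox.example 1048576
2024-03-01T10:02:33Z bob GET drive.sanctioned-efss.example 4096
2024-03-01T10:05:00Z dave POST api.slack.example 512
2024-03-01T10:07:19Z eve GET intranet.example 100
this line is malformed and must be skipped
"""

# Constructed catalogue mapping hostnames to cloud app names; a real CASB ships a far larger one.
APP_CATALOGUE = {
    "files.dropbox.example": "Dropbox",
    "upload.wetransfer.example": "WeTransfer",
    "drive.sanctioned-efss.example": "Corporate EFSS",
    "mail.corp-sanctioned.example": "Corporate Mail",
    "api.slack.example": "Slack",
}

SANCTIONED = {"Corporate EFSS", "Corporate Mail"}  # apps approved and governed by IT
UPLOAD_METHODS = {"POST", "PUT"}                    # requests that carry data northbound

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d+)$")

def discover_shadow_it(log_text, catalogue=APP_CATALOGUE, sanctioned=SANCTIONED):
    """Return {app: {"users": set, "upload_bytes": int}} for unsanctioned apps seen in the log."""
    findings = defaultdict(lambda: {"users": set(), "upload_bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort on real-world logs
        _ts, user, method, host, nbytes = m.groups()
        app = catalogue.get(host)
        if app is None or app in sanctioned:
            continue  # host not a known cloud app, or an approved one
        findings[app]["users"].add(user)
        if method in UPLOAD_METHODS:
            findings[app]["upload_bytes"] += int(nbytes)
    return dict(findings)

if __name__ == "__main__":
    for app, info in sorted(discover_shadow_it(SAMPLE_LOG).items()):
        print(f"{app}: users={sorted(info['users'])} uploaded={info['upload_bytes']} bytes")
```

The upload byte counts are what turn a list of unsanctioned apps into a data-risk ranking: a file-sharing service receiving hundreds of megabytes warrants DLP attention before a chat app receiving a few kilobytes.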

Shadow IT apps are accelerating the journey to the cloud for many organizations, while others are embracing a cloud-first orientation, whereby all new IT initiatives are deployed via cloud services. Both approaches are driving more sensitive data north to the cloud, where there is inherently less initial visibility and control. Saying no to cloud apps is simply not an option for most in this new manifestation of the consumerization of IT, but the visibility gap and the data security concerns that come with it can be addressed with the right approach and technology. The sanctioned IT construct, along with the data loss prevention controls of cloud access security brokers, allows for the safe and agile use of the cloud apps already in use by many organizations across the private and public sectors.
