Shadow IT is a growing threat, largely because organizations vastly underestimate the size and scope of the issue. According to one Cisco study, large organizations use an average of more than 1,200 different cloud-based applications and services — more than 13 times the number recognized by their IT departments.
Cloud proliferation has contributed to the problem by making it a snap to purchase apps and services without the approval and support of the IT department. A new study from Snow Software finds that vice presidents and C-level executives are among the worst offenders, with 57 percent reporting they regularly use cloud apps without IT’s permission. Most said going through IT’s provisioning process slows them down and negatively impacts productivity.
In a previous post, we noted that shadow IT increases the risk of cyberattacks and data loss, while also disrupting business processes and operational efficiency. It also makes regulatory compliance extremely difficult. Organizations can’t pass compliance audits if they don’t know what applications are being used, where the app data is being processed, or how that data has been shared.
In some instances, simply using a cloud-based service creates violations. A third-party provider’s terms and conditions often state that the provider will be processing your data. Such third-party data handling is expressly prohibited under many data privacy regulations, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Both regulations mandate potentially crippling fines for such violations.
With a better understanding of the root cause of the issue, organizations can take a variety of steps to mitigate risks while still supporting apps and services that help people do their jobs. Here are three practices to consider:
Standardize Collaboration. Free cloud-based file-sharing and collaboration services such as Box, Dropbox and Google Drive are frequent sources of data leakage. Consider upgrading to the business-class versions of these services. They will require a subscription, but they offer significant security improvements, including encryption, authentication, monitoring, auditing, policy management, electronic document signing and customizable storage configurations. Another option would be to standardize on an in-house solution such as Microsoft’s OneDrive for Business.
Practice Prevention. Data loss prevention (DLP) platforms help IT discover, monitor and manage sensitive data in flight across the network. DLP solutions can also prevent unauthorized users from downloading or copying data onto an endpoint device and can inspect communications to ensure that confidential data is not transmitted via email, instant messaging or chat.
Control Access. Cloud access security brokers (CASBs) help control access to cloud applications and data. Deployed as a cloud-based application, physical or virtual appliance, or both, a CASB sits between an organization’s on-premises IT infrastructure and the cloud. CASBs provide visibility into traffic moving to and from the cloud and enforce IT policies and access controls. They may also provide additional security features such as firewall capabilities, user and entity behavior analytics, data encryption and tokenization, data loss prevention, and risk and compliance management.
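The visibility step that a CASB or a review of web-proxy logs provides, as an added Python example that is not code from the original post or from Verteks: it inventories traffic to cloud services, drops anything on IT's allowlist, and ranks what remains by bytes uploaded. The proxy log lines, the sanctioned-service allowlist and the service catalogue are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed web-proxy log (not real traffic): timestamp, user, destination host, bytes uploaded.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:02:11Z alice upload.box.com 1048576
2024-05-01T09:05:40Z bob api.dropboxapi.com 524288
2024-05-01T09:07:02Z carol onedrive.live.com 2048
2024-05-01T09:12:55Z bob content.dropboxapi.com 3145728
2024-05-01T09:15:30Z dave docs.google.com 15728640
2024-05-01T09:20:01Z alice contoso-my.sharepoint.com 4096
"""

# Hypothetical allowlist: services IT has sanctioned, keyed by registrable domain.
SANCTIONED = {"box.com", "sharepoint.com"}

# Constructed catalogue used to label known file-sharing services in the report.
KNOWN_SERVICES = {
    "dropboxapi.com": "Dropbox",
    "live.com": "OneDrive (consumer)",
    "google.com": "Google Drive / Docs",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def registrable_domain(host):
    # Deliberately naive (last two labels); real deployments need a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])

def find_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to non-allowlisted domains: users seen, bytes sent, service label."""
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "service": "unknown"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        _ts, user, host, nbytes = m.groups()
        domain = registrable_domain(host)
        if domain in sanctioned:
            continue
        entry = report[domain]
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
        entry["service"] = KNOWN_SERVICES.get(domain, "unknown")
    return dict(report)

def rank_by_bytes(report):
    """Order findings by bytes uploaded, the usual triage order for data-leakage risk."""
    return sorted(report.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
```

On the sample log, Box and SharePoint traffic is dropped as sanctioned, and Google Docs tops the ranking because of its upload volume; in practice the same loop runs over the export of a real proxy or CASB.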
Shadow IT creates significant risk, but it also carries some benefits. Luckily, it is possible to balance the flexibility of cloud-based services with security and compliance requirements. Verteks can help you evaluate your current environment to identify potential vulnerabilities, and design and implement a plan for regaining visibility and control of your IT resources.