How to overcome the cloud services challenge of shadow IT

By Brandon Cook

A recent report by Skyhigh Networks stated that the average organization used a whopping 1,427 cloud services in Q3 of 2016, representing a 23.7 percent growth over the same quarter in the previous year. These numbers clearly illustrate the extent of the shadow IT problem. Cloud services provide several advantages of improved agility, productivity and user experience, but they also represent significant risk for the IT and security teams.

Across the 20,000 cloud services in use today, only 8.1 percent meet the strict data security and privacy requirements of enterprises as defined by Skyhigh’s CloudTrust Program. When employees choose a cloud service, they often ignore its security limitations. In many cases, this can result in the unauthorized access of corporate data. A large conglomerate faced this problem when members of its legal team uploaded contracts to online PDF converters, whose terms of service stated that they assumed complete ownership of all documents uploaded into their systems and that they had the right to distribute data to any third party. The legal team put its company at significant risk by uploading sensitive information to a service that could freely distribute it to any interested party.

Average number of cloud services in use

Companies attempt to address the shadow IT problems by blocking the known risky services as they pop up. This “whack-a-mole” approach may partially address the problem, but it also increases the risk of employees finding other cloud services that are lesser known and possibly riskier. In order to overcome the challenges imposed by risky shadow IT services, CIOs and CISOs are looking for security solutions to address key challenges. Consider these four steps:

1. Gain visibility into shadow IT services

Enterprise CIOs are looking to get visibility into all cloud services used by employees within their company. Though existing proxies and firewalls provide some level of visibility into cloud services, it’s not adequate for IT to make any actionable decisions, as they miss the bulk of cloud services. Furthermore, for informed decision-making, IT leaders are looking not only for visibility into all cloud services, but also related data points including users or teams accessing each service, data uploaded or downloaded and usage trends over time. And, with the increasing growth in the usage of infrastructure-as-a-service (IaaS) platforms, enterprises are also looking to get similar visibility and metrics on their IaaS deployments, including user accounts, custom apps and data volumes exchanged.

Skyhigh cloud service key findings

2. Understand risk associated with cloud services

Given that there are more than 20,000 cloud services in existence, mere visibility into services used within the company does not help in meeting security requirements, especially if companies start to block cloud services that are helping employees get their work done. IT teams need to understand the risk associated with each service so they can enforce policies accordingly.

The process of due diligence in evaluating security controls built into cloud services is a tedious one, and most IT teams do not have resources to spend on performing these analyses. Given that enterprise cloud adoption is only going to grow from here on, CIOs are looking for solutions to analyze security controls built into cloud services and use this information to provide the risk associated with them. By categorizing cloud services based on risk, they can enforce governance policies based on their companies’ risk tolerances.

Information security message

3. Enforce governance policies

As enterprises see increased cloud adoption, they’re looking for ways to enforce governance policies to regulate this adoption. Risk information associated with cloud services helps IT teams implement governance policies based on risk categories. A basic example is to divide the cloud services into high-, medium- and low-risk buckets, then implement policies to block high-risk services and enforce data loss prevention/compliance policies on medium-risk services and sanctioned selected low-risk solutions.

Some companies may want to enforce more granular policies, such as permitting selected cloud apps for specific teams such as engineering, then blocking them for HR or marketing. This requires cloud security solutions to integrate with existing IT infrastructure such as Active Directory as well as with security solutions such as firewalls and proxies. IT leaders often point out challenges associated with security solutions that work in silos and the additional work involved in monitoring multiple dashboards to understand cloud usage risk.

4. Apply data loss prevention policies

A number of cloud solutions could fall into the “permitted” category, which means they don’t have the security controls required for an enterprise-grade solution, but they add value by improving work processes or increasing productivity. For these solutions, companies choose to enforce data loss prevention policies to prevent the upload of sensitive data that could be accessed by unauthorized users. For example, IT can enforce policies that prevent confidential data such as personal information or health information from being uploaded into Evernote, or restrict employees from uploading source code to selected GitHub repositories. This allows employees to remain productive while keeping corporate data secure.

Gartner put the size of the public cloud services market at $208.6 billion in 2016. The growth of cloud adoption indicates that the cloud market is still in its early stages, and there will be many more solutions with varied capabilities. Enterprises that build out their governance policies and streamline their cloud usage early on are able to realize more returns on their cloud investments and better secure and govern their usage.

This article was originally published on Mobile Business Insights.