Although traditional threats – such as rogue access points, removable media, and unauthorized printing – still exist, one of the most prominent new IT threats is the cloud itself and the emergence of what is being referred to as Shadow IT. Shadow IT refers to IT devices (such as USB drives and external hard drives), software, and services outside of the control and ownership of an organization’s IT department. It’s been around as long as IT departments have been providing services, but as technology has transformed and evolved, so have the threats and risks that Shadow IT presents.
Shadow IT, unfortunately, presents a difficult challenge for most enterprise IT departments to manage and is almost impossible for the average SMB. With the explosion of smartphones, tablets, apps, and Internet-based services such as OneDrive, Gmail and others, the threat of Shadow IT is imminent and real. In the majority of cases, these risks come to light due to a desire for convenience and efficiency, not intentionally malicious behavior – although even the most innocent behavior can put company data and resources at risk.
As “Millennials” begin to enter the workforce, they bring high expectations for their working environment that include work-life integration and the ability to work anytime and anywhere. The reality is that these employees will find a way to enable themselves to do their jobs on their terms regardless of whether the IT department deploys safe, proven solutions. They do this by taking actions like downloading items to a USB drive to work on at home or sending documents to themselves via their personal cloud-based email address so that they can access them at another location. With every staff member – from HR to marketing – working independently of the IT department and using various applications to store, sync, and share content, the company incurs significant risks for data loss and possible legal implications.
Areas to consider when dealing with Shadow IT:
- Storing protected information on a cloud service that is located outside your country of origin. This is a regulatory nightmare both in the US and EU/UK.
- Protected information being stored on an untrusted service.
- Unreported data breaches or losses (lost USB device, stolen laptops, or compromised data storage)
- Loss of control of data and resources. This is a common problem; a department will move data to an outside service and not notify and/or discuss with IT.
- Employee separation without a full understanding of what access the employee has. Moving data to the cloud empowers the employee to manage the data even after the employee has left the company.
Some quick statistics from Cisco:
- 80% of end users use software or services (cloud) not officially cleared by their IT department
- 83% of IT staff admit to using unsanctioned software or services
- Only 8% of all enterprises know the scope of Shadow IT risks within their organization
These threats are real and increasing every day; however, they’re not impossible to mitigate. As with any risk assessment, you need to identify the threats and the risks associated with them. Below are simple steps that can be put in place without conducting a formal risk assessment, although a formal assessment is always advised. Risk assessments don’t need to be a long, drawn-out process; in many cases, they can be done in a few days for the average small business.
Reduce the Risk: The Human Factor
- Start off with a written security policy that addresses Shadow IT and the use and management of company data and resources. This is the first place to start; you cannot hold employees responsible if they are unaware of the risk and associated policies.
- Educate; if an employee is unaware of their responsibility then you cannot expect them to understand how to identify, manage, and avoid risks when dealing with company data.
- Listen to employees and department managers. If employees are working outside the scope of currently available tools that IT has provided, there is a reason for it. Understanding why they’re taking such actions helps identify a solution that meets everyone’s needs.
Reduce the Risk: Technical Controls
- Deploy a next-generation firewall that can block applications such as OneDrive, Gmail, Dropbox, etc. In a business environment, public services such as email and storage are not needed. If an employee cannot access these services, they won’t be tempted to use them.
- Review firewall logs and evaluate what people are accessing. Insight into the habits of the end-user is key to identifying and blocking unauthorized services.
- Deploy advanced end-point controls (AV) to block removable media, restrict access to web sites and services, and block attachments to public mail services. These are some of the controls found in most end-point protection clients, not to mention anti-virus and anti-malware software.
- Deploy device management software such as Microsoft Intune, which allows a business to inventory (looking for authorized applications), patch, and push applications to ensure systems are up-to-date, as well as restrict data transfer and selectively wipe data as needed.
- Block external access to corporate data from unapproved devices. For example, if you are using Office 365, block such devices from accessing things like email, OneDrive, SharePoint, etc.
- Force Multi-Factor Authentication to access resources. This ensures people cannot access data without the proper credentials, and increases security against cyber threats.
- Take the position of deny by default. This means securing the data and only granting access as needed. Take this philosophy and apply it to cloud computing, internet access, and mobility.
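The log review and deny-by-default steps above can be combined into one check. The following is an added example, not part of the original article: it flags allowed outbound traffic to any host that is not on an approved list. The CSV log layout, the approved-domain list and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumption: domains IT has sanctioned (hypothetical allowlist, deny by default).
APPROVED_DOMAINS = {"corp.example.com", "sharepoint.com"}
# Assumption: firewall/proxy export with these CSV columns (no header row).
FIELDS = ["time", "user", "dest_host", "bytes_out", "action"]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:12:03,alice,files.corp.example.com,1200,allow
2024-05-01T09:14:40,bob,www.dropbox.com,52428800,allow
2024-05-01T09:15:02,bob,www.dropbox.com,1048576,allow
2024-05-01T09:20:11,carol,mail.google.com,20480,allow
2024-05-01T09:21:45,dave,contoso.sharepoint.com,4096,allow
2024-05-01T09:30:00,erin,notsharepoint.com,999,allow
2024-05-01T09:31:10,carol,www.dropbox.com,300,deny
2024-05-01T09:32:00,frank,www.dropbox.com,not-a-number,allow
"""


def is_approved(host, approved=APPROVED_DOMAINS):
    """True only for an approved domain or a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    # Match on a label boundary so "notsharepoint.com" is not treated as approved.
    return any(host == d or host.endswith("." + d) for d in approved)


def shadow_it_report(log_text, approved=APPROVED_DOMAINS):
    """Summarise allowed traffic to unapproved hosts, largest upload volume first."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        host = row["dest_host"]
        if not host or row["action"] != "allow" or is_approved(host, approved):
            continue  # blocked by the firewall already, or a sanctioned service
        try:
            sent = int(row["bytes_out"])
        except (TypeError, ValueError):
            continue  # malformed row: skip rather than abort the review
        entry = seen[host.lower()]
        entry["users"].add(row["user"])
        entry["bytes_out"] += sent
        entry["requests"] += 1
    return sorted(seen.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    for host, info in shadow_it_report(SAMPLE_LOG):
        print(host, sorted(info["users"]), info["bytes_out"], info["requests"])
```

Sorting by upload volume puts the services that are receiving the most company data at the top of the review.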
The goal is not to prevent people from doing their jobs; it’s to ensure the data is safe and maintained. Leveraging cloud services can help the average IT department to provide a highly available, secure computing environment and should be embraced.