Netskope Solutions

Business Challenges

Shadow IT

I am concerned about Shadow IT within our organisation. How can Netskope help me manage the risks without stopping the business?

The adoption of Cloud continues to gain momentum with more than 1,000 cloud services used by employees in a variety of environments from retail to healthcare and everything in between.

Fewer than 5% of these cloud services are approved with IT having administrative access and the ability to manage or secure the deployment.

Sanctioned cloud services often include suites such as Office 365 and Google G Suite and apps like Salesforce, Box, and ServiceNow. While the sanctioned cloud services get most of the enterprise's security focus, Netskope claim that more than 95% of cloud services used by enterprises are unsanctioned shadow IT services, either introduced by lines of business or brought in by individual users who sign up for them because they are easy to access and use.

Unsanctioned cloud services often fly under the radar of IT and Security personnel. Many of these unsanctioned services are IaaS (e.g. Amazon Web Services, Microsoft Azure, and Google Cloud Platform) solutions being used by DevOps teams building apps that access critical systems and contain sensitive resources to support the business. When misconfigured, IaaS resources such as S3 buckets in AWS may expose sensitive data, making it easy for malicious actors to take advantage of the data or introduce threats.

So, the key question given the lack of visibility and control is, what do the IT and Security teams do about shadow IT?

This is often a difficult decision between extracting value from the cloud and being secure. Below are some of the potential impacts resulting from an allow or block decision.

ALLOW Risks:

Loss of sensitive data via unsanctioned cloud services. Many of the thousands of unsanctioned cloud services are used by employees to house and transfer sensitive data. Top categories for DLP violations include webmail, cloud storage, and collaboration, and these alone represent more than 100 unsanctioned cloud services. And with IaaS use on the rise, storage like S3 buckets exposed to the internet and improperly configured presents huge opportunities for hackers. If your data loss prevention focus only covers on-premises and sanctioned cloud services, then you are leaving a big hole. Data loss does not discriminate between cloud services that are managed and secured by IT teams and those that are not. A DevOps engineer using an unsanctioned Microsoft Azure instance with misconfigured settings can just as easily cause a data leak as one using an IT-sanctioned Box account.

Out-of-compliance. Whether your concern is PCI, HIPAA, GLBA, SOX, FINRA or GDPR, compliance considerations should be extended to shadow IT as well.

Data exfiltration taking place from sanctioned to unsanctioned cloud services. A common data loss scenario is when users download sensitive data from a sanctioned cloud service like Office 365 or Salesforce and upload that sensitive data to their personal cloud service. This is a blind spot and obviously presents risk tied to another form of data loss.

Malware and ransomware infection via unsanctioned cloud services. User-led cloud services present a perfect opportunity for various strains of malware like ransomware to hide and spread to unsuspecting victims. One example is the cloud malware fan-out effect that takes place with the combination of shared folders and local sync clients. When malware makes its way into that environment it often goes undetected and spreads quickly to the users that are connected to the share and have a sync client installed. More than 50% of malware in the cloud is shared, with an increasing amount of malware targeting resources in public clouds like AWS, Microsoft Azure, and GCP.

BLOCK Risks:

We will be blind to more than 50% of cloud usage. Legacy security tools like firewalls and secure web gateways were not architected to adequately cover the way people work today. More than 50% of cloud usage takes place with users that are mobile and remote, outside of the perimeter that these tools are protecting. The other issue is that many cloud services cannot be detected by legacy tools and users often learn how to bypass these tools. If you block Dropbox, they use lesser-known alternatives, and these services are often riskier than the ones being blocked.

For the apps and/or services you can block, the number of firewall exceptions can explode. Even if you can adequately block cloud services with your firewall, there will likely be departments that demand access to certain services in order to get their job done. Perhaps they need to access that Google Drive shared by a partner or they need to test out a marketing app to support an important campaign. Before you know it, there are hundreds of exceptions in place on the firewall, creating complexity and management overhead.

We will likely impact the company's ability to move fast and innovate. In addition to the technical challenges faced by trying to block the cloud with legacy security tools, there are the business implications. Taking a heavy-handed approach to blocking the cloud could have a negative impact on productivity, ability to innovate, and employee morale. The cloud enables your employees and teams to move fast, collaborate, and be more innovative.

The Solution: Safely enable unsanctioned, but permitted cloud services

Fortunately, there is a better option. The Netskope Security Cloud is the only cloud access security broker (CASB) that was architected to safely enable unsanctioned cloud services instead of forcing you into difficult allow or block decisions at the perimeter. Netskope advocates a granular and comprehensive approach to securing shadow IT by preventing risky actions while still allowing the cloud service to be used and covering all methods of access to these services.

I have heard about CASB – How could it help me to safely enable and control Shadow IT?

1. Discover cloud services in use and assess risk
Discovery and subsequent risk assessment are frequently the first step of any cloud security strategy. This involves the ability to collect cloud usage details and match them against a database of cloud services that have been researched and scored. A first step before safe enablement might actually be to block the highest-risk cloud services based on their score.
2. Forward proxy deployment options to cover on-premises, mobile and remote users
Getting access to unsanctioned cloud traffic originating from where users are is an important requirement. An agentless forward proxy option for on-premises users can be combined with a forward proxy client for mobile and remote users.
3. Coverage for all access methods including browsers, desktop apps, sync clients, and mobile apps
Covering all ways users access the cloud is also important. More than 50% of cloud usage takes place in native applications, so supporting browser-only traffic presents a big blind spot.
4. Granular activity-level visibility and control for thousands of shadow IT services
Getting access to where users are and how they are accessing the cloud is important but understanding that traffic is also critical. Simply adding a forward proxy isn’t sufficient and neither is supporting only dozens of unsanctioned cloud services, given that there are thousands of them per enterprise. You need a CASB that understands activity-level details and can perform granular control for the thousands of user-led cloud services that are being proxied by the forward proxy.
5. DLP inspection coverage for thousands of shadow IT services
Having the ability to inspect thousands of shadow IT cloud services with DLP is another key requirement for safely enabling these cloud services. Advanced DLP functionality like fingerprinting, exact match, and optical character recognition (OCR) are important, but if your DLP only supports dozens of cloud services, you are vulnerable to sensitive data loss across the thousands of unsanctioned cloud services that are missed.
6. Encryption support for sensitive data going to shadow IT services
There may be scenarios where you allow certain data to go to unsanctioned cloud services, but you first want to secure that data with encryption to ensure it does not get into the wrong hands. A CASB should support the ability to encrypt certain data going to unsanctioned cloud services and only allow that data to be viewed by users going through the CASB.
7. Malware protection for shadow IT services
Supporting real-time malware inspection on traffic going to and from unsanctioned, shadow IT cloud services is a key requirement to help protect against various strains of malware such as ransomware. There are two sides to ransomware protection. One is both static and dynamic analysis to help prevent ransomware infection, and the other is post-infection remediation with the ability to introduce a remediation workflow enabling you to seamlessly roll back your files to the last known “good” version.
8. Category-level policies
Given that there are, on average, over 1,000 cloud services in the enterprise, having a policy infrastructure that enables you to easily triage your cloud services is important. This starts with support for category-level policies, where you can choose categories such as 'cloud storage,' 'collaboration,' and 'social media,' and secure potentially hundreds of cloud services with one policy entry. Without this capability, you would have to write policy one-by-one for over 1,000 cloud services. That is unrealistic.
9. Layered policies with allow / block actions
In addition to category-level policies, triaging shadow IT via policy also requires layered policies that support both allow and block actions. For example, if you want to block PCI data going to all unsanctioned cloud storage services, but allow PCI data to go to the IT-sanctioned Microsoft Office 365, you would create two policies—the first would be tied to an ‘allow’ action of PCI uploads to Office 365 and the second policy would be a ‘block’ action of PCI uploads to ‘cloud storage’ at the category level (while still allowing use of services in that category).
10. Instance awareness
The final requirement is tied to the previous one. In order to thread the needle and perform policy on unsanctioned versus sanctioned cloud services and vice-versa, your CASB needs to understand the difference between instances of a cloud service. Which is the sanctioned OneDrive vs. the shadow IT OneDrive? Which instance of Google Cloud Platform is the production one and which one is just being tested by a line of business? Which version of Box is the Marketing version? The CASB needs to understand this and be able to bring that instance awareness into policy.
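Requirements 8, 9 and 10 describe one mechanism: ordered (layered) allow/block rules that can match on a whole category of services, on a single service, or on a specific instance of that service, with DLP classification as a further condition. The following Python is an added illustration written for this page, not Netskope's code or policy language; the service-to-category mapping, the tenant name contoso.onmicrosoft.com, the user names and the events are all constructed. It implements the exact scenario from the text: PCI uploads are allowed to the IT-sanctioned Office 365 OneDrive instance but blocked to every other service in the 'cloud storage' category, while non-PCI use of those services continues to work.

```python
"""Layered, category-aware, instance-aware allow/block policy evaluator (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for a CASB's researched cloud service database (service -> category).
SERVICE_CATEGORY = {
    "onedrive": "cloud storage",
    "dropbox": "cloud storage",
    "box": "cloud storage",
    "slack": "collaboration",
}

# Constructed tenant identifier for the IT-sanctioned Office 365 instance.
SANCTIONED_O365 = "contoso.onmicrosoft.com"


@dataclass(frozen=True)
class Event:
    """One proxied cloud activity, as a forward proxy with activity-level decoding would see it."""
    user: str
    service: str          # service identified from the traffic, e.g. "onedrive"
    instance: str         # tenant/account the traffic targets; this is what instance awareness needs
    activity: str         # "upload", "download", "share", ...
    dlp_tags: frozenset   # DLP classifications found in the content, e.g. frozenset({"PCI"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    activity: str
    dlp_tag: Optional[str] = None    # None: applies regardless of content classification
    category: Optional[str] = None   # match every service in a category (requirement 8)
    service: Optional[str] = None    # match one named service
    instance: Optional[str] = None   # match one instance of that service (requirement 10); None = any

    def matches(self, ev: Event) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        if self.activity != ev.activity:
            return False
        if self.dlp_tag is not None and self.dlp_tag not in ev.dlp_tags:
            return False
        if self.category is not None and SERVICE_CATEGORY.get(ev.service) != self.category:
            return False
        if self.service is not None and self.service != ev.service:
            return False
        if self.instance is not None and self.instance != ev.instance:
            return False
        return True


def evaluate(rules: List[Rule], ev: Event) -> Tuple[str, str]:
    """Layered evaluation (requirement 9): rules are ordered, first match wins.

    Returns (action, rule_name). With no matching rule the activity is allowed,
    which is what keeps the category's services usable for everything else.
    """
    for rule in rules:
        if rule.matches(ev):
            return rule.action, rule.name
    return "allow", "default"


# The two-policy example from the text. Order matters: the narrow instance-level
# allow must sit above the broad category-level block.
POLICY = [
    Rule("allow-pci-upload-to-sanctioned-o365", "allow", "upload", dlp_tag="PCI",
         service="onedrive", instance=SANCTIONED_O365),
    Rule("block-pci-upload-to-cloud-storage", "block", "upload", dlp_tag="PCI",
         category="cloud storage"),
]


def decide_all(rules: List[Rule], events: List[Event]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of events; returns (user, action, rule_name) per event."""
    return [(ev.user, *evaluate(rules, ev)) for ev in events]


if __name__ == "__main__":
    PCI = frozenset({"PCI"})
    sample_events = [  # constructed traffic
        Event("alice", "onedrive", SANCTIONED_O365, "upload", PCI),   # sanctioned instance
        Event("alice", "onedrive", "live.com", "upload", PCI),        # personal OneDrive, same service
        Event("bob", "dropbox", "bob-personal", "upload", PCI),       # unsanctioned cloud storage
        Event("bob", "dropbox", "bob-personal", "upload", frozenset()),  # non-PCI: still allowed
        Event("carol", "slack", "partner-workspace", "upload", PCI),  # different category: no rule
    ]
    for user, action, why in decide_all(POLICY, sample_events):
        print(f"{user:6} {action:5} ({why})")
```

The point worth checking in any real policy set is the ordering failure mode: if the category-level block were listed first, `evaluate` would block Alice's upload to the sanctioned tenant as well, because the block rule also matches it. Instance awareness is what lets the two OneDrive events above, which are indistinguishable at the service level, receive different decisions.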

We have spent significant levels of resource ensuring we are GDPR compliant. Does the use of Cloud services mean we have to start all over again?

One of the biggest problems that arises with the cloud is that personal data is processed in the cloud, with IT and security teams having no visibility or control into what is happening with the data.

Employees are using unsanctioned, and possibly risky, cloud apps and services to get their jobs done. The trend of bring-your-own-device (BYOD) has only made the problem worse, with personal devices accessing personal data and syncing them outside the organisation, or worse still, using them for purposes other than those that the service purports to cover. Regardless, organisations are still on the hook for protecting personal data under the GDPR.

So how should internal IT and security teams secure cloud usage without blocking everything and inhibiting employee productivity? 

Working with a European data privacy compliance legal expert, Netskope have created a white paper on the GDPR regulations, grouping them under six encompassing principles for the cloud. As you will see below, processors (the term used in the GDPR text) are the cloud apps and services. The checklist maps a list of actions for organisations and processors back to each principle, to help your organisation be cloud-ready, secure, and compliant with the GDPR.

View the EU GDPR Cloud-Readiness and Compliance Checklist
