I am concerned about Shadow IT within our organisation. How can Netskope help me manage the risks without stopping the business?
The adoption of Cloud continues to gain momentum with more than 1,000 cloud services used by employees in a variety of environments from retail to healthcare and everything in between.
Fewer than 5% of these cloud services are approved with IT having administrative access and the ability to manage or secure the deployment.
Sanctioned cloud services often include suites such as Office 365 and Google G Suite and apps like Salesforce, Box, and ServiceNow. While the sanctioned cloud services often have most of the enterprise focus, Netskope claim that more than 95% of cloud services used by enterprises are unsanctioned, shadow IT services and are either introduced by lines of business or brought in by individual users that sign up for them because they are easy to access and use.
Unsanctioned cloud services often fly under the radar of IT and Security personnel. Many of these unsanctioned services are IaaS (e.g. Amazon Web Services, Microsoft Azure, and Google Cloud Platform) solutions being used by DevOps teams building apps that access critical systems and contain sensitive resources to support the business. When misconfigured, IaaS resources such as S3 buckets in AWS may expose sensitive data leaving it easy for malicious actors to take advantage of the data or introduce threats.
So, the key question given the lack of visibility and control is, what do the IT and Security teams do about shadow IT?
This is often a difficult decision between extracting value from the cloud and being secure. Below are some of the potential impacts resulting from an allow or block decision.
Loss of sensitive data via unsanctioned cloud services. Many of the thousands of unsanctioned cloud services are used by employees to house and transfer sensitive data. Top categories for DLP violations include webmail, cloud storage, and collaboration and this represents more than 100 unsanctioned cloud services alone. And with IaaS use on the rise, storage like S3 buckets exposed to the internet and improperly configured present huge opportunities for hackers. If your data loss prevention focus only covers on-premises and cloud-based, sanctioned services then you are leaving a big hole. Data loss does not discriminate between whether a cloud service is managed and secured by IT teams. A DevOps engineer using an unsanctioned Microsoft Azure instance with misconfigured settings can just as easily allow for data leaks as while using an IT-sanctioned Box account.
We will be blind to more than 50% of cloud usage. Legacy security tools like firewalls and secure web gateways were not architected to adequately cover the way people work today. More than 50% of cloud usage takes place with users that are mobile and remote, outside of the perimeter that these tools are protecting. The other issue is that many cloud services cannot be detected by legacy tools and users often learn how to bypass these tools. If you block Dropbox, they use lesser-known alternatives and these services are often riskier than the ones being blocked.
Out-of-compliance. Whether your concern is PCI, HIPAA, GLBA, SOX, FINRA or GDPR, compliance considerations should be extended to shadow IT as well.
For the apps and/or services you can block, the number of firewall exceptions can explode. Even if you can adequately block cloud services with your firewall, there will likely be departments that demand access to certain services in order to get their job done. Perhaps they need to access that Google Drive shared by a partner or they need to test out a marketing app to support an important campaign. Before you know it, there are hundreds of exceptions in place on the firewall, creating complexity and management overhead.
Data exfiltration taking place from sanctioned to unsanctioned cloud services. A common data loss scenario is when users download sensitive data from a sanctioned cloud service like Office 365 or Salesforce and upload that sensitive data to their personal cloud service. This is a blind spot and obviously presents risk tied to another form of data loss.
We will likely impact the company’s ability to move fast and innovate. In addition to the technical challenges faced by trying to block the cloud with legacy security tools, there are the business implications. Taking a heavy- handed approach to blocking the cloud could have a negative impact on productivity, ability to innovate, and employee morale. The cloud enables your employees and teams to move fast, collaborate, and be more innovative.
Malware and ransomware infection via unsanctioned cloud services. User-led cloud services presents a perfect opportunity for various strains of malware like ransomware to hide and spread to unsuspecting victims. One example is the cloud malware fan-out effect that takes place with the combination of shared folders and local sync clients. When malware makes its way into that environment it often goes undetected and spreads quickly to the users that are connected to the share and have a sync client installed. More than 50% of malware in the cloud is shared – with an increasing number of malware targeting resources in public clouds like AWS, Microsoft Azure, and GCP.
The Solution: Safely enable unsanctioned, but permitted cloud services
Fortunately, there is a better option. The Netskope Security Cloud is the only cloud access security broker (CASB) that was architected to safely enable unsanctioned cloud services instead of forcing you into difficult allow or block decisions at the perimeter. Netskope advocates a granular and comprehensive approach to securing shadow IT by preventing risky actions while still allowing the cloud service to be used and covering all methods of access to these services.
I have heard about CASB – How could it help me to safely enable and control Shadow IT?
We have spent significant levels of resource ensuring we are GDPR compliant. Does the use of Cloud services mean we have to start all over again?
One of the biggest problems that arises with the cloud is that personal data is processed in the cloud, with IT and security teams having no visibility or control into what is happening with the data.
Employees are using unsanctioned, and possibly risky, cloud apps and services to get their jobs done. The trend of bring-your-own-device (BYOD) has only made the problem worse, with personal devices accessing personal data and syncing them outside the organisation, or worse still, using them for purposes other than those that the service purports to cover. Regardless, organisations are still on the hook for protecting personal data under the GDPR.
So how should internal IT and security teams secure cloud usage without blocking everything and inhibiting employee productivity?
Working with a European data privacy compliance legal expert Netskope have created a white paper on the GDPR regulations, grouping them under six encompassing principles for the cloud. As you will see below, processors (the term used in the GDPR text) are the cloud apps and services. This checklist provides a list of actions for organisations and processors back to each principle in order to help your organisation to be cloud-ready, secure, and compliant with the GDPR.
Not sure how to contact us?
Schedule a call with one of our certified engineers and pre sales team. Or drop us a line if you have any questions.