Enhancing visibility and control of Shadow IT
By Sean Duca June 23, 2015
- ‘Our goal as security professionals should be one of enablement, not curtailment’
- Two realities need to be confronted: Lack of visibility, and the BYO‘X’ trend
Shadow IT is a trend that is catching the attention of CIOs (chief information officers) across the Asia Pacific region, as they consider its security implications and how best to stay on top of the situation.
Put simply, the term ‘Shadow IT’ refers to employees using IT solutions without corporate approval.
The concern is understandable, as unauthorised technology could create new vulnerabilities in the network.
It’s important to acknowledge however that this trend shouldn’t be feared. We live in an era where individual SaaS (Software-as-a-Service) vendors maintain an increasing amount of our corporate data.
And for good reasons, as these cloud-based services provide organisations with near-instant access to advanced capabilities that allow teams to remain a step ahead of their competition.
Our goal as security professionals should be one of enablement, not curtailment. Therefore we need to approach Shadow IT with a pragmatic view: How can we better support the business’ needs while keeping risk in check?
Visibility is key
An effective strategy must confront two realities. First, most security operations lack the transparency needed to keep a close eye on an organisation’s use of SaaS offerings.
Simply put, you can’t control what you can’t see. That’s not to say you want to ransack the company in a search-and-destroy mission against rogue cloud-based users; that could very well end up disrupting business growth.
But you may want to identify usage patterns that can be used to drive corporate-level adoption of specific services.
If these services benefit one group, they might benefit the entire company.
Here’s where it becomes important to have a security solution in place which can safely enable the applications that are critical to a business’ success, while blocking applications that bring unnecessary risk.
To achieve this, next-generation firewalls were built to recognise thousands of unique applications, including those delivered over a SaaS-based model.
This not only brings visibility into the services that Shadow IT users are firing up, it can also be used as an effective means of establishing control.
In some cases you might make the quick determination that a SaaS offering simply introduces too much risk.
A next-generation firewall provides the ability to enforce usage through both application and user-based policies. This provides the granular control needed to enable access for a single individual (your CEO who demands access to his Box account), a group (e.g. HR), or an entire company.
Some organisations have tied these policies to compliance programmes to ensure teams undergo basic usage training before they’re given access.
The ‘BYO’ conundrum
The second reality we need to confront is the one created through corporate Bring Your Own ‘X’ policies.
This is particularly relevant in Asia, which, as Google’s Consumer Barometer study highlights, has some of the highest mobile device adoption rates anywhere in the world.
The combination of BYO ‘X,’ an exceptionally mobile workforce, and an increasing array of cloud-based services has completely eroded our traditional perimeter.
The new perimeter should be defined by two simple elements: Our individual identity, and the data we have access to.
This new perimeter can be protected through a careful orchestration between cloud-based applications, the applications that remain within the enterprise, and the devices that are being used to access those applications.
For your on-premises employees you can rely on the visibility and control gained through the next-generation firewall to reduce risk. This can be achieved by establishing more transparency across the organisation, ensuring use of only accepted SaaS offerings.
It’s also crucial to implement what Forrester defines as a ‘Zero Trust’ architecture to prevent lateral movement of an adversary by establishing protected zones around sensitive data segments.
Once the sensitive data segments are defined, user and application based policies should be set to ensure only the approved identities and their devices have access.
This way if you’ve opened access to a particular team like HR (human resources), you can be assured that only HR will have access unless you change the policy.
Three priorities for mobile
For your off-premises mobile employees there are three priorities to consider. These priorities are based on the simple premise that users should receive the same level of protections that are provided when inside the network.
This begins with ensuring devices are safely enabled while simplifying deployment and setup. In doing so you can ensure proper settings are in place, such as strong passcodes and encryption.
Those employees need to also be protected from exploit and malware-based attacks just as they would if they were inside of the network.
Finally, you must be able to control both access to and movement of the data. This means controlling access by the application, by the user, and by the state of the user’s device.
Those data movement controls need to be extended to the device to ensure data stays within the accepted applications. This enhances your ability to apply better visibility and control to reduce risks.
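The user- and application-based policies described in the previous sections (a single user, a group such as HR, or the whole company allowed to reach a given SaaS application, with access further gated on device state) can be made concrete with a small policy evaluator. The following is an added example, not code from the article or from any vendor product; the users, groups, application names and rule names are constructed for illustration. It implements default-deny, checks device compliance before allowing, records every decision in an audit log, and derives from that log the list of applications no policy sanctions at all, which is the visibility signal the article says should drive corporate-level adoption decisions.

```python
"""Application- and user-based access policy evaluation with a decision log.

Added example: a toy policy engine modelling per-user, per-group and
company-wide rules for reaching a SaaS application, gated on device state.
All users, groups, apps and rule names below are constructed, not taken
from any real product or organisation.
"""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANYONE = "*"  # sentinel: the rule applies to every authenticated user


@dataclass(frozen=True)
class Device:
    managed: bool    # enrolled in device management
    encrypted: bool  # storage encryption enabled
    passcode: bool   # strong passcode set

    def compliant(self) -> bool:
        return self.managed and self.encrypted and self.passcode


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str
    device: Device


@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    require_compliant_device: bool = True

    def matches(self, req: Request) -> bool:
        """True when the rule names this app and this user (directly, by group, or for anyone)."""
        if self.app != req.app:
            return False
        if ANYONE in self.groups or req.user in self.users:
            return True
        return bool(self.groups & req.groups)


class PolicyEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.audit: List[Tuple[str, str, str, str]] = []  # (user, app, verdict, reason)

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """First matching rule wins; a matching rule still denies on a non-compliant device."""
        for rule in self.rules:
            if rule.matches(req):
                if rule.require_compliant_device and not req.device.compliant():
                    decision = ("deny", f"{rule.name}: device not compliant")
                else:
                    decision = ("allow", rule.name)
                break
        else:
            decision = ("deny", "default-deny: no matching rule")
        self.audit.append((req.user, req.app) + decision)
        return decision

    def unsanctioned_usage(self) -> Counter:
        """Apps requested that no rule mentions at all: the shadow IT signal to review."""
        sanctioned = {r.app for r in self.rules}
        return Counter(app for _, app, _, _ in self.audit if app not in sanctioned)


# Constructed policy: one individual, one group, and the whole company.
RULES = [
    Rule("ceo-box", app="box", users=frozenset({"ceo"})),
    Rule("hr-payroll", app="payroll-saas", groups=frozenset({"hr"})),
    Rule("company-file-sync", app="approved-sync", groups=frozenset({ANYONE})),
]

GOOD = Device(managed=True, encrypted=True, passcode=True)
BAD = Device(managed=False, encrypted=True, passcode=False)


def run_demo() -> dict:
    """Evaluate a constructed batch of requests and summarise unsanctioned apps."""
    engine = PolicyEngine(RULES)
    requests = {
        "ceo_box": Request("ceo", frozenset({"exec"}), "box", GOOD),
        "hr_payroll": Request("alice", frozenset({"hr"}), "payroll-saas", GOOD),
        "finance_payroll": Request("bob", frozenset({"finance"}), "payroll-saas", GOOD),
        "hr_unmanaged": Request("carol", frozenset({"hr"}), "payroll-saas", BAD),
        "anyone_sync": Request("dave", frozenset({"sales"}), "approved-sync", GOOD),
        "rogue_share": Request("dave", frozenset({"sales"}), "unvetted-share", GOOD),
        "rogue_share2": Request("erin", frozenset({"sales"}), "unvetted-share", GOOD),
    }
    results = {k: engine.evaluate(r) for k, r in requests.items()}
    results["unsanctioned"] = dict(engine.unsanctioned_usage())
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry over to real deployments: the finance user asking for the HR application and the HR user on an unmanaged device are both denied but for different, logged reasons, so the audit trail distinguishes a policy gap from a device problem; and the unsanctioned list is computed from the same log, so the visibility the article asks for comes from the enforcement point rather than from a separate discovery exercise.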
When implemented properly these tools not only protect your users from cyberthreats, they also provide needed transparency to reduce risks associated with Shadow IT.
These capabilities all exist today in tightly integrated solutions. It’s just a matter of stepping back and designing an architecture that meets your objectives while providing the business the freedom to innovate and adopt these latest SaaS-based offerings.
Sean Duca is the Asia Pacific vice president and regional chief security officer at enterprise security specialist Palo Alto Networks.