3 Ways to Secure Enterprise Shadow IT

By McAfee Cloud BU on Jun 20, 2019

Do You Know What’s Lurking in the Shadows?

Have you ever used that instant PDF converting service or that random cloud application to share a large file when in a bind? Well, you’re not alone!

In the interest of getting things done, employees often use cloud applications not approved by IT. These applications, commonly referred to as Shadow Cloud Applications, pose a security threat because sensitive corporate data may be exfiltrated via these services. In fact, the recent McAfee Cloud Adoption and Risk report found that 25% of sensitive enterprise data going to the cloud, including passwords, PII data, legal documents and source code, is uploaded to high or medium risk shadow applications.

Securing Shadow IT is a critical component of an end-to-end enterprise data security strategy.

Per the McAfee Cloud Adoption and Risk report, the average enterprise today uses 1950 cloud services, of which fewer than 10% are enterprise ready. To avert a data breach (with the average cost of a data breach in the US being $7.9 million), enterprises must exercise governance and control over their unsanctioned cloud usage.

Finding and Fine-Tuning the Elusive Balance of Shadow IT

The traditional network perimeter has dissolved. Today, networks are a heterogeneous mix of on-premises, cloud, container, serverless and virtualized environments, cloud applications and a highly diversified set of users. This introduces new risks, and new rules for gaining visibility and control of both East-West and North-South traffic, as enterprises transform to a cloud-first world.

One way to control shadow cloud usage is to block all unsanctioned applications. Certain enterprises do follow this approach: they whitelist a set of allowed applications and block everything else. For most enterprises, however, this is not a practical option, as employees use several productivity and business function applications, and blocking these applications negatively impacts the business. Enterprise security teams therefore strive to achieve a balance and require a solution that enables restricted use of shadow applications while maintaining compliance and governance controls.

Enterprises are effectively deploying MVISION Cloud Access Security Broker (CASB) solutions to apply these controls. MVISION Cloud not only provides comprehensive visibility of all Shadow IT applications and usage across SaaS, PaaS and IaaS environments, but also allows IT and Security teams to apply granular controls using the Cloud Application Control capability. Here are 3 types of controls that enterprises can apply on Shadow IT:

Activity Control: Cloud Application Control enables enterprises to enforce granular policies on activities performed within shadow applications to protect against the risk of data exfiltration. For example, a Latin American retail company wanted to enable its marketing team to collaborate with a vendor who used Dropbox, so they defined a rule to allow downloads from Dropbox but block all uploads. Similarly, a leading insurance company blocked uploads to GitHub to prevent exfiltration of source code but allowed their engineers to download code from public repositories.

Personal vs. Corporate Tenant Restrictions: A common problem faced by companies using sanctioned services like Office 365 and Google is that employees can download corporate content from the sanctioned instance of the application and upload it to their personal account of the same application. Cloud Application Control detects and blocks personal access to sanctioned SaaS applications like AWS, Office 365, Dropbox, Box and Slack while allowing corporate access to these cloud applications.

IaaS Governance: Security of IaaS instances is a key priority for many enterprises. Cloud Application Control detects and blocks access to personal accounts of IaaS services like AWS, Azure, and Google Cloud Platform while allowing access to the corporate accounts. Given the plethora of AWS breaches occurring in recent years (see the Dow Jones breach a few months ago), restricting employees to using sanctioned AWS accounts with the right security configurations is a key security requirement.
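The three controls above can be pictured as one ordered rule list evaluated against each cloud access event. The sketch below is an added illustration, not MVISION Cloud's policy syntax or code from McAfee; the event fields, the rule tuple layout, the first-match ordering and the corporate domain `example.com` are all assumptions.

```python
CORPORATE_DOMAINS = {"example.com"}  # assumption: the company's sign-in domain
DEFAULT_ACTION = "allow"             # block-all (whitelisting) would set "block"

# (service, activity, tenant, action); "*" is a wildcard, first match wins.
RULES = [
    ("dropbox",   "download", "*",        "allow"),  # vendor collaboration
    ("dropbox",   "upload",   "*",        "block"),  # nothing leaves via Dropbox
    ("github",    "upload",   "*",        "block"),  # protect source code
    ("github",    "download", "*",        "allow"),  # public repos stay usable
    ("office365", "*",        "personal", "block"),  # tenant restriction
    ("aws",       "*",        "personal", "block"),  # IaaS governance
]

# Constructed sample events; "account" is the identity used at the cloud service.
EVENTS = [
    {"service": "dropbox", "activity": "download", "account": "vendor@partner.test"},
    {"service": "dropbox", "activity": "upload", "account": "ana@example.com"},
    {"service": "github", "activity": "upload", "account": "raj@example.com"},
    {"service": "office365", "activity": "upload", "account": "raj@EXAMPLE.com"},
    {"service": "office365", "activity": "upload", "account": "raj@example.com.mail.test"},
    {"service": "aws", "activity": "login", "account": None},
]

def tenant_of(account):
    """Classify the cloud account; unknown or malformed accounts fail closed."""
    if not account or "@" not in account:
        return "personal"
    domain = account.rsplit("@", 1)[1].strip().lower()
    # Exact match only, so a lookalike suffix domain is not treated as corporate.
    return "corporate" if domain in CORPORATE_DOMAINS else "personal"

def decide(event):
    """Return the action of the first rule matching service, activity and tenant."""
    tenant = tenant_of(event.get("account"))
    for service, activity, rule_tenant, action in RULES:
        if (service in ("*", event["service"])
                and activity in ("*", event["activity"])
                and rule_tenant in ("*", tenant)):
            return action
    return DEFAULT_ACTION

def evaluate(events):
    return [decide(e) for e in events]

if __name__ == "__main__":
    for e, action in zip(EVENTS, evaluate(EVENTS)):
        print(f"{action:5} {e['service']:9} {e['activity']:8} {e['account']}")
```

The fourth event is allowed because the corporate Office 365 tenant matches no blocking rule, while the lookalike domain and the missing account in the last two events are treated as personal and blocked.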

Securing shadow cloud usage is important; however, security teams also require a CASB solution that is easy to implement. For instance, security administrators prefer not to visit multiple consoles to define shadow control policies, nor do they wish to grapple with creating complex rulesets. MVISION Cloud provides a unified console and a simple policy editor that allows the definition and implementation of policies within minutes. Further, with industry-leading gateway performance, enterprises can be assured of an industry-leading web and cloud access experience for their end users.

Someone once asked Willie Sutton, the infamous bank robber from the 1920s, “Why do you rob banks?” and he replied, “Because that’s where the money is.” Today, data is the new currency, and cloud is the bank. As enterprises strive to secure their sensitive data, MVISION Cloud Application Control is an essential tool in their toolkit.

About the Author

McAfee Cloud BU
