Imagine you’re a radiology patient. Something hurts and needs to be fixed. An X-ray informs the diagnosis which informs a treatment plan. Let’s apply the same diagnostic approach to shadow IT!
If you’re unfamiliar with the term, shadow IT is any computing resource or service used without IT’s blessing. Examples might include an engineering employee using an unsanctioned file sharing solution to collaborate on confidential schematics, or an operations employee using free SaaS-based process mapping software. Shadow IT occurs completely outside of IT’s purview and ignores the necessary oversight, governance and internal controls set forth by business leaders. See the problem?
You, fearless IT leader, are the doctor. Time to diagnose!
You’re the CIO of a burgeoning, ten-location retailer beholden to Level 4 PCI standards. You’re very serious about adherence, so little wonder that you have a QSA combing through your systems and processes every year. You configured each of your next-gen firewalls and web content filters, and users are expressly forbidden to use any cloud applications! If they require a specific application, they can put in a support ticket and provide a solid business case for access. Provided the business case has merit, they’ll receive access within a week.
Why, then, are you receiving a call at 3 a.m. from your CISO?
“Marketing launched a small web campaign to test the viability of our core product in a new market.”
“OK, what’s the problem?”
“They built the campaign on AWS, and customer credit card numbers sat in an unencrypted and publicly-accessible S3 bucket.”
You’re lucky. The S3 logs show very limited access from your corporate IP range, so this information didn’t go public…this time.
This leak was just the swollen lymph nodes. Where is the rest of the infection? How frequently is IT sidestepped by other lines of business that see your department as a barrier, not an enabler, of productivity? According to a recent Cisco study, most enterprise IT departments assume they run 51 cloud services. The actual average is around 730¹! That’s 679 potentially unsecured points of data loss or compromise. No matter the size of your business, is it reasonable to expect that you’re the exception?
You need to do a head-to-toe assessment of your processes and security, and fortunately there is an excellent tool in your medical bag: CASB.
The Treatment Plan
A Cloud Access Security Broker (CASB) is the answer to your shadow IT woes. Unlike traditional security tools focused on prescriptive allow/deny frameworks, CASB is focused on empowerment not only for IT, but also the lines of business it supports. CASB converts employees into security advocates while removing productivity impediments. A modern CASB accomplishes this in several ways:
- By allowing a CASB to monitor network traffic over time, IT gains visibility into which cloud applications users are accessing and a corresponding risk rating for each. This addresses two critical questions: how exposed are we, and what do my users actually need to do their jobs?
- Several CASB platforms offer cloud DLP, which ensures PII or confidential data doesn’t make it outside your network and onto sanctioned or unsanctioned cloud platforms.
- IT administrators can customize end user interactions, including gently denying access to unsafe cloud applications while redirecting them to sanctioned and governed equivalents.
- Security within popular sanctioned cloud applications can be enhanced to include threat protection and remediation for compromised accounts.
In our AWS scenario, IT would have been able to prevent the rogue workload while helping marketing achieve its campaign goals through secure means.
The patient is not only healthy, but thriving!
The best part? Unlike many on-premises security solutions that require major integration, CASB is generally SaaS so the POC-ability factor is extremely high.
It is difficult to avoid catching a cold, but an ounce of prevention is worth a pound of cure. CASB can provide the framework for healthy cloud practices in your organization.
For the latest and greatest in cloud trends, check out BizTech Magazine for more information.
¹Cisco Cloud Consumption Services