CISOs vs. 'Shadow IT'How Do Security Leaders Get a Handle on Data and Apps Outside Their Bounds?
"Shadow IT" has long existed slightly under the radar of enterprise IT and security organizations. The term describes business units that opt to embrace IT systems and applications, including SaaS apps, without the express consent and support of IT.
See Also: 2016 Social Engineering Report
In the past, these transgressions have mainly been overlooked. But now they are starting to raise significant cybersecurity concerns.
In fact, one new report finds that more than one-quarter of enterprise documents are at risk of compromise through Shadow IT file-sharing applications. And one security vendor says that more than 60 percent of enterprise data might be touched by Shadow IT and at heightened risk of exposure.
These concerns now resonate with security and technology leaders, who have to get a better rein on Shadow IT within their own enterprises.
"Shadow IT will significantly contribute to data breaches," says T G Dhandapani, Group CIO, TVS Motors. "As the decisions taken are knee-jerk, standardisation and compliance matters are given a back seat. Besides, standard protection on IT security aren't considered."
The Rise of Shadow IT
Security experts say that while IT leaders are aware of the security challenges posed by Shadow IT, not much is being done to address the challenge.
An example of the challenge: Every enterprise has a business continuity plan that accounts for the approved applications, databases and websites listed as mandatory for doing business. But these plans cannot account for data and applications that exist beyond IT's inventory, and which could be vulnerable to attacks.
A Shadow Data 2H 2015 report from Elastica says that 26 percent of documents are at high risk of exposure due to being broadly shared. The findings indicate it is important to recognize that not all documents within a file-sharing application are owned and managed by your organization.
"The threat of shadow data is on the rise across Asia Pacific as employees use cloud apps to share information within their organizations, among partners and with customers," says Sriram Puthucode, vice president of systems engineering, cloud security at Blue Coat Systems. "We found that 66 percent of documents were shared with everyone in the organization; such broad access increases the likelihood of sensitive data being inappropriately shared, which only opens other avenues for potential risk exposure and data exfiltration."
Shadow IT Challenges
With unregulated data getting bigger across organizations, security challenges will only grow, with no one manning the data as it is shadowed.
The biggest challenge Puthucode sees is that the sensitive content that users are uploading, storing and sharing via cloud apps - often without the oversight and knowledge of security personnel - poses a big threat.
Given that so much data is under Shadow IT, Pune-based Harsha Sastry, practice head-IS/BCM at Tech Mahindra, says security practitioners face these specific challenges:
- Discovery and inventory of the Shadow IT landscape on the network;
- Understanding the business need and utilization of data appropriately;>/li>
- Data breach and compliance gaps, along with implementation issues;
- Knowledge to safeguard, control, monitor and implement measures.
Bangalore-based Raghu V R, president of ISACA-Bangalore Chapter, says it is obvious that shadow data resides outside of IT and hence doesn't adhere to organizational security policies and is not even visible to the team, which poses serious risks.
"Among the many challenges that Shadow IT throws up, compliance, data leakage, data protection, sustenance of process and information are the casualties," Dhandapani says.
Puthucode argues that irrespective of where data is stored, 1-in-10 sensitive, business-critical and compliance-related documents that employees currently share via cloud services are at high risk of loss or theft due to overexposure. A breach, then, could result in much higher remediation costs, compliance related fines and lost reputation.
The Shadow report, which analysed nearly 63 million customer documents to understand if they are stored and shared in popular collaboration and cloud file-sharing services such as Box, Dropbox, Google Drive, and Office 365, found sensitive and compliance-related data being shared publicly.
Of all the documents the average user stored in the cloud, the study found 26 percent were broadly shared, and of those, 10 percent contained compliance-related data such as personally identifiable information, payment card information and protected health information, as well as source code for software applications.
The report said that for the second half of 2015, the potential financial impact of a breach for organizations was $1.9 million.
Puthucode says, "Shadow IT is not a bad thing as long as security teams are able to map the risks and gauge the risk potential of the organization and driven by the people, process and technology centric approach."
Sastry says risks need to be mapped using scientific methods or new algorithms to secure IPR, which provides a good monitoring mechanism.
"One way to map risks or spot shadow data is through indexing data structure and visualizing using analytics," Dhandapani says.
How can organizations get a better handle on Shadow IT risks?
The first imperative that Puthucode recommends is that CIOs should know where the data should go and what is missing in the action of mapping backdoor controls and creating a visibility mechanism.
Raghu says the simplest tool is one that brings business and IT to the same platform and enables them to talk to one another."
"A re-look at practices causing dissonance leading to Shadow IT - which could be poor understanding of requirements, budgeting issues, etc. - and data analytics could help."
Puthucode suggests three tips to address the Shadow IT challenge when data resides in the cloud. Deploying a cloud access security broker (CASB) service can help bring the required measures across the spectrum.
- Identify Risky Apps: Ensure your employees are only using secure cloud apps and services appropriate for your organization;
- Staff Training: Educate your employees on the security risks of indiscriminately sharing documents both within the organization and with external stakeholders;
- Visualize your Data: You cannot protect what you cannot see, and that goes for your data as well as the cloud apps themselves.
According to Dhandapani, the fundamental issue of Shadow IT arises when CXOs feel that IT can't deliver on time or quality.
"As a good security practice, aligning and prioritising IT initiatives with organisational strategies and plan will help," Dhandapani says. "CXO-friendly CIOs who speak more about opportunities than restrictions, using IT to protect and enable business, will thrive in a Shadow IT environment."