Is Shadow IT the Real Problem? It’s Really About Connected Apps! It is inescapable: the hot topic in cloud security dialogue is Shadow IT. CISOs are increasingly concerned with what public cloud applications…

Is Shadow IT the Real Problem? It’s Really About Connected Apps!

Bernd Leger

As Chief Marketing Officer, Bernd drives CloudLock’s go-to-market strategy, including inbound marketing, product marketing, content marketing, public and analyst relations, marketing communications and sales enablement.


It is inescapable: the hot topic in cloud security dialogue is Shadow IT. CISOs are increasingly concerned with what public cloud applications their employees are leveraging. With the consumerization of IT, employees are self-selecting and enabling third-party apps independently of the traditional provisioning model, blurring the lines between sanctioned and unsanctioned IT.

Many of the third-party apps leveraged by employees have many benefits, including increasing efficiency and productivity. The challenge for security teams is not only knowing about all of these apps, but, more importantly, which ones actually connect to the corporate environments.


At CloudLock, we’ve discovered over 9,000 connected apps that are being leveraged by employees but may pose a risk to organizations without the security teams being aware of them.

A quick example: an employee might install a project management tool by providing their corporate Google credentials through OAuth, authorizing the app to gain access to additional corporate data. This can happen in a matter of seconds – without any IT awareness or controls. If that third-party app gets hacked, this is an easy access route for hackers to gain access to corporate information.

So what should organizations do?

1) Discover: Understand which third-party apps connect to your corporate environment.

This is very different than Shadow IT Discovery, which is only helpful to the degree that it shows which SaaS apps are being used by your organization regardless of whether they impact corporate data or not.

We recommend a deeper Connected App Discovery, which identifies potential cloud data risks. This discovery easily reveals which public cloud apps are used by your employees by leveraging authorization mechanisms of your corporate systems.

2) Classify and Control: Determine which applications you would like your employees to leverage … and which you do not want in your domain.

This is a fairly straight forward process. CloudLock’s Apps Firewall solution gives you the ability to easily group apps you either trust, don’t trust ( i.e. ban), or which ones you want to restrict access to for some of your users or organizational units.

3) Benchmark: See which applications other organizations trust and ban.

CloudLock’s Apps Firewall solution allows you to easily benchmark your organization versus your peers. We give each application a Community Trust Rating based on how our customers are classifying these apps. Quickly see which apps other organizations trust, block, or restrict in some capacity and leverage that insight to determine your own next steps.

CloudLock Apps Firewall is a simple easy-to-use security solution that provides instant time to value for a problem that often goes underestimated or not even recognized at all. Having visibility and control over apps connected to your domain is critical.

CloudLock Apps Firewall Just Got Better

With our latest update, we’ve significantly enhanced CloudLock Apps Firewall to make it even easier for organizations to easily control access of connected apps in their domains. The release offers enhanced automation, more granular controls, and increased security. There are three new features we’re particularly excited about:

  • App Whitelisting (in addition to blacklisting)
  • Auto Classification
  • Enhanced App Revoke Controls

1) App Whitelisting

CloudLock Apps Firewall has always provided the ability to Blacklist specific users and organizational units (OUs) from specific apps. With Apps Firewall’s new classification type (“Restricted: Allow”),AppFW-AppClassification-001_borderlight CloudLock administrators are now able to also Whitelist specific users, OUs, and/or domains for each app individually. Whitelisting is a valuable feature for administrators who want to provision app usage based on appropriate needs and exercise risk- appropriate controls.

For example, let’s say your marketing team needs a particular third party app for a project. The ability to Whitelist the marketing OU explicitly without granting domain-wide access to the app allows organizations to exercise a more exacting approach to third party app security within Google, thereby minimizing risk without denying the benefits of the cloud.

2) Auto Classification

The new Auto Classification feature automatically classifiesAppFW-AutoClassification002_border any new app as soon as it is detected in the environment. CloudLock admins now have the ability to control the classification of new apps proactively, rather than waiting for an app to be installed in order to classify the application.

For organizations seeking powerful security controls, this feature can be leveraged to classify any new app introduced into the environment as banned, thereby denying it access to accounts within the domain. Now, administrators can classify apps on their timeframe, but remain confident they haven’t left any vulnerabilities within their domain in the meanwhile.

The same degree of control seen in manual classification can be automatically applied to new apps, including completely blacklisting the app for all users within the domain (“Banned”), whitelisting the app for all users (“Trusted”), or enabling the app for a specific set of users, OUs, and/or domains through the restricted classification (“Restricted: Allow” or “Restricted: Deny”).

This functionality ties in with our new Auto Revoke feature, as users denied new apps will have the app automatically revoked.

3) App Revoke

Increased functionality around app revocation now allows CloudLock admins to apply the same level of granularity to the revoke process as the provisioning process. It is now possible to whitelist, as well as blacklist, specific third-party apps based on specific users, OUs, and/or domains.

What third-party apps are users running in your domain? Contact us for a free security assessment to find out how secure your environment really is and gain control of third-party apps in your environment. We will review and audit your organization’s Google Apps, Salesforce and other SaaS application domains, as well as of the usage and consumption of third party applications connected to them to:

  • Provide metrics, considerations, and recommendations that lead to the analysis
  • Recommend actionable next steps for instituting Acceptable Use Policies (AUPs)
  • Compare your Security Score to other customers

Get started today.


Browser Not Supported

Your browser version is outdated.

We would recommend you upgrade to a recent version to ensure that you have a good experience on the CloudLock site. Outdated browsers also increase your security risk. So please update your browser and come back later!

Click on the icon below to download the latest version of your browser