Shadow IT. Everyone’s favorite buzzword – unless, say, you work in IT and have to resist the urge to sprint out of the room every time you hear it. I’m not going to bore you with a horror story about an employee bringing an iPad to work and the inevitable collapse of life as we know it as a result.
What I will talk to you about is the “Shadow IT” that matters. We know public cloud applications are taking off for both businesses and the everyman. We’re going to focus on the intersection between those two worlds.
Vendors will talk your ear off about how they can discover thousands of “Shadow IT” applications your employees are using. What they won’t tell you is that 95% of these apps quite simply don’t matter – they’re not touching core, sanctioned cloud applications, they’re not in scope for audits, and they’re distracting you from dealing with real risk.
If your employee logs in to Evernote at work to update his grocery shopping list at lunch, is it worth spending time and resources to address it? I’d argue not. On the other hand, if your employee is using corporate credentials to connect a third-party cloud app to core, sanctioned cloud apps – like Google Apps or Salesforce – that’s worth knowing, especially if the apps contain sensitive information you’d like to keep under wraps.
Many third-party applications have surprisingly extensive access scopes (including the ability to view, edit, delete, and manage data in your environment). These apps are self-selected by users and unvetted by security pros. In some instances, they’re malicious by design. They’re also becoming prized targets for hackers looking for access to corporate environments.
Shadow IT Meets Cloud Data Protection
Cloud data protection solutions offer a means of addressing Shadow IT. While some vendors focus solely on discovery, others offer granular control over what apps are allowed within the environment, and for whom. In that case, what should a CDP solution do for you? And what should it not?
1) Eliminate noise to manage Shadow IT risk efficiently. Efficient risk elimination comes down to identifying the applications that matter by focusing on ones that touch corporate systems rather than overwhelming security operations pros with a list of every SaaS app accessed on the network. Also, cloud data protection solutions should surface all connected apps regardless of where they’re being accessed.
2) Support informed decision making. Eliminating the noise of irrelevant cloud apps is a great first step, but odds are you’ll still be looking at a decent-sized collection of apps worth evaluating. Determining which apps are “good” or “bad” is a challenge, as this varies widely not only from company to company and industry to industry, but from department to department. Streamline this process with a CDP solution designed to make decision making easier by providing data on what apps other organizations – particularly those in your industry – have deemed trustworthy or not.
3) Help you ditch the black and white mindset. What’s good for the goose is good for the gander, but what about the duck? Or the turtle? Many employees may use third-party apps for productivity gains, and the apps may be ingrained in their typical workflow. Rather than revoking useful third-party apps (and driving employees underground to unmonitored channels), allow need-based usage. CDP solutions that allow granular whitelisting or blacklisting of apps encourage this.
4) Deploy quickly with minimal setup and overhead. Consider an API-based approach that offers scalability and a fast time to value, avoiding dependencies on time-consuming hardware deployments or network reconfigurations (and their performance implications).
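The triage described in points 1 and 3 can be sketched as follows. This is an added example, not code from the original post or any vendor: the grant inventory, app names, policy table and the 0/1/2 ranking of scopes are constructed assumptions; only the Google OAuth scope strings are real.

```python
from dataclasses import dataclass

# Google OAuth scope strings; the 0/1/2 ranking is this example's assumption.
SCOPE_LEVEL = {
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "https://www.googleapis.com/auth/calendar.readonly": 1,
    "https://www.googleapis.com/auth/drive.readonly": 1,
    "https://www.googleapis.com/auth/drive": 2,
    "https://mail.google.com/": 2,
}
LEVEL_NAME = {0: "identity-only", 1: "read", 2: "read-write-delete"}
# Hypothetical policy: app -> departments allowed to connect it ("*" = all).
POLICY = {"DiagramTool": {"engineering"}, "CalSync": {"*"}, "MailMergePro": set()}

@dataclass(frozen=True)
class Grant:
    user: str
    department: str
    app: str
    scopes: tuple

def grant_level(grant):
    # Unrecognised scopes count as the highest level so they are never hidden.
    return max((SCOPE_LEVEL.get(s, 2) for s in grant.scopes), default=0)

def triage(grants):
    """Return (user, app, access, decision) rows, broadest access first."""
    rows = []
    for g in grants:
        level = grant_level(g)
        if level == 0:
            continue  # sign-in only, no access to corporate data: noise
        allowed = POLICY.get(g.app)
        if allowed is None:
            decision = "review"   # unvetted app: needs a human decision
        elif "*" in allowed or g.department in allowed:
            decision = "allow"    # need-based use approved for this group
        else:
            decision = "revoke"   # listed app, but not for this department
        rows.append((-level, g.user, g.app, LEVEL_NAME[level], decision))
    return [row[1:] for row in sorted(rows)]

# Constructed sample inventory of third-party app grants.
GRANTS = [
    Grant("alice", "engineering", "DiagramTool", ("https://www.googleapis.com/auth/drive",)),
    Grant("bob", "sales", "DiagramTool", ("https://www.googleapis.com/auth/drive",)),
    Grant("carol", "sales", "NewsReader", ("https://www.googleapis.com/auth/userinfo.email",)),
    Grant("dave", "finance", "CalSync", ("https://www.googleapis.com/auth/calendar.readonly",)),
    Grant("erin", "finance", "PdfConverter", ("https://www.googleapis.com/auth/drive.readonly", "https://example.invalid/custom.scope")),
]
```

Calling `triage(GRANTS)` drops carol's sign-in-only grant, allows the same app for alice while revoking it for bob, and sends erin's unvetted app with an unrecognised scope to review.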