Mitigating Risks of Shadow IT with CASBs

According to the RightScale “2018 State of the Cloud Report,” 81 percent of companies are now using the cloud, an indication that it has more than delivered on its promises of efficiency, convenience and cost optimization. Despite mass adoption, there are recognizable security gaps resulting from both misconfiguration issues and shadow IT.

Shadow IT leaves organizations vulnerable for two reasons, the first of which is limited visibility. Security and IT teams need to know the tools and solutions in use to take proper risk mitigation actions. Yet, companies often lack a full line of sight into all the cloud applications their employees are using. As a result, they have only baked in the proper security layers such as data loss prevention software or data encryption for the cloud apps that they actually know about.

Because they have no way of knowing where that data travels to, where it is stored or how it is protected, they are faced with the second threat of data exfiltration. When employees endeavor into unapproved applications with no security controls—even with something as seemingly innocuous as a document management app—both security and compliance can be compromised.

Insufficient levels of automation and a dearth of in-house experts who can identify misconfiguration issues in real time often results in a lack role-based access control policies associated with their cloud infrastructures and solutions, according to Christine Meyers, Alert Logic’s director of product marketing.

“Companies cannot overlook the fundamentals with access control policies. Oftentimes it comes down to human error; for instance, an individual gained access to a cloud environment and data from which they should have been restricted. That individual may not possess great security hygiene, using weak passwords and limited authentication, creating a potential opening for hackers to come in and take advantage,” said Meyers.

How Can CASBs Help?

There are certainly ways to mitigate the risks of shadow IT, which involve a combination of technologies and practices including putting sound policies in place. Cloud access security brokers (CASBs) can help because they allow for the centralized control and enforcement of security policies and provide CISOs with control, visibility and consistent security policies that are applied wherever the data is available, Meyers said.

Some CASBs consolidate cloud security policy enforcement and solve SaaS security problems, offering a fully managed CASB paired with 24/7 monitoring and response. Depending on the established access rules, a CASB can identify an abnormal IP address and stop an attack, as was the case when a CASB provider helped an executive team reset compromised accounts and implement a step-up multifactor authentication (MFA) for unusual log-in attempts, in addition to auditing the password policy throughout the organization, said Jay Barbour, director of security product management at Masergy.

In another use case, a healthcare provider employee was attempting to share personal files with a third party. “After identifying thousands of records with exact data matching as well as other unstructured data sharing, the CASB was able to halt the transfer and audit-related file-sharing activities,” said Barbour. “The security operations center (SOC) implemented unstructured data DLP rules and enforced data containerization for the third party (an agentless browser).”

Barbour offered additional use cases that included a disgruntled sales employee who started offloading sensitive product documentation, but the file offloading activity was above predetermined baselines, which triggered an alert. “Through watermarking and beaconing, the CASB SOC determined the files were being viewed by a competitor. The customer was able to immediately suspend the employee account, and lock all activity for a pending investigation,” Barbour said.

CASBs are built to extend control and visibility to any application. The first step with respect to shadow IT is identifying the apps in use within the organization and which of those apps pose the greatest risk. “From there, a CASB enables one-click sanctioning, wherein a secure sanctioned instance of the app is created so employees can log in with their corporate credentials,” said Mike Schuricht, VP of product management at Bitglass.

With a CASB sitting between endpoints and all cloud apps in use, organizations can leverage critical capabilities such as access controls, session management, cloud encryption and malware protection, all to protect corporate data as it moves to these managed and shadow IT apps.

Alternative Risk Mitigation Solutions

Not all cloud security solutions are made equal. There are a number of best practices that all organizations should have in place regardless of whether they have deployed a CASB solution. “Identity management, for example, is table stakes in any modern workplace. If an unauthorized user is able to access your cloud applications, great damage can be done. To thwart attempts at unauthorized access, organizations can limit access to the most sensitive data, require multi-factor authentication and leverage technology to stop anomalous logins,” said Schuricht.

Traditional security solutions are largely inadequate for today’s cloud and mobile-first world. Shadow IT applications are always emerging, which means security needs to be evolving constantly to protect against new threats. Ideal deployment methods can differ between and among organizations, so companies must take care in evaluating solutions against their needs to ensure that they are not only secure but also in line with compliance standards.

Kacy Zurkus

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus