The term “shadow IT” is used in information security circles to describe the “invisible network” that user applications create within your network infrastructure. Some of these applications are helpful and breed efficiency, while others are an unwanted workplace distraction. Either way, all of them bypass your local IT security, governance and compliance mechanisms.
The development of application policies and monitoring technology has lagged far behind the adoption of cloud-based business services, as researchers note in SkyHigh’s Cloud Adoption and Risk Report. It states, “The primary platform for software applications today is not a hard drive; it’s a web browser. Software delivered over the Internet, referred to as the cloud, is not just changing how people listen to music, rent movies, and share photos. It’s also transforming how business is conducted.” Recent studies show that businesses that follow this trend of migrating operations to the cloud actually increased productivity by nearly 20 percent above those who did not.
Shifting to a new security model before we determine the rules
Traditional security thinking and products have focused solely on keeping the network and those within it safe from outside threats, and on auditing information from users, devices and alerts. The application revolution is now pushing security teams beyond the traditional network boundaries and into the cloud before acceptable-use policies and new auditing and compliance parameters have been established. It is much more efficient to lay the auditing and policy groundwork first, and then let security operations adapt to this new element of application awareness.
Why does application awareness change security operations so drastically? Because it:
- Emphasizes outgoing (as opposed to incoming) communication
- Requires relating users and devices to the applications they use (a correlation older tools cannot perform)
- Shifts the focus away from signature detection and into analytics and policy
- Requires creating network and device use policy and implementing a means to track and measure it
- Requires pulling logs from cloud services
Beyond the security implications, there are important governance challenges when developing new application policies. While the discussion of implementing application awareness is mostly technical, the way employees use applications can also be deeply personal. Deciding to allow or block Facebook, Twitter, Dropbox, BitTorrent, Tor and personal Gmail accounts touches a human factor that goes beyond merely stopping viruses and preventing breaches. Yet allowing such applications (especially Tor) can increase the level of risk exponentially, even beyond the threats posed by many viruses.
Changing direction to a different point of view – the insider threat
Security follows business, and business is rapidly putting its information in the cloud. Most newer security products have evolved to focus both on what is entering the network and what is leaving the network. However, the shadow IT system often circumvents corporate monitoring and security measures, and allows corporate data to flow outside the organization into the public cloud without proper oversight or control.
The threadbare notion that threats can only enter our systems from the outside is being replaced by an ever-growing (and different) point of view, complemented by products and devices that also monitor outgoing communications. Until recently, this capability has been limited to data loss prevention, policy filtering and compromised-system detection.
Cloud Access Security Brokers (CASBs) are one type of outgoing protection for the network, and they do provide more visibility into network flows. They also add the burden of analysts having to sort through vast quantities of data. One Gartner analyst commented that the competitive forces currently amongst the CASB market providers “is a consequence of newness that limits the consistency and richness of the service they can provide.” He continued, “Data without action is kind of useless. Data has to be automatable so your team can solve the problem and move on to bigger projects.”
At this point, the perspective must pivot to gain visibility into both the external threat and the internal, or insider, threat. The focus here is on your employees and their careless, and possibly malicious, behavior on network-connected devices. While some workers feel entitled to check social media or personal email applications at work, it is crucial that an organization develop smart and enforceable “acceptable-use” policies, along with regular, relevant training for all workers. This area of governance has lagged far behind the technological solutions; however, it is no less important a piece of the visibility puzzle.
What about solid, consistent governance?
Governance is all about identifying risk and deciding what is acceptable. What is the risk of non-approved applications in a current enterprise environment? SkyHigh wrote a solid white paper on what they see as the risk in their Q4 2016 Cloud Adoption Risk Report (PDF). It should be noted that this report has a bias in how it portrays the threat, but it does, at a minimum, provide a high-level explanation of the risk.
The above report prominently noted that email/phishing is the number one vector of attack, while web-based malware downloads are rarer by comparison. Buried deep in the SkyHigh study was the reason we need to effectively capture application usage: while greater than 60 percent of organizations surveyed had a cloud use policy, almost all of that group lacked the enforcement capability needed to apply it. Roughly two-thirds of the services that employees attempt to access are allowed based on policy settings, but most enterprises are still struggling to enforce blocking policies for the remaining one-third that were deemed inappropriate for corporate use due to their high risk.
The ideal standard of control through enforcement is complicated, even with a CASB in place, by security “silos” and a struggle to consistently enforce policies across multiple cloud-based systems. Major violations still occur despite policies, such as authorized users misusing cloud-based data, accessing data they shouldn’t, syncing data with uncontrolled PCs, and leaving data in “open shares,” in addition to authorized users retaining access despite termination or expiration. In short, even before deploying a CASB, you can build knowledge of application use passively with other tools.
Implementing a means to passively detect applications and tie that activity to the user and device is an essential aspect of governance and risk management. Shadow IT is the term most closely associated with the risk that application awareness addresses, and detecting it is a far lighter task than the much more arduous one of drafting and implementing policies that could be controversial with fellow staff members.
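As an added illustration of the passive approach described above (not code from the original article, and not Fluency's product), the following Python sketch parses constructed outbound proxy records, maps each destination to an application catalog (also constructed, with illustrative allow/block decisions standing in for an acceptable-use policy), relates the result to user and device, and collects both policy hits and unclassified destinations for analyst review. The log format, hostnames and catalog entries are all assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of outbound proxy records: time user device destination bytes_out
SAMPLE_LOG = """\
2017-03-01T09:02:11 alice LT-0142 www.facebook.com 1204
2017-03-01T09:03:40 alice LT-0142 sharepoint.example-corp.com 88712
2017-03-01T09:05:02 bob LT-0077 dl-web.dropbox.com 4192334
2017-03-01T09:05:59 bob LT-0077 mail.google.com 2210
2017-03-01T09:07:13 carol WS-0301 tracker.unknown-host.net 5301
2017-03-01T09:08:44 bob LT-0077 dl-web.dropbox.com 9823000
"""

# Constructed application catalog: domain suffix -> (application, policy decision).
# The allow/block decisions are illustrative placeholders for an acceptable-use policy.
APP_CATALOG = {
    "example-corp.com": ("SharePoint (sanctioned)", "allow"),
    "facebook.com": ("Facebook", "allow"),
    "mail.google.com": ("Gmail (personal)", "block"),
    "dropbox.com": ("Dropbox", "block"),
}

def classify(host):
    """Map a destination to a catalogued app; anything unknown is a shadow-IT candidate."""
    for suffix, (app, policy) in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app, policy
    return "unclassified:" + host, "review"

def build_inventory(log_text):
    """Relate each user/device pair to the apps it talks to, and collect policy hits."""
    inventory = defaultdict(lambda: defaultdict(int))  # (user, device) -> app -> bytes out
    findings = []                                      # (user, device, app, policy, bytes)
    for line in log_text.splitlines():
        _ts, user, device, host, bytes_out = line.split()
        app, policy = classify(host)
        inventory[(user, device)][app] += int(bytes_out)
        if policy != "allow":
            findings.append((user, device, app, policy, int(bytes_out)))
    return {k: dict(v) for k, v in inventory.items()}, findings

def blocked_volume(findings):
    """Bytes sent to policy-blocked apps per (user, device): the analytics view."""
    totals = defaultdict(int)
    for user, device, _app, policy, bytes_out in findings:
        if policy == "block":
            totals[(user, device)] += bytes_out
    return dict(totals)
```

The unclassified bucket is the interesting output for shadow IT: it is the list of destinations no policy has yet considered, which is exactly the knowledge the article says must exist before enforcement can be consistent.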
About the Author: Chris Jordan is CEO of College Park, Maryland-based Fluency, a pioneer in Security Automation and Orchestration.
Source: infosec island