Shadow IT is nothing new. Employees have long adopted software applications or cloud services without the knowledge or approval of their organization’s IT department, most often in search of easier ways to get their jobs done. People typically utilize unsanctioned apps not because they’re seeking to increase security risks, but because they’re simply hoping to innovate and enhance their productivity.
Today, however, as organizations across industries are learning to accommodate remote work at scale (and many are doing so for the first time), questions about shadow IT, including how to discover it, manage it, secure it, and when to permit or forbid its use, are pertinent again. And security teams who have already developed strategies for handling the presence of unsupported tools and technologies in the corporate environment will likely find they need to revisit the exercise since workflows have changed so dramatically.
Even before the rapid expansion of the remote workforce, shadow IT represented a significant security vulnerability for many organizations. According to industry analyst firm Gartner, as many as one-third of successful attacks on enterprises target data that are housed in unsanctioned IT resources. As employees grow increasingly accustomed to cloud-based consumer applications—and because spinning up new software at work requires nothing more than a single click of a button—it’s become increasingly challenging for IT and security teams to maintain visibility and control in current hybrid and multi-cloud computing environments.
Beyond that, risks posed by shadow IT are being compounded, especially as remote work drives unprecedented usage of many software-as-a-service (SaaS) apps. These apps can have the benefit of working directly with cloud servers without the need for a virtual private network (VPN) connectivity back to the corporate environment.
This is important as there is increased stress on technologies like VPNs due to the higher percentage (maybe even 100%?) of employees working remotely. It’s worthwhile to take time to ensure you’re still enforcing consistent, unified, risk-based policies that can protect data and allow you to keep tabs on what employees are actually doing—no matter where they’re working or which devices they’re using.
Outside the VPN tunnel: balancing performance and visibility
Organizations that previously set up VPNs may have done so according to the assumption that only a certain percentage of their employees would be working from home at any given time. Now, IT teams and end-users are confronting VPN capacity and bandwidth limitations. One solution is to scale capacity. Another is to increase access to cloud applications to the extent it’s possible. And a third option is to employ split tunneling, in which only the traffic that’s requesting access to local on-premises resources is routed through the VPN, while all other traffic is sent directly to the cloud.
If your organization is employing a split-tunnel solution, you’ll want to ask how much visibility you have into employees’ direct-to-cloud traffic. A solution like the Forcepoint Cloud Access Security Broker (CASB) offers visibility and control over cloud application usage that allows your security team to see which cloud applications are being used most often, which are consuming the most bandwidth, and which pose the greatest risks. This enables you to prioritize those that need your attention first.
In addition to Forcepoint CASB, we include shadow IT reporting capabilities in most of our products (DLP, Web Security, NGFW) because we believe their use provides awareness and enhances the effectiveness of every security solution.
To boldly go where no device has gone before
Many organizations weren’t expecting the transition to remote work and have found themselves needing to improvise. As a result, numerous employees are working from home on devices that had never left the corporate environment before this time—even laptops that were always stored in the office when they weren’t in use. Others are being challenged to adapt their personal devices for professional purposes for which they were never configured or intended.
For security teams seeking visibility into cloud applications across employee-owned devices (BYOD), a full Cloud Access Security Broker (CASB) solution is needed. This allows for real-time auditing and control of your cloud app usage on both managed and unmanaged devices. A CASB solution will also enable you to monitor for and restrict usage of non-corporate instances of cloud applications, as well as to apply individual security policies on a per-device basis.
Just like water flows downhill, employees tend to gravitate toward technologies that allow them to work in the most frictionless ways. If there’s widespread interest in using a particular tool, it may make the most sense to sanction—and then monitor—its usage. Or, you can offer employees an alternative app with better built-in security controls if they’re drawn to one that’s particularly risky.
Want to learn more about how unified cloud security controls can give your organization an edge when it comes to risk management? We partnered with ESG (Enterprise Strategy Group) to do an on-demand webinar that’ll help you understand the latest trends in cloud data protection.