Shadow IT: How To Detect And Mitigate Cloud Security Risks

Here’s how to identify shadow IT, find the root cause and provide a secure alternative to users to prevent data loss and security breaches.

There is no shortage of stories in the business press today about the dark and dangerous world of shadow IT where bad guys are stealing corporate data from employees’ personal cloud applications or by hacking into someone’s cell phone or email account. And while this is indeed a real problem, shadow IT can also be much more mundane, albeit just as serious.

For a simple explanation of how shadow IT works, one need look no further than Walt Disney’s 1940 animated film Fantasia. In the famous symphonic number where Mickey Mouse plays The Sorcerer’s Apprentice, Mickey keeps destroying dancing brooms, which simply multiply. In the information security world, one need only replace the brooms with data. When the data multiplies, it simply expands to other locations on the network, be those locations authorized for the data or not.

The recent debate over the use of a personal email account by former Secretary of State Hillary Clinton and thousands of other federal employees for official government correspondence demonstrates how easily shadow IT spreads when an organization has no written policies and procedures on how personal devices may be used. But Sec. Clinton is not alone in using Gmail, Outlook and other cloud-based email systems for work, and stories about these popular email offerings being hacked have been around for years.

What Is Shadow IT
Consider the ubiquitous iPad. If an employee who owns an iPad opens a file on the device, it is very likely that the iPad will make a copy of that file and send it to their iCloud account, unless the file is copy-protected or the device is not configured to automatically back up documents, photos and the like.

But the iPad is not the only device that can be configured for automatic backups. Smartphones running iOS or Android generally have automatic backup software installed. Some handset vendors and vendors of antivirus apps also add backup apps as a convenience for users. While this might make backups easy, it also makes it possible for corporate data that is viewed on the phone to be moved from secure networks to insecure clouds.

If users have configured their personal devices well from a personal security standpoint, chances are their data is being backed up regularly, albeit not necessarily to a secure server that meets the corporate requirements for protected and personally identifiable data. In doing the right thing of backing up their devices, they might well be storing unauthorized data where it doesn’t belong.

Part of the challenge of defending against shadow IT is determining just what it is. In many companies, shadow IT is considered a hardware issue. In addition to enforcing bring your own device (BYOD) policies, the IT department is on the lookout for rogue wireless devices, including unauthorized WiFi repeaters that might boost a signal enough to carry beyond the company’s physical boundaries, as well as authorized employee hardware that has been modified for wireless communication. A desktop system connected to the corporate network over a wired Ethernet connection can easily become a wireless node with the addition of a simple USB wireless adapter or a wireless WAN (3G, 4G or LTE) card that connects to a cellular network. As a result, what had been a locked-down system can now communicate off-site to another LAN or over the air.

Defending Against Shadow IT
There are some simple approaches to preventing shadow IT infrastructures from blooming where mobile devices are used. The most effective approach is simply to disallow personal devices altogether, although this is not always feasible. But if the mobile devices authorized to access the network are either company-owned smartphones and tablets or personally owned devices preconfigured with mobile device management (MDM) software to create secure links, the company can exert greater control over the data without running into the potential problem of violating the employee’s rights to their personal data.

One benefit of giving users company-owned devices, which forbid the use of private data and the users’ personal clouds, is that it permits the company to conduct a remote wipe of the device if it is lost or stolen without running the risk of deleting the employee’s personal data. This could however become an issue if the employee is using their own device for both personal and business purposes.

Companies should also have an acceptable use policy that describes in detail what the company is allowed to do if an employee who uses a personal device leaves the company. This policy should include language that not only allows the company to examine the device before the employee leaves the company, but it also should have language that requires the employee to check any other computing or storage device they own, or any cloud service they use personally, to ensure that all corporate data is wiped from those systems.

In the case of Sec. Clinton, the federal government did not have written policies about the use of personal devices or personal clouds at the time. New policies, along with federally owned mobile devices, are now required for many, but not all, federal employees.

From an IT perspective, whitelisting company-supplied mobile devices that are allowed to access the network will reduce the number of unknown devices considerably. While the task could require a massive effort for large enterprises, SMBs or companies moving to a company-supplied-only approach to mobile devices could benefit.

Network monitoring is essential in determining whether any unapproved devices have bypassed the security defenses in place. The challenge with monitoring log files from edge and intranetwork firewalls, perimeter security appliances, Security Information and Event Management (SIEM) systems and other devices is that someone has to be responsible for analyzing the log files or the output of log analyzers, and has to take the time to find the anomalies that show corporate data has been exfiltrated to unauthorized cloud services or servers.

Not all cloud services that are outside IT’s control are dangerous. The IT department should identify and prioritize cloud services that meet the company’s security profile, such as encrypting data at rest or meeting compliance requirements. Cloud service providers can be taken out of the proverbial shadows if the IT or security team first vets the service and puts in place rules for what data is allowed to flow to it.
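The device whitelisting, log review and vetted-service ideas above come together in one small detection routine. The following is an added example, not code from the article or from any vendor it mentions: it parses constructed firewall/proxy log lines, flags connections from devices whose MAC address is not on an approved-device list, and flags outbound transfers above a size threshold to cloud destinations that the security team has not sanctioned. The log format, the allowlists, the hostnames and the 5 MB threshold are all hypothetical values chosen for the example.

```python
"""Flag shadow-IT indicators in proxy/firewall logs (added example, constructed data)."""
import re
from collections import defaultdict

# Hypothetical allowlists maintained by IT (constructed for this example).
APPROVED_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
SANCTIONED_CLOUD = {"vetted-storage.example.com", "mail.example.com"}
UPLOAD_THRESHOLD_BYTES = 5_000_000  # total outbound bytes per (source, destination)

# Assumed log line layout: timestamp, source IP, source MAC, destination host, byte counts.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) mac=(?P<mac>\S+) dst=(?P<dst>\S+) "
    r"out_bytes=(?P<out>\d+) in_bytes=(?P<inb>\d+)$"
)

# Constructed sample log: one unknown device and one large upload to an unvetted service.
SAMPLE_LOG = """\
2015-03-10T09:01:02Z src=10.0.5.21 mac=aa:bb:cc:00:00:01 dst=vetted-storage.example.com out_bytes=8200000 in_bytes=1200
2015-03-10T09:03:10Z src=10.0.5.44 mac=aa:bb:cc:00:00:02 dst=consumer-sync.example.net out_bytes=12000000 in_bytes=900
2015-03-10T09:04:55Z src=10.0.5.90 mac=de:ad:be:ef:00:01 dst=mail.example.com out_bytes=2048 in_bytes=51200
2015-03-10T09:07:30Z src=10.0.5.44 mac=aa:bb:cc:00:00:02 dst=consumer-sync.example.net out_bytes=3000000 in_bytes=500
2015-03-10T09:09:00Z src=10.0.5.21 mac=aa:bb:cc:00:00:01 dst=news.example.org out_bytes=4096 in_bytes=300000
"""


def parse_log(text):
    """Return a list of dicts, one per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["out"] = int(rec["out"])
        rec["inb"] = int(rec["inb"])
        records.append(rec)
    return records


def find_shadow_it(records, approved_devices=APPROVED_DEVICES,
                   sanctioned=SANCTIONED_CLOUD, threshold=UPLOAD_THRESHOLD_BYTES):
    """Return findings: unknown devices first, then large uploads to unsanctioned hosts."""
    findings = []
    unknown_devices = set()
    outbound = defaultdict(int)  # (src IP, dst host) -> total bytes sent out

    for rec in records:
        if rec["mac"] not in approved_devices:
            unknown_devices.add((rec["mac"], rec["src"]))
        outbound[(rec["src"], rec["dst"])] += rec["out"]

    for mac, src in sorted(unknown_devices):
        findings.append({"type": "unknown_device", "mac": mac, "src": src})

    # Uploads to vetted services are not flagged regardless of size; the point is
    # to surface data leaving for destinations IT has never reviewed.
    for (src, dst), total in sorted(outbound.items()):
        if dst not in sanctioned and total >= threshold:
            findings.append({"type": "unsanctioned_upload", "src": src,
                             "dst": dst, "out_bytes": total})
    return findings


if __name__ == "__main__":
    for finding in find_shadow_it(parse_log(SAMPLE_LOG)):
        print(finding)
```

Aggregating bytes per source and destination rather than per connection matters: the second host in the sample sends 12 MB and then 3 MB to the same unvetted service, and a per-connection check with a higher threshold would miss the pattern. In practice the allowlists would be loaded from the MDM and the vetted-service inventory rather than hard-coded.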

Just as devices can be whitelisted, so can applications. While it might be inconvenient for a user to not have access to an application on their personal device, it could reduce the possibility of data being put at risk if only approved mobile devices can access company-confidential data.

Cloud Services As Shadow IT
In the Cloud Security Alliance’s (CSA) 2014 Cloud Adoption Practices and Priorities Survey, the group defines Shadow IT as “technology spending and implementation that occurs outside the IT department, including cloud apps adopted by individual employees, teams, and business units.” The survey’s respondents cited these four areas as their chief concerns:

  • Security of corporate data in the cloud (49 percent)
  • Potential compliance violations (25 percent)
  • The ability to enforce policies (19 percent)
  • Redundant services creating inefficiency (8 percent)

Shadow IT, according to the CSA, is not simply devices connected to the corporate network that are unauthorized by IT. While personal smartphones, tablets and other handheld devices certainly are part of the equation, so are the ubiquitous cloud-based applications that employees and corporate guests use every day. As a result, many of these services are being blocked by companies as part of their efforts to eliminate shadow IT and its inherent vulnerabilities.

Among the most popular cloud services being used by more than half of the companies surveyed are Dropbox, Facebook and Apple iCloud. Many of the applications companies block are more consumer-oriented, with the possible exception of Skype, which is popular in business environments but is blocked by 40 percent of companies in the CSA survey.

“As companies develop more mature processes for managing cloud usage, they naturally adopt some of the IT governance practices employed for on-premises applications and data,” the CSA report states. “We found that 50 percent of companies have a policy on acceptable cloud usage today.”

Corporate Policies And Shadow IT
While the issues surrounding acceptable use policies are commonplace in corporate environments that have BYOD policies in place, they are by no means limited to personal devices.

Vic Winkler, CTO of cloud security vendor Covata and author of Securing the Cloud: Cloud Computer Security Techniques and Tactics (Elsevier, May 2011), says the aforementioned Sorcerer’s Apprentice problem is magnified when users print cloud-based files as well. Printers essentially make an image of the file being printed, even if it is a word processing file or a spreadsheet.

If the printer has an embedded hard disk as many enterprise-class printers do, that image is now stored on the printer. Depending on the security precautions a company configures for that printer or the subnet on which the printer resides, it is possible that the image stored on the printer can have a lower security profile than the server on which the original document resides.

When a file is emailed to another person either as an attachment or embedded text, he continues, a copy of the email will reside in the email server. Unless the files are encrypted, he notes, they can be viewed by others — both insiders and potentially attackers on the network — who should not have access to that data.

“Every copy increases the potential for content to be exposed to other parties,” Winkler says.

He recommends that data at rest, whether it resides locally or in the cloud, should be encrypted if it is sensitive. Not all data rises to the level of requiring encryption, he notes, but those files that do should be encrypted as soon as they are created so if the data is moved outside the company’s secure networks, it will remain unreadable.

Perhaps the only completely effective answer to the spread of unauthorized data to the shadow IT infrastructure is the one that solved the Sorcerer’s Apprentice problem in Fantasia: Magic.