It happens in every company. Employees find a cool new online service that makes them more productive. They create free or low-cost accounts on devices they use for work, and get all their friends and colleagues to join up. The new cloud service is great. The interface is a joy to use, it comes with mobile apps, and it spreads like wildfire.
The bad news is that these unauthorized cloud apps and services become part of the organization’s shadow IT, bypassing its IT, compliance, and procurement departments. The app may violate industry regulations or expose the company to significant security risks. Because it’s so entrenched, however, it's too hard to get users to stop using it.
How big a risk are shadow cloud services?
According to a cloud usage report Netskope, Inc., released last month, employees at the average enterprise use 1,022 different cloud services, and more than 90 percent are not enterprise-grade, meaning that they don't offer the management, security, and compliance features that companies need. For example, 67 percent of cloud services do not specify that the customer owns the data in their terms of service, and more than 80 percent do not encrypt data at rest.
A survey of 900 knowledge workers released last month by Harmon.ie found that 48 percent of respondents admitted that they used apps not sanctioned by their IT department, including apps for note-taking, project management, and file sharing.
Optiv Security, Inc., provides cloud risk assessment services where they'll monitor a company's web usage for a certain period of time and then report to the companies about the cloud apps being used. "We find literally thousands of applications being used inside an organization," says John Tuner, the company's senior director for cloud security. "That's often quite a shock to the IT folks. And it is often quite a shock when we detail out not just the thousands of apps, but the usage of those apps, the amount of data that's going back and forth, and the type of data going back and forth."
Trying to shut it all down just forces users underground, and the problem only gets worse — or there's so much push-back from the business units that the effort is abandoned. "In most cases, the productivity benefits are often business priorities of the organization," Tuner says. "If they block it, the team that blocks it will get four or five requests a week to unblock new applications. In many cases, they are overridden by someone above the security department."
"There is a proliferation of cloud-based solutions for almost any problem facing any company in almost any industry," says Alvaro Hoyos, CISO at OneLogin, Inc. "If one of your teams has a pain point, there is likely a solution out there for them."