Would you allow someone else to delete the apps on your phone? Like many, I have an emotional connection with my device and what’s on it, so woe betide anyone touching my apps. However, I use my device for both work and personal activities, so how can my company balance the risks involved?
As industry experts, we know the risks of using unauthorised, aka ‘shadow IT’, cloud apps, and yet we often find ourselves breaking the rules. So what’s the motivation behind our illicit actions? Author Simon Sinek has proposed that our biology is behind our emotional connections to technology. He describes how the limbic system of our brains, which operates in our subconscious, responds at a ‘gut instinct’ level to the gratification we receive from compelling apps.
This emotional connection to apps which ‘feel right’ can overpower our heads which know that our employers have not sanctioned these apps. Hence we break the rules!
Security teams don’t naturally embrace users installing their own software. Malware is the ultimate example of an unauthorised app, and security teams cannot tell whether the apps users install represent a risk to the company or not.
In a non-cloud world, teams managed IT risk by controlling the endpoint, the network and the servers. However, in today’s cloud-based world, security professionals need to develop new methods and tools to manage these risks. The problem is that consumer-grade apps use the internet to communicate, putting data into any number of cloud servers located in unknown countries, and the traffic is all encrypted over super secure SSL links.
So how does a business balance the risk of shadow IT with the needs of the users to innovate and use their own tools to do so?
Not all cloud apps are risky, so teams can reduce the workload by deciding which app categories cause the highest risks and need to be managed. For example, most businesses would allow a mapping app to be downloaded. It may track a user’s location, but meaningful data cannot be uploaded, so it could be allowed. However, a file transfer app would represent a much higher level of risk and would be a concern.
A challenge occurs if an app has high business value. For example, there is a lot of WhatsApp use in the NHS by clinicians who want to transfer patients’ images between teams. The images may not be risky, but any patient-identifiable information may be. This is an app that is too risky to use and too important not to use, so how do you square that circle?
The solution is simple with a CASB (cloud access security broker) product, but in order to make it effective it does require communication between the Infosec teams and the business. One idea is to work cross-functionally on formal processes, in a ‘Cloud Enablement Board’.
Here are four steps Infosec (information security) teams could take to work with the business, saying ‘YES’ to unauthorised application use:
- Infosec can use the Shadow IT reporting offered by CASB vendors. This will highlight the most common high risk applications in use – and who is using them.
- For high risk cloud apps, Infosec teams can survey users to ascertain the business purpose of the app.
- If the business reason for using a cloud app is sufficient, e.g. collaborating on a bid with a third party or using an instant messaging system to communicate with a partner, then a CASB can be integrated with a secure web gateway, or an app can be deployed onto a managed desktop, to decrypt and intercept the application traffic and inspect it for data that is too sensitive or for user behaviour that is inappropriate.
- This process can be repeated on a regular basis as new cloud applications are identified.
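To make the first two steps concrete, here is an added example (not part of the original article and not any CASB vendor's code) that builds a small shadow IT report from web gateway logs: it ranks high-risk apps by upload volume, lists the users to survey, and flags destinations nobody has categorised yet. The log format, app names, domains and category risk ratings are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed category risk ratings (hypothetical; agree these with the business).
CATEGORY_RISK = {"mapping": "low", "file_transfer": "high", "messaging": "high"}

# Hypothetical app catalogue: destination domain -> (app name, category).
APP_CATALOGUE = {
    "maps.example": ("ExampleMaps", "mapping"),
    "sendfiles.example": ("ExampleSend", "file_transfer"),
    "chat.example": ("ExampleChat", "messaging"),
}

# Constructed gateway log lines: user, destination domain, bytes uploaded.
SAMPLE_LOG = """\
alice maps.example 1200
bob sendfiles.example 52000000
carol sendfiles.example 310000
alice chat.example 8400000
dave unknown-app.example 950000
bob sendfiles.example 7000000
"""

def shadow_it_report(log_text):
    """Return (high_risk_apps ranked by upload volume, uncategorised domains)."""
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    uncategorised = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guessing at them
        user, domain, bytes_up = parts[0], parts[1], int(parts[2])
        if domain not in APP_CATALOGUE:
            uncategorised.add(domain)  # new app: needs a category decision
            continue
        app, category = APP_CATALOGUE[domain]
        if CATEGORY_RISK.get(category) != "high":
            continue  # low-risk categories (e.g. mapping) are not reported
        usage[(app, category)]["users"].add(user)
        usage[(app, category)]["bytes_up"] += bytes_up
    ranked = sorted(usage.items(), key=lambda kv: kv[1]["bytes_up"], reverse=True)
    high_risk = [{"app": a, "category": c, "users": sorted(v["users"]),
                  "bytes_up": v["bytes_up"]} for (a, c), v in ranked]
    return high_risk, sorted(uncategorised)

if __name__ == "__main__":
    high_risk, unknown = shadow_it_report(SAMPLE_LOG)
    for row in high_risk:
        print(f"{row['app']} ({row['category']}): {row['bytes_up']} bytes "
              f"uploaded; survey {', '.join(row['users'])}")
    print("Needs categorising:", ", ".join(unknown))
```

Re-running the report on fresh logs is the fourth step: anything that lands in the uncategorised list is a newly identified app awaiting a risk decision.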
Many Shadow IT implementations produce evidence of clearly risky behaviour, but due to a lack of involvement by the business nothing happens. It’s critical that Infosec teams work together with the business leaders, championing a positive model around enabling cloud application use. This tends to work much better than a negative blocking and tackling approach.
Joint teams may even find useful cloud apps in use that could be so valuable they could be adopted across the whole business – which would be a great outcome.