How to best limit potential breach risks of 'Shadow IT'
The cloud is growing. There were 1,427 cloud services in use at organizations in 2016, an increase of 23.7 percent from 2015. Approximately 18 percent of the data that goes into the cloud has some form of sensitive information, whether that's personally identifiable information or trade secrets.
With the typical organization facing 23 cloud security threats every month, there are many opportunities for a breach. In fact, last year, the number of threats rose by 18.4 percent. What is even more troubling is that insiders are becoming increasingly responsible for these breaches, whether through negligence or malicious intent.
Some of those risks are associated with shadow IT, which refers to employees who use their own technology—in this case cloud services—without the approval or knowledge of the IT department or any other entity involved in cloud application governance. IT security teams evaluate the risk profiles of approved cloud applications more comprehensively than individual employees. Non-IT users don't follow the same security considerations, leading to threats, data breaches and legal issues.
One example of a problematic shadow IT app is a PDF converter that includes a legal statement that anything uploaded to their cloud service becomes their property. If personal data or corporate data is uploaded to such a service, the company data is placed at significant risk.
Cloud computing offers too many benefits to eliminate it from your organization due to safety concerns. A solid plan is needed to deal with the risks, such as following best practices for cloud security and implementing cloud security tools.
There are several ways to cut down on shadow IT within an organization. Visibility provides better insights into the cloud environment in the company, cloud compliance improves overall security standards, threat prevention employs proactive techniques to approach vulnerabilities, data security policies reduce low-hanging fruit attack surfaces, and access control policies make sure that only authorized parties get access.
Visibility: Implement monitoring and cloud services visibility into the practices of your company. The first step in reducing Shadow IT issues is figuring out how much of a problem it actually is with the help of data. You do need to ride the line between security and privacy when you monitor employee activities, as you don't want to be perceived as doing something unethical. Try to limit the use of unsanctioned cloud services.
Cloud compliance: Make sure that your company is compliant with security standards. You need to encourage and promote the use of cloud standard compliant applications, as you can't reduce your risk profile without getting everyone on board with this process. Ensure the protection of sensitive information, such as social security numbers, medical records and fingerprints.
Threat prevention: Employ machine learning to identify unusual behavior that could indicate a threat in progress. For example, repeated downloads of sensitive information or excessive privileged user access could indicate a breach. Monitor for events that stand out, such as access during unusual time periods or locations, attempts to bypass security measures, and inactive accounts logging in.
Data security: Require frequent password changes, ideally every 30 days. Password and user-end security are some of the most important ways you can protect yourself in the cloud, as the service itself can have high levels of built-in security. If your endpoint security isn't up to par, you don't get to benefit from those measures. Use encryption algorithms that are peer and academically reviewed as being effective, but stay away from proprietary algorithms.
Access control policies: You need access control policies to stay safe in a cloud-based environment. For example, you can put restrictions in place that only allow file access in certain geographic locations, or the user must be on a VPN to gain access. Make sure that the encryption algorithms have the required functionality for the services they protect. They must have their own encryption keys. Before you encrypt the data, ensure that you still retain the original functionality. You also need to verify users only have access to the files they need to do their job.
Aside from following those best practices for cloud security, there are several key tools needed to ensure a completely safe cloud implementation.
- Cloud firewall: This firewall stops many low-level threats from compromising the connection between your organization and the cloud provider.
- Cloud data encryption: Protect your data by making it impossible for a hacker to read if they manage to break into the network and steal information.
- User access control: You give access to cloud resources based on what users actually need based on their role and responsibilities, rather than using a one-size-fits-all approach.
- CASB: Cloud Access Security Brokers provide your organization with another way to secure your cloud operations. They deliver several security features that help you maintain consistent security standards across multiple cloud providers.
- Point solutions: You improve security on the endpoints that connect to the cloud services.
- Platform providers: The cloud security vendor you work with should take a platform approach in offering security capabilities that can protect several SaaS services.
A comprehensive cloud security strategy is necessary for safely and securely operating in today's business environment. You have access to a diverse group of security controls and best practices, and your main focus should be on securing the workload in the cloud.