'Shadow IT' is a phrase we hear more and more often, but it isn’t something to fear. We live in an era where individual SaaS vendors maintain more of our corporate data than ever. It is these cloud-based services, providing organisations with near-instant access to advanced capabilities, which push teams to remain a step ahead of their competition.
Our goal as security professionals should be one of enablement, not curtailment. We need to approach shadow IT with a pragmatic view, so we can ask ourselves how we can better support business needs while also minimising risk. Luckily, we already have the tools we need.
Next-generation firewalls were designed to safely enable the applications that are critical to a business’ success, while blocking applications that bring unnecessary risk. To achieve this, next-generation firewalls were built to recognise thousands of unique applications, including those delivered over a SaaS-based model.
This not only brings visibility into which services shadow IT groups are firing up; it can also be used as an effective means of establishing control.
In some cases you might make the quick determination that a SaaS service simply introduces too much risk. By providing the ability to enforce usage through both application-based and user-based policies, a next-generation firewall provides the granular control needed to enable access for a single individual, a group, or an entire company. Some organisations have tied these policies to compliance programs to ensure teams undergo basic usage training before they are given access.
Another consideration is the Bring Your Own Device (BYOD) phenomenon. Organisations have exceptionally mobile workforces using a mind-boggling array of cloud-based services to access corporate data. There is no more 'traditional' security perimeter – there is the identity of the individuals trying to access data, and the data itself.
So how do you approach security for both on-premises and off-premises employees accessing data on the go?
Start by using a next-generation firewall to evaluate what is on your network by application, user and content. Then consider the simple premise that users should receive the same level of protection as they would if they were working inside the network.
This begins with ensuring devices are safely enabled while simplifying deployment and setup. During this process it is important to ensure proper settings are in place, such as strong passcodes and encryption. Those employees also need to be protected from exploit-based and malware-based attacks, just as they would be if they were inside the network.
Finally, you must be able to control both access to, and movement of, the data. This means you need to control access by the application, by the user, and by the state of the user's device. Those data movement controls need to be extended to the device to ensure data stays within the accepted applications. This enhances your ability to apply better visibility and control to reduce risk.
Shadow IT is a reality, but it doesn’t have to hold back your security.
Sourced from Scott Gainey, Palo Alto Networks