The phrase “shadow IT” conjures up images of shady employees secretly using banned cloud services from a supply closet. The reality, however, is that unsanctioned cloud use occurs every day at all levels of an organisation, even at the office of the Secretary of State of the United States, for a presidential candidate no less.
The revelation that Hillary Clinton relied on a personal email address during her tenure made headline news worldwide and has been the subject of heated debate, but it won’t come as a shock to anyone who has followed the upward trend of self-enabled cloud services in the workplace.
Whatever the political outcome of Clinton’s use of a private email account for official business, the episode has put shadow IT into the global spotlight. There has probably never been a more high-profile example of shadow IT and, although Hillary Clinton is currently its public face, more incidents like this will surely follow.
While some IT leaders may believe their organisations are hermetically sealed from the cloud, this is an impossible and highly undesirable goal for today’s enterprise. Government agencies are surprisingly similar to private sector companies when it comes to cloud use.
Research by Skyhigh Networks found that the average US public sector organisation uses 721 cloud services (compared with 897 in the commercial enterprise), which is still more than ten times the number IT typically expects.
In the vast majority of cases, these unsanctioned cloud applications serve a legitimate business need, and are used because they are liked by employees and help them be more productive – a hugely positive development for any organisation.
In this case, Clinton claims to have used a personal email address out of convenience. While this may sound somewhat frivolous coming from a top diplomatic official, the vast majority of employees make similar decisions every day.
It would also be a dangerous fallacy to claim unsanctioned cloud use occurs only among workers ignorant of technology and security. No worker is immune to the productivity and usability benefits of cloud applications, no matter their job title or place of work. Employees simply want to be able to use the cloud applications that allow them to get their jobs done as simply and effectively as possible.
Positives aside, shadow IT has real pitfalls. The biggest is that users don’t always have the information and knowledge needed to select the most appropriate services themselves, but often make the choice anyway.
The result is that organisations can have thousands of employees using high-risk cloud services with histories of breaches, compromising legal terms and conditions, or a lack of security capabilities – when appropriate alternatives are indeed available.
For instance, of the many thousands of cloud services available to users, only around 10% encrypt data at rest. That 10% does not include some incredibly popular applications such as Gmail, Hotmail and AOL Mail, which is one reason consumer email providers can be insecure repositories for corporate data.
While Clinton used a private server, enterprise employees are much more likely to rely on consumer email services for convenience. Ultimately, IT needs visibility into two things: the use of high-risk services, and high-risk behaviour (such as uploading sensitive data) within services that are otherwise reasonably secure.
This issue is not unique to the US either. There are likely to be many as yet undiscovered examples of this kind of activity in the UK. It’s easy to imagine an MP or senior political figure sending confidential emails from a personal account, sharing documents via unencrypted file-sharing websites or creating a presentation using a service like Prezi without first reading the terms and conditions relating to intellectual property.
So, is the answer to block all unsanctioned cloud services? On the contrary, blocking a service can drive employees to go around IT and find other, often higher-risk, cloud services that aren’t blocked.
The first step is to gain visibility into cloud use and risk, so that IT can make data-driven decisions based on actual usage when defining corporate policies. Security teams should aim for transparent policies and educate users on what constitutes unsafe cloud use.
They should also seek to understand the business need behind the use of an unsanctioned service and put controls in place that protect the data rather than the service. For example, employees may have a legitimate need to access YouTube, so instead of blocking YouTube entirely, security teams can allow “read-only” access (permitting viewing while blocking uploads) as a secure alternative.
Similarly, instead of blocking Prezi, security teams can enforce data loss prevention (DLP) policies so that sensitive corporate data is not uploaded to Prezi while ordinary presentations are left alone. This way, users work with IT rather than around it, and the organisation’s security posture improves.
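The visibility-then-policy approach described above, as an added example that is not code from the original article or from Skyhigh Networks: a small Python policy check run over constructed proxy log lines. It first builds a per-service usage report (the visibility step), then applies a hypothetical policy table with four modes: allow, block, read-only (uploads blocked) and dlp (uploads inspected for card numbers and classification markers). Unknown services are logged rather than blocked, reflecting the point that IT should see real usage before deciding. The log format, policy table, hosts, users, DLP patterns and all function names are assumptions made for illustration.

```python
"""Added example (not from the article or Skyhigh Networks): cloud-access
visibility and policy check over a constructed proxy log. All formats,
hosts, users and policy entries are assumptions for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample proxy log (not real traffic). Assumed format:
#   timestamp user method host path bytes_out "request body excerpt or -"
SAMPLE_LOG = """\
2024-03-01T09:14:02Z alice GET  www.youtube.com         /watch              1203    "-"
2024-03-01T09:15:40Z alice POST upload.youtube.com      /upload             5242880 "-"
2024-03-01T09:20:11Z bob   POST prezi.com               /api/presentations  88211   "Q3 roadmap, INTERNAL ONLY draft"
2024-03-01T09:21:03Z bob   POST prezi.com               /api/presentations  4021    "Team offsite agenda"
2024-03-01T09:30:55Z carol POST pastebin.com            /api/api_post.php   512     "card 4111 1111 1111 1111 exp 12/27"
2024-03-01T09:31:10Z dave  GET  docs.google.com         /document/d/abc     2200    "-"
2024-03-01T09:40:00Z alice PUT  prezi.com               /api/media          120000  "invoice 4111 1111 1111 1112"
2024-03-01T09:45:30Z erin  POST files.example-share.net /upload             9000000 "-"
"""

# Hypothetical policy table. Services not listed are unsanctioned but are
# logged rather than blocked, so IT gains visibility before deciding.
POLICY = {
    "youtube.com": "read-only",  # viewing allowed, uploads blocked
    "prezi.com": "dlp",          # allowed, uploads inspected for sensitive data
    "docs.google.com": "allow",  # sanctioned
    "pastebin.com": "block",     # anonymous paste site, no business justification
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"(.*)"$')
# 13-19 digits with optional space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|SECRET)\b", re.IGNORECASE)


@dataclass
class Request:
    user: str
    method: str
    host: str
    path: str
    bytes_out: int
    body: str  # excerpt the proxy captured for inspection; "-" when none


def parse_log(text):
    """Parse the constructed log format into Request objects, skipping malformed lines."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, user, method, host, path, size, body = m.groups()
            requests.append(Request(user, method.upper(), host.lower(), path, int(size), body))
    return requests


def service_for(host):
    """Map a hostname to a POLICY key by walking its parent domains; None if unsanctioned."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in POLICY:
            return candidate
    return None


def luhn_ok(digits):
    """Luhn checksum, so order numbers and other digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def dlp_findings(body):
    """Return the reasons a body looks sensitive; an empty list means clean."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("payment card number")
    if MARKER_RE.search(body):
        findings.append("classification marker")
    return findings


def decide(req):
    """Return (verdict, reason); verdict is one of allow, block, log."""
    svc = service_for(req.host)
    if svc is None:
        return "log", f"unsanctioned service {req.host}: recorded for review, not blocked"
    mode, is_upload = POLICY[svc], req.method in UPLOAD_METHODS
    if mode == "block":
        return "block", f"{svc} is blocked by policy"
    if mode == "read-only" and is_upload:
        return "block", f"uploads to {svc} are not permitted (read-only service)"
    if mode == "dlp" and is_upload and (found := dlp_findings(req.body)):
        return "block", f"upload to {svc} contains {', '.join(found)}"
    return "allow", f"{mode} policy for {svc}"


def usage_report(requests):
    """Per-service visibility: who uses it, how often, and how much they upload."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for r in requests:
        entry = report[service_for(r.host) or r.host]
        entry["users"].add(r.user)
        entry["requests"] += 1
        if r.method in UPLOAD_METHODS:
            entry["upload_bytes"] += r.bytes_out
    return dict(report)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for svc, e in sorted(usage_report(reqs).items()):
        print(f"{svc:26} users={len(e['users'])} requests={e['requests']} upload_bytes={e['upload_bytes']}")
    for r in reqs:
        verdict, reason = decide(r)
        print(f"{verdict:5} {r.user:6} {r.method:4} {r.host:26} {reason}")
```

Two details matter in practice. Card-like digit runs are confirmed with a Luhn check before they count as a finding, so the Prezi upload containing "4111 1111 1111 1112" (which fails the checksum) is allowed while the valid test number is flagged; without that check, DLP on a presentation tool would block on every long order or asset number. And the unknown file-sharing host is only logged, which is the data IT needs before deciding whether to sanction it, wrap it in a read-only or DLP policy, or block it.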
Employees need to be empowered to do their job in the most efficient way possible. If this means using a notepad from the stationery cupboard, they should be able to take it – and similarly, if this means using a file-sharing tool to collaborate, they should be able to do so.
It is only in very rare instances that an employee uses a cloud service for a malicious end, so the demand for these services comes directly from the need to get the job done.
Shadow IT should be embraced rather than feared, even when it’s the subject of more negative headlines.
Sourced from Nigel Hawthorn, Skyhigh Networks