CipherCloud’s recent study 'Cloud Adoption and Risk' states that 86% of cloud applications in a typical enterprise are unsanctioned by IT, but most companies don’t recognise the extent of the shadow IT problem.
David Berman, CipherCloud Cloud Discovery director, says there is an extensive and under-estimated footprint for shadow IT.
He says the rapid adoption of the cloud, and the fact that the download model for cloud applications allows individual workers to bypass the IT department, are leading to a rise in shadow IT.
“This has led to the dilution of traditional controls in the IT decision-making process and opened the gates for shadow IT to enterprise.
“Unvetted clouds are moving into the company as part of the enterprise’s overall cloud journey,” Berman says.
This raises security concerns as each unsanctioned application is a vehicle for introducing security and compliance risks into the enterprise, says Berman.
“For instance, a phishing email tricks a user into revealing their credentials and then the attacker uses that login information to access the account and steal information.
“One of the most under-discussed regulatory risks is the lack of safe harbor certification,” he says.
According to Berman there are a number of ways to protect against these risks.
He says, “Develop a multi-faceted cloud governance and control framework by combining commercial best practices, regulatory obligations, and line-of-business requirements to form a sustainable cloud governance strategy.
“As part of this governance strategy, take a deep dive into your cloud user activities by department and business function, and understand the business needs for each cloud application.
“Balance these needs with your regulatory requirements to develop a practical and meaningful control framework.”
Furthermore, he says establishing integrated technologies to protect and monitor cloud usage is only the first step, and enterprises need to ensure they have ongoing means to manage cloud access and exert continuous controls.
“In addition, your controls need to be granular enough to meaningfully limit your data exposure to the cloud without hindering cloud functionality.
“Most importantly, discovering, protecting, and consistently monitoring should be integrated functions rather than discrete capabilities that you have to manage separately,” Berman says.
It is important to protect against risks now as shadow IT has a strong footprint inside many enterprises and ‘will not fade’ anytime soon.
“However, the right framework and tools can help companies mitigate against the risks,” Berman says.