How to Protect Company Data by Managing Shadow IT
It’s time to give power, data, and insights back to IT teams so they can better manage shadow IT and protect company data.
- By Uri Haramati
- September 6, 2022
As more organizations shift to a cloud-first strategy, implementing protocols to protect company data is critical. For many organizations though, there’s one major, yet often invisible, obstacle -- shadow IT.
In Torii’s 2022 SaaS Visibility and Impact study, 69 percent of IT executives named shadow IT (applications purchased and used outside the purview of IT and procurement teams) as their greatest security concern related to cloud app adoption. It’s a reasonable fear considering that so many employees use non-sanctioned apps that may not adhere to their company’s security and compliance policies. Furthermore, 65 to 70 percent of all security challenges in the cloud arise from user misconfigurations.
With a couple of clicks, your employees can subscribe to a cloud software-as-a-service (SaaS) application, using their company credit card if the app’s not free, and configure it. This opens a new channel for sensitive data to flow back and forth.
The name “shadow IT” conjures a dark, ominous image, but it’s not all doom and gloom. There are plenty of upsides: faster employee innovation, fewer access bottlenecks, and the empowerment of choice. Trying to shut it down (which is nearly impossible) isn’t the way forward.
To protect company data, IT needs to develop a shadow IT management strategy.
Step 1: Gain and advocate for visibility
What’s scariest about shadow IT is the unknown. IT staff can’t secure, optimize, or effectively manage what they don’t know exists. According to Torii customer data, most companies have three times more SaaS applications than they realize. That’s a lot of unknown. When you consider additional security concerns such as former employees who haven’t been removed from applications, shadow IT only compounds complications. How can you remove ex-employees’ access to sensitive data when you never knew they were using these tools in the first place?
Visibility is the number one defense against the risks shadow IT poses.
There are several ways to discover shadow IT, such as asking employees to fill out forms when they acquire a new subscription or combing through expense reports. Realistically though, people won’t fill out those forms, and any data you do accumulate will be outdated almost as soon as you get it because new shadow IT apps are constantly being acquired and the applications users access are constantly changing.
Tools built with shadow IT in mind do exist. Some of these SaaS management tools have real-time endpoint discovery capabilities that illuminate the full scope of your SaaS stack, all the usage information associated with it, and intelligence on which applications are most at risk due to data accessibility. You can instantly see who can access (and is accessing) which applications, when, and with what frequency.
Step 2: Educate your employees about shadow IT
Tools enabling the discovery of shadow IT are a key part of the battle to protect data. In addition, every employee needs to be a soldier, trained and educated to defeat the enemy -- data breaches.
Most organizations provide pre-packaged cybersecurity awareness training with basic assessments that employees complete once a year or so, but they are typically missing a chapter about shadow IT.
If you’re going to support democratized application adoption, it’s important to tailor cybersecurity training to account for shadow IT. For instance, Carol from your marketing team may have no idea that when she created a HubSpot account with Google, she engaged in shadow IT, or that doing so could expose her company’s data to risk. Once she knows better, she might think twice and consult with, or at least notify, the IT team next time she needs a new tool.
Step 3: Provide a complete catalog of sanctioned apps for everyone
If your employees are aware of all the sanctioned apps available, they may be less likely to go looking for new ones that end up in the shadows. Best practice is to maintain a centralized, complete catalog of these applications, as well as an automated way for employees to request and gain access to the ones they want.
You may also want to offer a way for employees to submit information about apps they’d like that are not on the list so IT can evaluate them and, as appropriate, add them to the app catalog.
Step 4: Establish and document protocols for shadow IT
It’s common that IT has to secure shadow IT apps after the fact, but by that time there may already be cracks in the data dam. Your knee-jerk reaction might be to panic, shut the app down, and slap up red tape, but that undermines collaborative relationships between IT and application users, not to mention innovation. Instead, open a dialogue with the app owner (if you have that information) to assess unsanctioned cloud applications and understand:
-- Use cases: Why was this tool selected? What problems does it solve for employees?
- Potential security risks: What data does the app have access to? What security measures were used during setup?
- Adoption scale: Is this an app used by one person, a few people, or hundreds?
- Cost: Are people using a freemium version of the app or is there budget allocated for this app?
- IT involvement moving forward: Does the tool have reliable backups in place? What additional security measures should be taken to secure the app and protect the data that resides inside of it or is accessible through it?
In the end, you might find that bringing the app into your official ecosystem is for the best. Stay open to that possibility, and shift into advisor mode to pull tools in line with security and governance policies.
Ideally, businesses will reach a point where these questions are discussed and answered by individuals or department leaders before they go do their own thing. In the interest of collaboration, innovation, and getting ahead of shadow IT, document clear protocols about how to proactively secure new applications and a process for requesting the IT or security team’s review of those apps.
Step 5: Automate visibility and actions
We’ve already touched on the importance of application and usage discovery, but it can’t be emphasized enough. With enterprise cloud apps having overtaken on-premises applications, businesses need tools that can help reveal and manage SaaS applications and protect the data flowing through them -- tools that show who each application owner is, enable you to curate an application catalog that can be self-serviced by employees, make audits of application access easy, and automate removing people from applications when they leave the company or change roles within it.
That may be why 16 percent of IT executives say they already use SaaS management tools and 64 percent are planning to follow suit in the next two years.
The world of decentralized SaaS procurement and management will only become more complex and data breaches more costly in the coming years. It’s time to give power, data, and insights back to IT teams so they can better manage shadow IT and protect company data.