Shadow IT: Not Necessarily Nefarious, but Still Scary
“Shadow IT” is a broad term referring to any software, device, or service being used on your enterprise network without the knowledge of the IT department. Prior to the advent of cloud services, this generally meant more technically inclined employees would install privately-owned software onto their business desktops. Just like everything else, shadow IT has migrated to the cloud, where it has been growing relatively unchecked. SaaS apps are plentiful, free or very low-cost, and easy for anyone to access and use. Over 80% of employees admit to using unauthorized SaaS applications on the job.
Despite its ominous name, employees’ motives for using shadow IT usually aren’t malicious; they feel that their off-grid apps are more convenient, easier to use, and enhance productivity over enterprise-approved apps. Sometimes, the employees may not even know about the enterprise-approved apps. However, that doesn’t make shadow IT any less of a security threat. Cloud apps that haven’t been vetted by your IT team could have security vulnerabilities or pose compliance issues that employees aren’t aware of. There’s also no way to track whether they are being patched regularly.
Rogue apps running behind your corporate firewall are scary enough; a rogue public cloud infrastructure is arguably even worse. Employees or even entire departments may decide to set up their very own public cloud, in which they store and process your data. This puts your data at risk of breaches, could possibly create compliance issues, and broadens the potential attack surface for cyber criminals who could use the cloud service as a backdoor into your enterprise network.
Enterprise security teams cannot secure what they don’t know exists in the first place, and hackers are fully aware of this.
Shadow IT Hides in the Darkness
Comprehensive and consistent security policies and solid governance are key to combatting shadow IT, but they’re of little help without visibility. Employees who are using shadow IT for productivity reasons (the overwhelming majority) think they’re doing the organization a favor by skirting what they perceive to be the corporate red tape of IT department approval; in most cases, they sincerely do not understand the compliance and security risks. Malicious insiders (a small minority, thankfully, but still there) go to great lengths to conceal their activities and are hoping to cause security or compliance problems. Either way, employees who use shadow IT are unlikely to start reporting it regardless of what the company security policy says.
Organizations have to detect and shut down shadow IT on their own, a feat that’s easier said than done. One study found that the average CIO estimated that their organization was running 51 cloud services – but the average actual total was 730.
The good news is that Microsoft 365 has a tool that makes it far easier to detect shadow IT usage.
Productivity App Discovery: A Stake Through the Heart of Shadow IT
The Productivity App Discovery tool, which is accessed through the Microsoft 365 Security and Compliance Center, works by analyzing your firewall logs. Creating a report is easy: you manually upload a firewall log, select the vendor data source from a dropdown list, then click a button. The tool analyzes the elements of the log that are relevant to cloud app usage, including the date of the transaction, source IP, source user, destination IP address, and destination URL, to generate a report, which can be viewed in the Cloud Discovery dashboard.
Based on customer feedback, Microsoft recently rolled out several enhancements to Productivity App Discovery, including more information about which apps are in use, who is using them, and which IP addresses the traffic is coming from. The dashboard’s main tab provides an at-a-glance overview of your top cloud app users, IP addresses, apps, app risk levels, and any open alerts. Three additional tabs – Discovered apps, IP addresses, and Users – provide more detailed information.
The Discovered apps tab provides additional information about the apps the tool found in the firewall logs. In addition to letting you know how many people are using an app, you can find out which users and IP addresses are accessing it and how much data has been uploaded to it, determine when it was last used, and distinguish between different instances of the app in the organization. You can also create custom queries, such as filtering the apps according to how many users access them.
The IP Addresses tab lists the top 100 IPs accessing the discovered cloud services, and the Users tab displays the top 100 users with the same details as the IP Addresses tab. As on the Discovered apps tab, you can click on an IP address or a user for more information, such as which users have used a particular IP or which apps a particular user has accessed. You can filter the data by choosing to exclude certain users or IP addresses.
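To make the log analysis described above concrete, here is an added example (written for this page, not Microsoft's own Productivity App Discovery code) that parses a constructed firewall log carrying the same fields, summarizes usage per destination app, filters apps by how many users reach them, and ranks the top users and source IPs; the CSV layout, hostnames, IPs and the sanctioned-app allow-list are all assumptions.

```python
# Added example (not Microsoft's tool): build a per-app usage report from
# constructed firewall log lines and flag apps missing from an assumed allow-list.
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed log, CSV: date, source IP, user, destination IP, destination URL, bytes sent
SAMPLE_LOG = """\
2019-03-01T09:12:00,10.0.0.5,alice,203.0.113.10,https://sharepoint.example-tenant.com/upload,120000
2019-03-01T09:15:00,10.0.0.7,bob,198.51.100.20,https://files.unvetted-share.example/put,5000000
2019-03-01T10:01:00,10.0.0.5,alice,198.51.100.20,https://files.unvetted-share.example/put,250000
2019-03-02T08:30:00,10.0.0.9,carol,198.51.100.20,https://files.unvetted-share.example/list,1200
2019-03-02T11:45:00,10.0.0.7,bob,203.0.113.10,https://sharepoint.example-tenant.com/upload,80000
"""
SANCTIONED = {"sharepoint.example-tenant.com"}  # assumed allow-list of approved apps

def parse_log(text):
    """Yield one record per non-empty line; the app is the URL's host name."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, src_ip, user, dst_ip, url, sent = line.split(",")
        yield {"when": datetime.fromisoformat(date), "src_ip": src_ip, "user": user,
               "dst_ip": dst_ip, "app": urlsplit(url).hostname, "sent": int(sent)}

def discover(text, sanctioned=SANCTIONED):
    """Per-app summary: distinct users, source IPs, bytes uploaded, last use, sanctioned flag."""
    apps = defaultdict(lambda: {"users": set(), "ips": set(), "uploaded": 0, "last_used": None})
    for r in parse_log(text):
        a = apps[r["app"]]
        a["users"].add(r["user"])
        a["ips"].add(r["src_ip"])
        a["uploaded"] += r["sent"]
        if a["last_used"] is None or r["when"] > a["last_used"]:
            a["last_used"] = r["when"]
    for host, a in apps.items():
        a["sanctioned"] = host in sanctioned
    return dict(apps)

def shadow_apps(report, min_users=1):
    """Unsanctioned apps with at least min_users distinct users, most-used first."""
    hits = [(h, a) for h, a in report.items() if not a["sanctioned"] and len(a["users"]) >= min_users]
    return sorted(hits, key=lambda ha: (-len(ha[1]["users"]), ha[0]))

def top_entities(text, field, n=100):
    """Top-n users ("user") or source IPs ("src_ip") ranked by distinct apps reached."""
    seen = defaultdict(set)
    for r in parse_log(text):
        seen[r[field]].add(r["app"])
    return sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))[:n]
```

Pointing this at a real firewall export only requires adapting `parse_log` to that vendor's field layout; the aggregation and the allow-list comparison stay the same.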
The Productivity App Discovery tool is very easy to use, and because it analyzes data from all of your organization’s apps, it will help you detect unauthorized usage of approved apps along with the presence of rogue apps.
Microsoft Cloud App Security: Take Your Shadow IT Control to the Next Level
While Productivity App Discovery provides insight into shadow IT, Microsoft’s full-featured tool, Cloud App Security, can take it to the next level. Microsoft Cloud App Security is what’s known as a Cloud Access Security Broker (CASB). Not only can a CASB discover the cloud applications in use by an organization, but it can also take further steps to block and control access to those applications and to the data within them.
Microsoft Cloud App Security can also discover cloud applications in use through firewall logs. However, as a result of recent enhancements, it can now also gather this information automatically from your organization’s Windows devices with Windows Defender ATP. With an increasingly mobile workforce, this makes it possible to gather information on shadow IT even when a device is outside the boundaries of the local network firewall.
The next step of Microsoft Cloud App Security is perhaps the most important: the ability to take action on and with the discovered applications. Due to cross-industry partnerships, once an application is discovered, an IT admin has the ability to govern access to it. This includes applying data classification, labeling, and sensitive information protection policies to the data in the applications, thereby bringing them into compliance. An IT admin can also control and monitor access to the applications using real-time session controls such as Conditional Access from a unified control panel.
Finally, by leveraging the Microsoft Security Graph, Microsoft Cloud App Discovery can automatically detect known cloud threats, compromised accounts, and malicious activity in your cloud applications, and automatically remediate such issues.
Organizational Change Management: Avoiding Shadow IT in the First Place
While these tools provided by Microsoft are important and vital to securing your enterprise, you can also help prevent some shadow IT situations before they even begin. Most users who adopt unsanctioned applications do so because they either don’t know that their IT department provides an equivalent solution, or they don’t believe in IT’s ability to assist with an application.
Although this is disappointing to hear, admins can work with end users through proper change management practices to ensure users know what is available and to ensure that they can provide productive feedback and requests for new applications and features. An important piece of this is working with business units on a regular basis to understand their needs; you never know when that feature you have disabled in Office 365 may be of use to them.
Overall, like data breaches, shadow IT is an inevitable side effect of a digitized world. Once you’ve gained visibility into which apps are being used in your organization and who is using them, you can determine why employees feel the need to use these apps, educate them about the security and compliance risks, and direct them towards company-approved alternatives – and this scary story can have a happy ending after all.