Cloud tools such as Dropbox, Google Docs, private email, social media and other sharing services create problems for employers. On one hand they allow employees to work across multiple locations without expensive collaboration tools. On the other, they often lack adequate security and create backdoors into the corporate network. For most IT departments a flat-out ban is not an option, so they need to find ways of managing this new way of working.
Where’s the harm?
The dangers are real. Many ransomware attacks have been distributed through free cloud storage sites where access is not adequately controlled. While many employees (though not all) have learned not to open suspicious email attachments or documents from the web, there is a general assumption that file sharing sites are safe – which leads people to open links to documents shared through such platforms.
Malicious attacks are just part of the problem. Backing up documents to these platforms means the data is now outside your company network and outside of your control. So how safe is it? Can it be accessed from employees’ private devices, which could be lost or left unlocked? Could their password be easily guessed? Might they create links to privately shared folders, which hackers can identify?
Lock up your data or set it free?
When it comes to addressing this, there are two broadly different approaches. You could lock everything down, provide approved tools, and forbid staff from installing anything new. Or, you could tell employees you trust them, give them some security advice and hope they don’t make any terrible mistakes.
The first approach is absolutely correct if you are a defense company or a law firm dealing with M&A. But for most businesses – especially SMBs – it is unnecessarily restrictive, not to mention prohibitively expensive. The second way, however, carries very obvious risks of the type outlined above.
Most businesses want a happy medium, which balances security with fostering a collaborative and trusting working culture.
What is needed is an intelligent, adaptive approach, which recognizes that not all information is equal. Many documents are fine to share. Few bosses want to tell an employee they can’t work from home to look after their sick child because the off-site meeting plan can’t leave the corporate network. But equally, they don’t want multiple copies of salary lists or intellectual property documents existing in email attachments and cloud drives. Furthermore, there are other documents which would be ‘safe’ to share if specific pieces of information were not included: for example, sharing an order with a logistics partner, but not the credit card or bank details used.
An adaptive approach to data
Assuming you’re not in a high security industry and have come to terms with the fact that your employees want to use cloud tools, here’s how we advocate managing this challenge:
First, know what you’re up against. What is your critical information and where is it located? Easy enough to ask, but the answers might surprise you. You cannot adequately protect information in a cost-effective manner if you don’t know what you need to protect and where it needs protecting.
An effectively configured Data Loss Prevention (DLP) system can monitor the boundaries of your network and data transfer activity. IT professionals can use this to spot data leaving through channels other than the known ones and to see, for example, which collaboration sites are in use and by whom. With this knowledge, they can make intelligent decisions about whether these collaboration tools and working practices are acceptable, and educate employees on how to use them safely.
Understand which content can and can’t leave the corporate network. You don’t need to lock everything down, but you can set up your security system to completely stop or redact only specific information (credit card numbers, Social Security numbers, customer databases, etc) if it passes across the company boundary. This applies to both email and cloud based collaboration platforms.
Policy based decisions on what is and isn’t allowed don’t just have to be based on content, they can also be context-aware. If Ted in Legal uploads IP documents to his IP attorney’s collaboration platform, it’s probably fine. If Bill the intern sends the same document to his Google Drive, it’s probably not.
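The content-based and context-aware checks from the two paragraphs above can be sketched as a small boundary policy. This is an added example, not Clearswift's implementation; the department names, destination domains, document labels and the sample order are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Hypothetical context policy: (sender department, destination) pairs that may
# carry documents labelled as intellectual property.
IP_ALLOWED = {("legal", "collab.ip-attorney.example")}
# Constructed sample: a 13-digit order reference plus a standard test card number.
SAMPLE_ORDER = ("Order ref 1234567890123: 2 pallets to Leeds. "
                "Paid with card 4111 1111 1111 1111.")


def luhn_ok(digits):
    """Luhn checksum, so long digit runs that are not card numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text):
    """Redact Luhn-valid card numbers and SSN-shaped strings; return (text, hits)."""
    hits = 0

    def card_sub(match):
        nonlocal hits
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits += 1
            return "[REDACTED-CARD]"
        return match.group()  # fails the checksum: keep, e.g. an order reference

    text = CARD_RE.sub(card_sub, text)
    text, ssn_hits = SSN_RE.subn("[REDACTED-SSN]", text)
    return text, hits + ssn_hits


def decide(dept, dest, label, text):
    """Return (action, outbound_text) for a transfer crossing the company boundary."""
    # Context first: the same IP document is fine from Legal to the attorney's
    # platform and blocked from anyone else or to any other destination.
    if label == "ip" and (dept, dest) not in IP_ALLOWED:
        return "block", ""
    clean, hits = redact(text)
    return ("redact" if hits else "allow"), clean
```

Calling `decide("sales", "logistics.example", "order", SAMPLE_ORDER)` lets the order through with the card number replaced and the order reference intact, which is the logistics-partner case described earlier.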
Today’s malware is frequently delivered inside innocuous looking documents, which employees inadvertently open. An innovative adaptive DLP solution can automatically strip out active content from incoming documents to prevent malware infections. This secures against the Dropbox ransomware problem: if someone has downloaded or received a document containing an executable file designed to run a virus, it will be removed as it enters the network.
Equally, stripping out metadata and revision history from documents as they leave the network can protect you from problems. Few people realize that their documents contain hidden information about who worked on them, which is useful to phishers, and that document revisions have been used in a number of high-profile data leaks. The best way to prevent the problem is to remove this information by default.
Of course, technology can only do so much; there also needs to be employee education and awareness around the risks. Employees need help to understand what tools they can and can’t use, and what information they can and can’t share. Technology is great for backing up the decision and preventing mistakes, but education can create a cultural shift.
A collaborative and secure organization
The technological solutions I discuss here – and naturally I count Clearswift’s innovations among them – are more cost-effective than ever before, and can be easily added to existing security infrastructure, removing the need for a rip and replace strategy. SMBs in particular, who once lacked the budget for specialist security tools, are now able to take advantage of cost effective new technologies to deal with today’s threats.
By combining such technologies with policies and training, organizations can take an adaptive approach to collaboration, keeping the critical information safe while benefitting from the wealth of new tools which today’s agile organization needs.
About the Author
Dr. Guy Bunker, SVP Products, Clearswift
Guy has over 20 years’ experience in information security and IT management. Before joining Clearswift in 2012, Guy was a Global Security Architect for HP. Previously, Guy was Chief Scientist for Symantec and CTO of the Application and Service Management Division at Veritas.
Guy is a frequently invited speaker at conferences, including RSA, EuroCloud and InfoSec. He is a board advisor for several small technology businesses and holds a number of US patents. He has published books on utility computing, backup and data loss prevention. He has recently authored a paper on security for the Elsevier Information Security Technical Report and co-authored the European Network and Information Security Agency (ENISA) report on cloud security.