An organization’s users can now, with the swipe of a credit card, create their own IT infrastructure. The term for this is “Shadow IT” and it’s growing rapidly in organizations of all sizes. There are two steps to dealing with Shadow IT. The first is understanding why it’s a problem for the organization in general and IT in particular. The second step, once all parties have agreed they have a problem, is for IT planners to identify when and where Shadow IT is occurring.
Step 1 – Admit That You Have a Problem
When we talk to IT professionals, one of the biggest challenges we have is getting them to admit that Shadow IT is a problem, or at least helping them to understand the gravity of that problem. This is because on the surface Shadow IT can seem like a pretty good deal for organizational IT. Users taking the responsibility for their own data or applications allow stretched-too-thin IT personnel to focus on other matters. But in reality it seldom works out this way since users still need IT to help get services set up or to recover data when those services fail. More importantly, the organization has its data exposed, making protection and compliance almost impossible.
The services that users sign up for often are fulfilling a legitimate need. Users are often spending personal or their department’s money to acquire the non-approved service, so obviously it has value to them. IT just can’t “outlaw” the desired capabilities; it has to be able to provide this service in a way that meets organization’s goals, while at the same time providing the users with the capabilities that they want.
The File Sync and Share Dilemma
A good example of the legitimate need for these services is file sync and share services like DropBox. Users need the ability to synchronize data between their various devices. They also need to be able to share data with other employees within the organization or externally with partners and customers. There are several enterprise class file sync and share solutions that securely provide this capability to users while protecting the organization.
But, once the decision on an enterprise file sync and share service has been made, how does IT make sure that the chosen solution is the only solution being used? This is where CipherCloud and their Cloud Discovery Solution comes in.
Step 2 – Shadow IT Insight
With CipherCloud for Cloud Discovery it is easy to discover and categorize all of the cloud applications being accessed by the organization. The solution will identify the risk as well as provide a summary of network resource utilization by service, department or user. It features an intuitive drill-down dashboard that provides detailed information about cloud application usage. Available as a software module, CipherCloud for Cloud Discovery enables user organizations to scan network logs in-house and retain control over enterprise data.
Step 3 – Take Action
Once the various cloud applications have been identified, the next step is to take action. Here, CipherCloud has a suite of products that deliver cloud access control and data loss prevention to a variety of services including: Salesforce, ServiceNOW, Box.com, Gmail, Office 365 and Amazon Web Services. Each of these modules can encrypt or tokenize data, scan for business sensitive information, like social security numbers and credit card numbers, control which data can be shared, and monitor user traffic for anomalies.
Shadow IT is real and a real problem. It impacts an organization’s ability to protect data from either intentional or accidental loss. While in the short term, “self-service” IT in the form of user-initiated cloud-based services may seem like a good idea, in almost every case when that user decides to go outside the organization for an IT service, IT gets roped back in to “pick up the pieces”. A better strategy is for IT to identify the legitimate cloud needs in the environment up front and then offer enterprise versions of those solutions. Part of that strategy requires ongoing identification of unauthorized cloud use as well as the protection of data in approved cloud destinations. CipherCloud’s solutions enable those strategies.