Is Shadow IT Still Lurking Inside Your Organization?

In a recent blog post, Analyst and Network World Contributor, Linda Musthaler, discussed the dangers of Cloud Sprawl, or what many call shadow IT:

“SaaS-induced cloud sprawl creates a number of challenges for organizations. For instance, the company might not even know what applications its workers are using. This results in little visibility and control over what people are doing with company data. This is of paramount concern for highly sensitive and/or regulated data and information.”

This is a problem that has plagued organizations for years, ever since consumer applications like Box, Dropbox and Google Docs were introduced with the purpose of making it easier for people to share documents with one another. While these applications succeeded in their mission to simplify the exchange of information, they were not originally intended to be used for business purposes. Yet, once the exchange of personal information became so easy, it’s only natural that people would expect the same functionality at work. The freemium business models of these applications made it easy for employees to skirt around IT and use the services as needed, without the knowledge of their employers. Hence, shadow IT was born.

Over time, many file-sharing applications adapted to accommodate business needs, but few met the security, privacy or regulatory demands faced by organizations. Many organizations now ban these applications or have strict policies outlining what type of information can and can not be shared on these platforms. But, if it means getting their tasks done more efficiently, many employees still choose ease-of-use over following company policy, and their IT departments remain in the dark about the continued use of these applications.

READ

Device Attacks, Network Scanning Compromise Healthcare Data

Mark van der Linden, UK country manager at Dropbox, was recently quoted in ITProPortal supporting this idea, saying “users know what they want, and they’ll use whatever the best is for their use cases. Most of the time these are knowledgeable users who know what they want, and we think there’s a lot of benefit in that adoption.” But while this thinking might make employees feel less guilty about shadow IT, it makes those in charge of IT security shudder.

Dropbox does not exactly have a proven history of keeping data secure and has proven to be a very effective backdoor for hackers to penetrate organization networks. A few examples of this include:

In 2011, Dropbox publically admitted that all files stored on the platform were publically visible for four hours due to a bug
In 2012, someone stole usernames and passwords and used them to sign in to a “small number of Dropbox accounts.” Just this week we’ve learned that the size of the hack was grossly misstated and that 68 million records were compromised
In 2014, hackers claimed that they stole the login information for almost 7 million users and held passwords ransom. The same year, secure content collaboration company, Intralinks, inadvertently uncovered a vulnerability via a routine Google Adword campaign, which revealed that Dropbox allows third-parties direct access to private files. The problem still exists today

So what will it take to finally put shadow IT to rest? Here are a few tips:

Awareness: Make your employees understand the risks of using unsanctioned services with enterprise data. Even if you don’t crack down on usage, it can help employees make better decisions
Visibility: Use network monitoring tools to identify cloud application usage. This will help you understand the extent of the usage and potentially what is being shared and by whom
Control: Enforce control based on context, selectively blocking the upload of enterprise data to unsanctioned services. For example, some firms allow download but not upload of content. Some scan incoming content for malware.

The cloud creates an enormous opportunity for improving business agility. The sentiment of the Dropbox executive is not wrong – shadow IT often shows the way for improved business workflows. However, simply trusting employees to do the right thing will only continue to support bad behavior. The key to a balanced solution is to provide employees with tools, connectivity, and security that support productivity and allow them to get work done safely and efficiently.