Book a Demo

How to manage shadow IT in the cloud

by Mark Adams, on September 3, 2014

Original article at

How to manage shadow IT in the cloud

The cloud has made applications more accessible than ever, but how can firms best manage and mitigate associated risks?

The cloud can also help. To be effective against combating the shadow IT threat, your security policy needs to bridge the security time gap. That is, how long it takes between malware being distributed and protection against the threat becomes available. By wrapping policy around technology, with a real-time approach to malware pattern detection using cloud threat intelligence services, the endpoint risk can be remediated more quickly.

The cloud can also introduce a whole new problem - that of rogue clouds. It's one thing insisting that there is data separation between home and work on a tablet for example, but quite another if that work data is only being accessed on the mobile device and stored on a non-approved cloud service.

The same problems of potential security breaches, not to mention blowing a hole in any regulatory compliance schemes that apply to your business sector, are to be found wherever any cloud-based application is being used without the approval of the IT department.

These rogue-clouds are, simply put, any cloud-based services being used in contravention of your existing information security policy. This is complicated somewhat by the fact that rogue-clouds are often purchased by the business itself, without realising it. You buy into a service but don't realise it's a cloud-based one, or your SaaS application processed data is stored across multiple cloud providers and you have no idea who they actually are. At this point, when visibility drops to zero, the rogue cloud becomes shadow IT.

Can policy prevent rogue clouds and shadow IT usage? No, it cannot. Blocking and filtering is pretty counter-productive as a rule, and if employees have good reason to be using the rogue services in the first place they will continue to seek an alternative. Companies often discover that blanket blocking all access to unauthorised cloud-based applications hits the bottom line courtesy of this productivity-plummet effect.

Disruptive technologies only disrupt (in a bad, and insecure, way) when they are misunderstood. The solution is, therefore, to understand them. Merging governance with shadow-IT to create a workably secure strategic framework is the way forward. That is best done by enabling the technology that works, by saying 'yes' but with a caveat that it's 'yes and safely like this.'

Businesses must now start understanding the technology that they are using in the cloud - and that means more due diligence and better application auditing - combined with accepting rogue clouds as just another environment within which there is a pressing need to secure data. Being information-centric rather than infrastructure-centric is the key here. These architectures are only rogue because firms have not embraced them, and their data is only at risk because they've not secured it properly in the first place.