For most organizations, two things are true: first, cloud usage is proliferating, and second, much of that usage is happening "under the radar" of IT oversight.
The reasons for this aren't mysterious. Because cloud services are often billed on a pay-as-you-go basis, they can be adopted in small increments (a few users at a time, for example) and can deliver value without large, expensive integration efforts. As a result, business teams sometimes adopt cloud services, deliberately or otherwise, without engaging IT at all.
The security challenges that can come about as a result of unauthorized cloud use are well known: leakage of data outside the organization in unexpected ways, unknown and unmanaged supply chain dependencies, inefficiencies resulting from non-centrally-negotiated contracts, and more.
As a result of these potential impacts, finding and controlling "shadow" cloud usage is a high priority for most enterprises. But actually accomplishing this is more difficult than it might sound on the surface.
While there are a number of different strategies for "cloud discovery" (i.e., finding areas of this untracked cloud usage), many of these strategies have blind spots or limitations. Understanding where each of the strategies excels -- and where it might have blind spots -- can give organizations an opportunity to select and implement the combination of strategies that work best for their business needs.
In this tip, I will outline a few strategies organizations might consider when it comes to identifying and managing cloud app usage within the enterprise, and discuss some of the pros and cons of each approach.
Cloud discovery strategies
The old adage "you can't manage what you don't measure" is a truism generally, but it's particularly apropos in the cloud world. To be able to manage cloud usage, enterprises need to know something about what that usage is -- and, of course, the first step to doing that is confirming it exists in the first place.
For those of us in IT, the first path that calls to us is to take a technical approach to the problem. When it comes to cloud discovery, there is no shortage of technical approaches. Not only are there vendors that provide cloud discovery as part of their product set (including SkyHigh Networks and Skyfence Networks Ltd., among others), but there are other technical approaches as well. For example, enterprises might use firewall logs, Web proxy logs and data loss prevention tools, or adapt any number of other network-aware monitoring tools for this purpose.
The main advantage of a technical approach is that it can be automated. For example, an enterprise might set up a process that alerts admins about new cloud usage as soon as it's discovered. Technical approaches can also often be deployed rapidly with minimal disruption to, or required input from, the business. On the downside, keep in mind that their visibility is limited to what they can observe. A software-as-a-service app whose traffic doesn't traverse the enterprise network (for example, one that users reach from a personally owned mobile device) never shows up in firewall or proxy logs, so these automated tools will not see it.
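To make the automated, log-based discovery described above concrete, here is an added example (not code from the original tip, and not any vendor's product) that runs over constructed web proxy log lines. The log format, the domain names, the sanctioned-app list and the baseline of previously seen domains are all assumptions made up for the illustration; the logic reduces each request to a registrable domain, drops anything IT has already sanctioned, and reports non-sanctioned domains, flagging those not yet in the baseline so they can feed an alert to admins.

```python
"""Shadow cloud discovery from web proxy logs (added example).

Parses constructed proxy log lines, reduces each request to a registrable
domain, and reports cloud/SaaS domains that are not on IT's sanctioned list.
Domains absent from a baseline of previously observed domains are flagged
as new, which is the trigger for an "alert admins" step.
"""
import re
from urllib.parse import urlsplit

# Assumed log format (constructed for this example, not a specific product's):
# "<ISO timestamp> <client IP> <username> <method> <URL or CONNECT target> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample lines; domains are fictitious.
SAMPLE_LOG = """\
2014-05-02T09:12:01Z 10.1.4.22 jdoe GET https://app.example-crm.com/contacts 200 1842
2014-05-02T09:12:05Z 10.1.4.22 jdoe POST https://www.example-crm.com/api/save 200 310
2014-05-02T09:13:40Z 10.1.7.9 asmith CONNECT share.filedrop.example:443 200 120
2014-05-02T09:14:02Z 10.1.7.9 asmith GET https://share.filedrop.example/upload?id=7 200 998
2014-05-02T09:15:11Z 10.1.9.30 bwong GET https://mail.internal.corp/inbox 200 5400
2014-05-02T09:16:00Z 10.1.2.5 cdiaz GET https://notes.quickpad.example/login 302 0
2014-05-02T09:17:45Z 10.1.4.22 jdoe GET https://notes.quickpad.example/board/3 200 2200
garbage line that does not parse
"""

# Assumed lists; a real deployment would load these from IT's own records.
SANCTIONED = {"example-crm.com", "internal.corp"}                     # approved by IT
BASELINE = {"example-crm.com", "internal.corp", "filedrop.example"}   # seen on earlier runs


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain.

    Assumption: multi-label public suffixes (co.uk etc.) are not handled;
    a real tool should consult the Public Suffix List. IP literals and
    single-label hosts are returned unchanged.
    """
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_from_url(url: str) -> str:
    """Extract the host from a full URL or from a CONNECT host:port target."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]  # CONNECT target such as host:443


def discover(log_text: str, sanctioned: set, baseline: set) -> dict:
    """Return {domain: finding} for every non-sanctioned domain in the log.

    Each finding records the distinct users, request count, first timestamp
    and whether the domain is new relative to the baseline. Unparsable
    lines are skipped rather than aborting the whole run.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        domain = registrable_domain(host_from_url(m["url"]))
        if not domain or domain in sanctioned:
            continue
        f = findings.setdefault(domain, {
            "users": set(), "requests": 0,
            "first_seen": m["ts"], "new": domain not in baseline,
        })
        f["users"].add(m["user"])
        f["requests"] += 1
    return findings


def alerts(findings: dict) -> list:
    """Domains not yet in the baseline, most widely used first."""
    new = [(d, f) for d, f in findings.items() if f["new"]]
    return sorted(new, key=lambda df: (-len(df[1]["users"]), df[0]))


if __name__ == "__main__":
    found = discover(SAMPLE_LOG, SANCTIONED, BASELINE)
    for domain, f in alerts(found):
        print(f"NEW   {domain}: {len(f['users'])} users, "
              f"{f['requests']} requests, first seen {f['first_seen']}")
    for domain, f in found.items():
        if not f["new"]:
            print(f"KNOWN {domain}: {len(f['users'])} users, {f['requests']} requests")
```

On the sample data the run reports quickpad.example as new (two users, two requests) and filedrop.example as already known but still unsanctioned. A real deployment would persist the baseline between runs, use the Public Suffix List instead of the two-label shortcut, and pair the domain list with a catalog that maps domains to SaaS products. Note what this cannot do: a service reached from a personal device that never touches the proxy produces no log line, which is exactly the blind spot the procedural approaches below are meant to cover.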
So, how can an organization find usage that's not traversing its network and therefore is invisible to automated tools? It's here that more procedural approaches have an edge. For example, an organization might consider canvassing business areas and asking them about the applications they use in an attempt to find which SaaS applications are in use. In other words, ask users directly. This can be done as part of an intelligence-gathering activity (such as a security risk assessment, IT audit or business impact assessment) or on its own as a separate activity. An advantage of this approach is it's not dependent on how users access the application or service, which might be the case with a technical discovery method. That said, keep in mind that you're relying on users to accurately report usage. Employees might fail to mention services that are only used by a handful of folks or that they don't see as critical.
Another strategy is to enlist allies in other areas that might have visibility an enterprise's IT or security teams do not. This could be, for example, the accounting or expense department. Why accounting? Keep in mind that users need some way to pay for subscription services; they might employ a corporate card to do that. Having an ally in the department that has oversight of this can be a useful way to gain additional visibility. Alternatively, for larger organizations, the audit team can be a valuable ally to cultivate. Because of their role, auditors see quite a bit of how business activities get done. Enlisting them as "eyes and ears" for new cloud usage can lead to some unexpected finds.
What happens next?
Understandably, nobody has infinite time or budget to assess shadow cloud use; it's rare for an organization to be able to do all of these things. The approach (or combination of approaches) an enterprise chooses will therefore depend on factors unique to its business: what it is already good at, what relationships it does or doesn't already have with other departments, its technical acumen, the availability of staff and resources, and so on.
The important part is recognizing the issue and doing something to achieve this additional visibility.
Once an organization has visibility into shadow cloud use, the next step is doing something with it. Specifically, put in place a process to track, evaluate and manage the usage. Be careful about taking a "hard-line" stance with business teams once shadow cloud usage is discovered; shadow usage is often a symptom of unmet demand for something they need to solve a business problem. Simply telling employees to stop using the service "cold turkey" leaves them without a solution to that problem. Instead, consider whether there's a way to centralize the service, either by consolidating usage with other areas that use the same (or similar) apps, or by providing a centrally managed tool or service that offers comparable functionality.
About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.