

How to mitigate shadow cloud services security risks

Shadow cloud services are an unavoidable part of the modern enterprise, but they present fresh security challenges. Expert Rob Shapland discusses some mitigation methods.

One of the key challenges of embracing the cloud is knowing where data is stored and in which cloud services. By necessity, most enterprises allow data to be stored in a number of sanctioned cloud services, such as Office 365, Dropbox, Google Drive or one of the major infrastructure as a service providers. These services can be accurately monitored and controlled with the use of a cloud access security broker to ensure that enterprise policies and security controls can be applied to cloud services.

However, a growing challenge for most organizations is tracking the use of unsanctioned or shadow cloud services. These services are not covered by the CASB and are therefore outside the control of the enterprise security team. Not only does the security team usually not know what data is being stored in these services, it may not even be aware how many are in use. Research by Ciphercloud suggests only 14% of cloud applications in use by the enterprise are sanctioned. This creates a significant risk that data is stored on insecure services and increases the risk of an accidental data breach. The natural reaction is to block access to all shadow cloud services, but this is an outdated approach.

What to do about shadow cloud services

First, the organization needs to determine how many shadow cloud apps are in use by employees. If all enterprise traffic is routed through the corporate web proxy, then app usage data is available to the IT team from the proxy logs. This may be only one of several methods that need to be combined. Remember that all traffic sent to and from the cloud must leave the enterprise's network, so there will be a point at which that traffic can be tracked.
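As an added illustration of the proxy-log approach described above (example code written for this page, not from the article or any product), the following script tallies uploads to hosts that are not on a sanctioned list. The sanctioned domain list, the simplified Squid-style log format and the "uploads to an unknown host" heuristic are all assumptions; the log lines are constructed sample data.

```python
"""Tally unsanctioned (shadow) cloud service usage from web proxy logs.

Assumptions (not from the article):
  * The security team maintains a list of sanctioned domains (SANCTIONED_DOMAINS).
  * Proxy log lines have the form:
      timestamp user client_ip method url status bytes_sent
  * Data leaving the network shows up as POST/PUT/PATCH requests with a non-zero
    body, so only those requests are counted; GETs to unknown hosts are ignored.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Sanctioned cloud services; hypothetical inventory kept by the security team.
SANCTIONED_DOMAINS = {
    "office365.com",
    "sharepoint.com",
    "dropbox.com",
    "drive.google.com",
    "docs.google.com",
}

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
1700000000 alice 10.0.0.12 POST https://www.dropbox.com/upload 200 524288
1700000005 bob 10.0.0.17 POST https://files.example-share.net/api/put 200 1048576
1700000010 alice 10.0.0.12 GET https://docs.google.com/document/d/abc 200 2048
1700000020 carol 10.0.0.21 POST https://files.example-share.net/api/put 200 3145728
1700000030 bob 10.0.0.17 POST https://notes.example-pad.io/sync 200 4096
1700000040 dave 10.0.0.33 GET https://www.example-news.com/ 200 10240
"""


def is_sanctioned(host: str) -> bool:
    """True if host is a sanctioned domain or a subdomain of one.

    The check requires a label boundary ("." + domain) so that a lookalike such
    as dropbox.com.example-share.net is not treated as sanctioned.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def parse_line(line: str):
    """Parse one proxy log line into a record, or None if it is malformed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _ts, user, _client_ip, method, url, _status, sent = fields
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        bytes_sent = int(sent)
    except ValueError:
        return None
    return {"user": user, "method": method.upper(), "host": host, "bytes": bytes_sent}


def shadow_upload_report(log_text: str):
    """Aggregate uploads to unsanctioned hosts.

    Returns a list of (host, distinct_users, requests, bytes_sent) tuples,
    largest upload volume first, so the team can see which unknown services
    are receiving the most data and from how many people.
    """
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] not in UPLOAD_METHODS or rec["bytes"] == 0:
            continue
        if is_sanctioned(rec["host"]):
            continue
        entry = stats[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
    rows = [(h, len(s["users"]), s["requests"], s["bytes"]) for h, s in stats.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for host, users, requests, sent in shadow_upload_report(SAMPLE_PROXY_LOG):
        print(f"{host:30} users={users} requests={requests} bytes={sent}")
```

The output is a starting point for the investigation step that follows: each unknown host becomes a question about who is using it and why. In a real deployment the suffix match should be backed by the Public Suffix List rather than a plain string comparison, and the sanctioned list should come from the CASB's own inventory.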

The next step is to investigate what the apps are and why employees are using them. It could be that a malicious employee is using shadow cloud apps to send data out of the network without detection, but it could also mean that the current cloud services aren't providing all the functionality required and that by using shadow services, the team is actually being more productive. In this case, the service needs to be examined to see if it can become sanctioned.

One of the greatest weapons against the use of shadow cloud services is security awareness training for employees. This is true for many areas of enterprise security, as long as the training is delivered in a believable, interesting and relevant manner. All data stored on shadow cloud services is put there by employees, so by training them on the risks, communicating which services are sanctioned, and giving employees a say on whether certain shadow apps should be sanctioned, the problem can be stopped at the source. Try to avoid the temptation to use internal resources to deliver the training or to do it via e-learning. Awareness training should always be delivered live and by outside trainers who can present the risks outside the remit of a normal IT presentation, as this is the only way to really increase employee buy-in. Back up the training with accurate monitoring of shadow cloud services usage, and the enterprise should begin to feel in control of its cloud data.
