Mar 1 2019
Shadow IT: Causes, Symptoms, and Cures
Alpin is now CoreSaaS.
A Guide For Security And Compliance Control Freaks: Discover and control what’s lurking in the cloud
Expect Significant Increases In Cloud Spend
What’s your company’s cloud spend trajectory?
Most companies find themselves spending more and more on cloud services. IDC research estimates cloud spend will increase 23% in 2018 to $160B. By 2021, they predict the total will be $277B spent on cloud services.
If you work in compliance or security, you likely have mixed feelings about cloud software. While SaaS has many advantages over onprem software, it can be hard to catalog and audit.
Shadow IT Comprises Much Of Cloud Spend
How many times have you discovered someone in your organization using software you were not aware of?
It could be happening more than anyone realizes:
And that’s just the software being paid for. Plenty more gets used for free. The good news? It’s now possible to find and manage cloud software with ease.
The Cause: How Shadow IT Spreads Fast
Here’s how we understand the most common way shadow IT spreads, based on our experience working with many IT compliance and security professionals.
The Symptoms: Compliance And Security Issues Caused By Shadow IT
Here are some SaaS data security scenarios to contemplate:
- Employees unwittingly upload sensitive information to unvetted or unsecured cloud apps, and no one knows about it.
- A vendor data breach results in a public posting of data about your company’s customers, people, or operations, which is especially scary if no one manages or even knows about a particular vendor.
- Users unknowingly grant permissions that give vendors far too much access to company systems or that outline their employment.
- A vendor’s poor data protections expose sensitive information or expose non-sensitive data that nevertheless can be used to bolster social engineering attempts.
- Cloud storage file permissions make sensitive information public, shared with too many people, or even indexed by search engines.
How can you deprovision software you don’t know about? Former employees may retain access for years, as some of our customers learned.
To prevent these types of issues, companies typically have policies and software review procedures in place. But without oversight, employees bypass policies by signing up with cloud apps.
Symptoms To Really Avoid
Shadow IT can potentially violate regulations.
Many regulations touch on data flows or storage. If there is any kind of breach, even one from a vendor that stores some of your data, your company could face regulatory scrutiny, among other complications.
Storing data in unknown and unvetted places may result violations or a range of other damaging regulatory consequences if audited.
Likewise, some clients may have regulatory flow-down requirements that require you, their vendor, to maintain compliance. Violations by SaaS vendors could not only impact compliance, but client relationships and bottom-line revenue.
Freemium Product Exploitation: employees use a free version instead of a contractually-required paid license. Contract terms may stipulate fees or penalties for this kind of activity.
Vendor Allows Over-Provisioning: SaaS vendors sometimes allow admins or even regular users to add more users than are accounted for in a contract. Why would they do this? Rather than tightly control the number of users, this tactic encourages rapid user growth, especially if employees can easily add themselves or others. Your employees can add themselves as users with the click of a button, not realizing that someone will have to pay for it later.
Multiple Users Access One Account: If there is a service account such as marketing@ domain.com, firstname.lastname@example.org, etc., a group of users can sign up with that single account, which is accessible to many people, allowing all of them to access one paid subscription. This account misuse can be easily tracked and is often prohibited by SaaS license compliance terms. Depending on the contract, it could result in significant penalties, let alone license charges.
The Cure: Discovery And Governance Tools In Alpin
Automated Shadow IT Discovery And Management With Alpin
Alpin offers many methods to quickly discover cloud applications, some less intrusive than others. They include:
API integrations with leading apps, connections with SSO platforms, data extraction from accounting and expense systems, a browser plug-in, an on-device agent, firewall log analysis, and email scanning.
Once one or more of these discovery methods begin running, you will quickly have a better grasp of your cloud software environment, including who is using what apps.
Leverage A Robust Vendor Audit List With Compliance And Breach Information
After discovering apps across your SaaS ecosystem, it effectively creates a detailed vendor list. Alpin tracks over 40,000 cloud apps (and growing).
When viewing specific vendors within Alpin, it’s possible to view recent news, including any recent security or data breaches that have been reported. This kind of news empowers you to swiftly take the proper action to secure your own data.
Alpin is currently tracking the certification status of companies as it relates to Privacy Shield, GDPR, SOC, and ISO. On any vendor’s page within Alpin, you can view the status of these certifications and click links to investigate further.
Quickly Audit Entire Cloud Storage Libraries – Data Loss Prevention (DLP) Tool
DLP is an important consideration for any cloud service provider. Unfortunately, the strong user controls make data leakage a potential issue.
How does it work? Admins grant Alpin additional permissions to read metadata about files and folders in an enterprise cloud storage account. Alpin cannot read document contents, nor can Alpin modify any information, because we do not ask for permission to do so.
Alpin parses the metadata about all files and folders, highlighting files containing sensitive keywords such as “financials,” “payroll,” etc. We then show showing you any files or folders being shared outside the organization, including those discoverable by search engines.
Make Auditing Even Easier With Tagging, Categorization, and Reporting
Inside Alpin, users can add as many tag groups and tags as they desire in order to customize reporting. By adding tags to a software subscription, you can conduct custom searches or reports for only those items containing the tags you specify.
You can tag cloud apps, licenses, or users – all three data record types can be searched for and reported on.
For security or compliance reporting, here are some tag ideas to get you thinking:
- Compliance / Audit – add a tag for every certification you can think of: COPA, GDPR, Gramm-Leach-Bliley, HIPAA, ISO 27000, SOC 2…
- Data Storage Country – Tag where data is stored in each app. USA, EU, globallydistributed, etc. • Information Sensitivity – Customer contact information, financial data, HR data, PHI, PII…
- NSFW / Time Wasters – Adult content, dating, entertainment, gambling, gaming…
- Priority / Importance / Acceptable Downtime – 1 hour, 24 hours, 4 hours, 48 hours, 8 hours, minutes, essential, non-essential….
- Risk – cost inflation, deep permissions, public sharing, unsupervised integrations/extensions…
Send And Score Vendor Assessments In One Place
Tired of using email and Excel files to track vendor questionnaires? Alpin can help automate vendor assessments with templates, sending, scoring, and more. This helps you to quickly send and receive assessments with the benefit of having them all in one place.
Send And Score Vendor Assessments In One Place
You may have policies in place regarding new software acquisition. By receiving alerts for newly activated subscriptions or permissions, you will have more ways to ensure policies are maintained.
Real-Life Shadow IT Scenarios And Cures
While you may be convinced of the need to better manage cloud software, maybe someone you report to or work with needs some extra convincing. We’ve included some real-life stories here, with important details removed for privacy, to make any persuasion you need to do easier
An employee still had access after 3 years – Multiple examples of a scary lack of oversight
A large technology company’s ex-employees – up to three years gone – had access to multiple cloud apps, including the company’s CRM. Not only was this a waste of money, it put years of potentially sensitive information at risk.
An expense and approval system kept IT and procurement in the dark about cloud software purchases. A manager approved employees’ software expenses without intervention or detailed audits of purchases.
Solution: Alpin discovered these mystery users and programs. With knowledge in hand, security and compliance staff could address or correct these issues.
Untrustworthy site had access to executive emails
A gaming site subscription, based in a country known for malicious hacking, had full access to many company email inboxes.
This included access to CEO and CFO inboxes and all their sensitive content.
Solution: Alpin discovered the offending app and permissions that led to the situation, and provided the tools to secure sensitive information.
That shouldn’t be shared… with search engines
A finance director, through a cloud file storage app, was sharing a root-level folder with outside parties. That inadvertently provided access to detailed financial statements that would never be released publicly or shared. Salaries, P&L, and more were unintentionally exposed.
A team’s files, folders, and discussions were made completely public rather than internal and read-only – this made financial files and other sensitive information indexable by search engines.
Solution: Alpin’s discovery and cloud Data Loss Prevention (DLP) tools provided the information needed to pinpoint the data leakage and change the relevant settings.
License compliance and cost overruns – Many duplicate apps
At one company, many teams had their own Slack domains, and they were all unaware that a corporate Slack account existed. Costs overlapped and added up.
Similarly, another organization found not one, but five duplicate project management apps, spread throughout the company. This created massive cost overlap and security vulnerabilities (we don’t know how much sensitive data may have been stored in the other apps).
Solution: Alpin’s extensive discovery tools identified these hidden instances, giving security staff the data and contact information needed to remedy the issues.
Did you know they had a data breach…. and you use them?
After a recent data breach from a cloud software provider, multiple companies wanted to know if they were affected. Without Alpin, they had no way to know, for sure, if their users were exposed by the vendor’s breach. With Alpin, they got notifications about the affected app, as well as who was using it, so they could lock down their exposure.
Another company found over 3,000 SaaS apps when they expected to find a few hundred.
Solution: Whether it’s general discovery or looking for a specific app, Alpin sheds light on cloud software ecosystems. Solving shadow IT problems starts with discovery