
Shadow IT and Shadow Data keeping the CISO up at night

Damien Manuel | June 30, 2016

The very thought of it is enough to keep CISOs up at night. All across your company, in every department, employees are using apps that you haven't tested, secured or sanctioned.

As workers become increasingly IT-savvy and more cloud-based, often free solutions to their specific problems become available, more and more of them are bypassing the IT department for a quick fix.

As cloud applications become easily accessible at low cost, employees who seek to be as efficient, productive and collaborative as possible are able to make technology decisions without consulting IT. Compounding the problem, outsourced and managed service providers can often slow the pace of technology adoption, further prompting business units and employees to seek solutions outside of IT control. Welcome to the age of decentralised IT.

It's little surprise that employees are taking things into their own hands and using their own department budgets to find solutions to work processes in the cloud quickly and easily. A 2015 survey of UK CIOs from enterprises with over 1,000 employees found that 60 per cent said there was an increasing culture of Shadow IT in their organisations. Some 84 per cent are worried that cloud is causing them to lose control over IT.

So where does that leave CIOs, CTOs and IT directors with regard to ensuring a secure environment? And how can you secure all the company and customer data that is sitting on third-party servers or moved between various third-party providers and suppliers?

Clearly, the solution cannot be simply trying to stamp out Shadow IT. It's no use reprimanding those that use it, relegating the strategic function of the IT department to that of stern schoolmaster. Frankly, it's also far too late for that.

Moving to a cloud-based solution means that sensitive data now moves between the enterprise and the cloud. The use of unsanctioned cloud applications has created an intensified risk of internal/external data exposure, malware attacks from suspicious cloud providers and the problematic visibility and security issues caused by Shadow IT spinning out of control.

CIOs are now required to manage demands from business units for services to be provisioned from outside the organisation; they have to bring together disparate services, locations and implementations into something cohesive. Sensitive information that is uploaded and shared in cloud apps without the knowledge, consent or control of IT security teams may put an organisation at risk of a costly or highly embarrassing data breach, or in violation of local or regional regulatory requirements.

Uncovering and rating cloud services, which most Cloud Access Security Broker (CASB) vendors do, is the first step in managing and securing your cloud attack surface. Once an organisation decides to embrace particular apps, or "sanctioned apps," the next critical stage is to understand the data flows and types of data within those apps, or what is now being termed "Shadow Data."

 
