Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud & The Fuzzy Math of Shadow IT
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
[email protected],
User Rank: Author
7/14/2014 | 9:17:00 PM
Re: Does no one ever question these numbers before publishing..
While it is hard to believe Gartner's prediction on technology spend outside of IT, it is one that may be a reality even before the end of the decade. One has to only look at the procurement process of cloud apps - it is very simple to self sign in a portal and pay for it using a credit card. We are seeing lines of businesses within an enterprise sign up for multiple apps without IT involvement. Based on cloud app usage data that we processed over a wide range of industry verticals last quarter, we found an average of 461 cloud apps being used in an enterprise. And to top it - this was 9-10x more than the number the IT dept had estimated. So you can see the 90% number is not out of the realm of possibility.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/14/2014 | 3:06:56 PM
Re: Shadow IT's "share button"
Thanks, Krishna. Not long-winded at all, but very useful information. It sounds like a bit of a process from identifying & evaluating  potential risk and then educating the users. 
User Rank: Guru
7/14/2014 | 3:05:38 PM
Does no one ever question these numbers before publishing..
or do you look at these quotes like "Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT" and let the source take the hit? 90%, really?

That's not even realistic, yet it gets published anyways. We all know what they say about statistics, but should we seriously put stock in companies that are constantly wrong? I guess if you work in meteorology, economics or as an "industry analyst", you can keep doing your job poorly and still make money. Guess I should have picked a different profession.

Gartner may be a big name, but does anyone ever actually research how often they are right, or does the name give it more weight by default?

[email protected],
User Rank: Author
7/14/2014 | 2:20:39 PM
Re: Shadow IT's "share button"
Excellent question Marilyn. IT departments can use the following methods to get an assesment of their cloud apps.

- analyze the log files of egress FW/proxy to identify the cloud apps that are being used in their enterprise (least intrusive - no need to add new eqipment/software)

- once the apps are identified, they can assess the risk associated with these apps. Not all apps are craeted equal. There are over 150 cloud storage apps and their risk exposure is all over the spectrum. The risk rating of apps dpends on a a variety of criteria and is also sepcific to the category of apps (storage vs CRM vs productivity)

- a notch up is to have am in-line cloud access gateway that can not only provide visibility into usage of cloud apps in an enterprise but can do it at the activity level. In my previous post I had given the example of how a share activity in cloud storage can be very risky compared to an upload or download. The inline solutions will provide a more accurate picture of the risk exposure.

- after getting the current state of cloud app usage, IT depts can then coach users to move away from risky apps to more secure sanctioend apps that they procure.

This is a win-win solution for the IT dept and the users. The users get to use the cloud apps and the IT dept is in control of the risk exposure.

It was a long winded answer - but I hope I addressed your question.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/14/2014 | 8:07:24 AM
Re: Shadow IT's "share button"
Thanks for these best practices, Krishna. I'm wondering what suggestions you might have for IT departments in identifying and deploying enterprise cloud apps that employees like and will use without "going rogue" posing serious security risks. 
[email protected],
User Rank: Author
7/14/2014 | 1:54:54 AM
Re: Shadow IT's "share button"
The discussion in this thread highlights the catch 22 situation with Shadow IT. The benefits of adopting cloud apps to a business are quite clear. It helps collaboartion, business agility, simpler processes which imply faster time to market and provide competitive edge to enterprises. The pitfalls and risks of cloud apps are also quite evident as has been highlighted in this thread. 

Here are some best practices(handy tips) to tackle this catch-22 situation

- first of all discover the extent of cloud apps proliferation in your enterprise and the associated risk.

- get visibilty to the activity level of these cloud apps. For ex sharing a document outside the enterprise is more risky than uploading the document to a cloud storage app.

- develop and enforce policies that govern the cloud apps usage. This should include general access control policies as well as content-aware policies like DLP. This will address the compliance requirements highlighted in this thread.

- continuously monitor and tweak the polcies that have been set based on business requirements.

Thanks for sharing your thoughts on this topic - keep them flowing.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 2:30:42 PM
Re: Shadow IT's "share button"
Of course, HIPAA would be the stumbling block. (duh) But I can't imagine working in an environment where pagers, paging, and phone tag is the rule. Healthcare definitely has an uphill climb...
User Rank: Moderator
7/11/2014 | 2:03:41 PM
Re: Shadow IT's "share button"
I was talking about SMS texting with the CIO and the discussion was focused on healthcare, so it's a very specific industry example. Hospitals don't want physicians or nurses texting each other via standard texting since it's not secure or HIPAA-compliant -- yet hospital medical staff get fed up with the standard means of communication (things like pagers, paging, and endless games of phone tag). As an alternative, they may invest in secure texting apps that give the same immediacy as SMS but meet HIPAA rules.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/11/2014 | 9:45:55 AM
Re: Shadow IT's "share button"
Interesting, that the hospital CIO singled out SMS texting. What was their reasoning? Or is that just an example of a rogue app flying under the radar. It's hard to imagine texting as a rogue app since it's so ubiquitous and ingrained. 
Charlie Babcock
Charlie Babcock,
User Rank: Ninja
7/10/2014 | 4:25:01 PM
And who cleans up the data breach mess?
It's always fun to be the rebellious end user, but what if someone in IT is fired due to a data breach caused by Shadow IT activity? More likely, the business user causing the breach would get fired, but it's hard to say where responsibility begins and ends with so many parties able to opt out and choosing to do so. It's an old problem but I've little doubt professional IT gets called in in the end to clean up the messes.
Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-09-28
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk...
PUBLISHED: 2022-09-28
readelf in ToaruOS 2.0.1 has some arbitrary address read vulnerabilities when parsing a crafted ELF file.
PUBLISHED: 2022-09-28
A stored Cross-Site Scripting (XSS) vulnerability exists in version 1.0 of the Expense Management System application that allows for arbitrary execution of JavaScript commands through index.php.
PUBLISHED: 2022-09-28
A vulnerability has been found in Open5GS up to 2.4.10 and classified as problematic. This vulnerability affects unknown code in the library lib/core/ogs-tlv-msg.c of the component UDP Packet Handler. The manipulation leads to denial of service. The exploit has been disclosed to the public and may b...
PUBLISHED: 2022-09-28
IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.