Cloud services are easy to use; just type in a credit card number and you have access to a vast array of virtual infrastructure components (IaaS) and powerful software-as-a-service applications (SaaS). This low barrier to entry has given rise to a phenomenon known as 'shadow IT,' where individual teams and lines of business begin using cloud services without IT's involvement or oversight.
It's rare for non-IT personnel to understand the security and compliance requirements around corporate data, and thus shadow IT represents a risk that businesses cannot afford to take. Read on to discover five common misconceptions that reflect important considerations for any organization that does business in the cloud.
1. The problem isn't that big
In a study of IT professionals conducted by Tech Pro Research earlier this year, 23% of the respondents said there is zero unsanctioned SaaS activity happening in their organization. The average across all respondents was 14%, that is, they feel the vast majority of their SaaS engagements are above-board.
According to Gartner, however, enterprises spent 35% of their IT budgets on shadow IT in 2016, and a survey by mobile software firm Canvas found that 61% of business teams admitted to developing and launching apps without IT's involvement.
All of these findings underscore the fact that it behooves IT leaders to get serious about bringing shadow IT out from the shadows.
2. We have it under control
While you might think traditional firewalls are inspecting traffic thoroughly, legacy security tools don't offer the kind of visibility and control organizations need when sending data back and forth to the cloud. For example, cloud resources are accessible by any user, anywhere. An on-premises firewall cannot register that exchange of information.
What's needed are advanced security tools, like those available in a Next-Generation Security Platform. These have the ability to inspect every data packet coming into and out of your virtual environment, and to apply security and access policies consistently across physical and cloud resources. Products like App-ID from Palo Alto Networks identify all traffic and apps, so the IT team enjoys end-to-end visibility.
In the Tech Pro Research survey, only 47% said they use next-generation firewalls for SaaS access, and only 18% said they'd partner with an expert security provider to keep IaaS resources safe. Without these kinds of tools in place, shadow IT will only proliferate.
3. It's easy to detect
Okay, you'll say, so we have to start paying attention to shadow IT. We'll just run our traffic logs through some search parameters and see what we're dealing with. How hard can it be?
First off, log analysis is a costly and time-consuming process. Second, the logs aren't going to tell you what data is being transferred. Because many SaaS sites use HTTPS encryption, they may not even be flagged as SaaS. The unavoidable conclusion is that application-identification technologies built into your security infrastructure are critical for any organization that wants to work safely in the cloud.
4. Cloud services are already secure
If these services use encryption, isn't that a sign that they're secure? Can't we just rely on the security measures in place at the SaaS or IaaS provider?
In the Tech Pro Research survey, 70% of respondents felt their IaaS provider is responsible for security. And that's true, to an extent. Cloud security vendors secure their cloud infrastructure, while you're responsible for securing your apps and data. Whether you're using IaaS or SaaS, data integrity and access control are your responsibility. This is called the Shared Responsibility Model.
5. Shadow IT won't lead to a serious breach
More than half of the Tech Pro Research respondents said they are not devoting funds to securing SaaS usage, and as we mentioned, only 18% rely on dedicated third parties to secure IaaS. So shadow IT is clearly not a priority, even though it should be.
The risks of data leakage and regulatory violations are significant. Gartner says that by 2020, one-third of successful cyberattacks will be mounted on shadow IT resources. Leaving a hole this big in your company's defenses is a recipe for disaster.
Why Palo Alto Networks
Cybersecurity is a full-time job, and the talent pool from which to pick is shrinking. Most companies lack the human or budgetary resources to manage security consistently, especially when malicious actors have automated their processes and launch attacks effortlessly. The answer for today's companies is to implement a true, Next-Generation Security Platform that ensures a uniform security posture across network, cloud, and endpoint.This approach represents the smartest, most cost-effective, and most efficient approach to securing cloud usage in today's uncertain world.
Palo Alto Networks ® Next-Generation Security Platform tracks applications, users, and content to ensure that leaks are prevented. Palo Alto Networks products integrate seamlessly into physical and virtual environments, providing consistent, automated protection at endpoints, in the datacenter, and in the cloud. Enterprises can secure all business-critical data residing within SaaS applications with Aperture, part of the Next-Generation Security Platform. Aperture provides visibility and reporting, instant classification, and granular enforcement across users, folders and file activities.
This protection is based on a global trove of threat intelligence that Palo Alto Networks brings to bear against major and minor threats. To learn more about Palo Alto Networks ® Next-Generation Security Platform, visit go.paloaltonetworks.com/secureclouds