PROTECTING YOUR CLOUDS | A ZDNet Multiplexer Blog What's this?

Bringing Shadow IT Out of the Shadows

Shadow IT arises in your network because users figure it's better to ask for forgiveness than permission, or because you simply haven't defined any policy around SaaS use. When you have full visibility into the traffic on your network, you can find where unauthorized applications are being used, potentially compromising your security and exposing sensitive data.

Back in the day, the only software products on your company's network were the ones IT installed. Nowadays, employees can easily access a variety of compelling Internet-based services, and they help themselves to whichever apps seem to help them do their jobs. These services run in the cloud, often out of sight of IT and therefore out of their control. This is what we call "Shadow IT."

With the proper security measures in place, however, you can bring that unauthorized SaaS use out into the open and ensure it's safe, ultimately empowering users.

Shadow IT belongs to an era when IT didn't have full visibility into applications. It's all too easy for legacy security tools to miss the fact that unauthorized software is being used on the enterprise network. Most of these SaaS services are web sites, and you can't just block all web sites. Even worse, they may be HTTPS sites, which (for very good reasons) are also ubiquitous and which encrypt all traffic, hiding it from legacy tools. It's very difficult to secure your network and data without next-generation security.

Shadow IT most often involves Internet services, which typically means that the software is unauthorized, and that company data is traveling to a third party site. Is it being handled properly there? Data being taken to these third party sites may be a regulatory violation in and of itself, as it's now more available to be scanned for advertising or other research.

Finding out that shadow applications are being used -- and what they are being used for -- requires full visibility into data traffic flows. You need to see where data is going and who is using it.

Conventional security tools, operating on the endpoint or enterprise network perimeter, are essential to manage systems, block network attacks and malware, and guard sensitive data. But these products are challenged by data stored off-network at SaaS vendors like Salesforce, Microsoft Office 365, and Google G Suite. There, a different approach is necessary.

Next-Generation Security Platforms have the ability to manage data even when it's offsite. App-ID from Palo Alto Networks, for example, identifies all the applications on the network and determines their behavioral characteristics and relative risk. App-ID can eliminate shadow IT by decrypting traffic and providing fine-grained control, allowing only sanctioned Office 365 accounts, for example, or permitting messages on Slack but blocking file transfers.

With a solution like App-ID in place, you can then use a CASB (Cloud Access Security Broker) like Aperture, also a part of the Next-Generation Security Platform from Palo Alto Networks. Aperture runs in the cloud and manages all user behavior and data access that happens within the SaaS application. It occupies a privileged position in the SaaS, allowing it to enforce policy and mitigate attacks, and also to scan existing data for violations of policy.

Established SaaS providers that support enterprise-level customers typically allow for CASB integration. By sanctioning these services, you can lessen the temptation for users to go off the IT grid.

Learn more about Palo Alto Networks® Next-Generation Security Platform for cloud at