Rogue applications are everywhere within companies, thanks to shadow IT. To tame this wild proliferation of unauthorized software, IT leaders must turn to new tools that protect company data.
Mathias Thurman writes, “The security risk that I am most focused on right now is this: Shadow IT and the consumerization of IT have put too many employee work activities out of sight of the security department.
“Employees at my company now use more than 90 cloud-based apps that I know of. Most of these are categorized as software as a service (SaaS). Many are corporate-sanctioned, meaning the business unit or IT went through a selection process to identify and procure an application, and my department was at least consulted. This list includes applications such as ADP for payroll, Salesforce, Workday, Oracle, WebEx, Google Docs, Microsoft® Office 365 and SAP.
“Other apps are unsanctioned but tolerated. These include GitHub for source code and Skype® and Yahoo IM for communication.
“Then there are apps that I only find out about because I get invited to join or I observe the application’s traffic while monitoring events on our firewalls. One recent invite was for a team collaboration tool that allows for the collection and sharing of ideas. An engineer introduced the free app to our network and was using it to share some fairly sensitive information regarding security weaknesses in our product. Although his intentions were good and the tool got the job done, it was a security nightmare. Authentication? Nonexistent. Encryption? Same story. The app uses http instead of https, and worst of all, everything shared to it gets indexed by Google, meaning it can be discovered by anyone.
“When I find out about a risky app like that that’s being used in the company, I explain the dangers to the parties for whom it is useful and we try to come up with an alternative that will be more secure.”
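The discovery step Thurman describes, spotting unknown apps in firewall traffic and noticing that one of them runs over plain http, can be partly automated. The following is an added example, not code from the article or from Thurman's company: it parses constructed proxy log lines, classifies each host against constructed sanctioned and tolerated lists, and reports apps that are unknown to security or that send data in the clear.

```python
# Added example, not from the article: build a SaaS inventory from proxy/firewall
# logs and flag apps unknown to security plus anything sent over cleartext http.
import re
# Constructed allow-lists; real ones come from procurement and the security team.
SANCTIONED = {"salesforce.com", "workday.com", "webex.com", "office365.com"}
TOLERATED = {"github.com", "skype.com", "messenger.yahoo.com"}
# Constructed log format: "<timestamp> <src_ip> <scheme>://<host>/<path> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (https?)://([^/\s]+)\S* (\d+)$")
SAMPLE_LOGS = """\
2024-01-09T10:01:02 10.0.4.21 https://login.salesforce.com/ 4821
2024-01-09T10:01:07 10.0.4.21 https://github.com/ 9120
2024-01-09T10:02:15 10.0.4.33 http://ideaboard.example/share/sec-review 77310
2024-01-09T10:02:16 10.0.4.40 http://ideaboard.example/share/sec-review 210
2024-01-09T10:03:40 10.0.7.12 https://app.workday.com/ 1200
garbage line that the parser must skip
"""

def classify(host):
    """Map a host to sanctioned / tolerated / unknown by exact or parent-domain match."""
    h = host.lower()
    parent = ".".join(h.split(".")[-2:])  # naive: 'login.salesforce.com' -> 'salesforce.com'
    for status, allowed in (("sanctioned", SANCTIONED), ("tolerated", TOLERATED)):
        if h in allowed or parent in allowed:
            return status
    return "unknown"

def inventory(log_text):
    """One record per observed host: status, schemes seen, client IPs, bytes sent."""
    apps = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole run
        _ts, src, scheme, host, nbytes = m.groups()
        rec = apps.setdefault(host, {"status": classify(host), "schemes": set(),
                                     "clients": set(), "bytes": 0})
        rec["schemes"].add(scheme)
        rec["clients"].add(src)
        rec["bytes"] += int(nbytes)
    return apps

def findings(apps):
    """Hosts that need follow-up, largest data volume first, each with its reasons."""
    out = []
    for host, rec in apps.items():
        reasons = [why for hit, why in ((rec["status"] == "unknown", "not on any approved list"),
                                        ("http" in rec["schemes"], "cleartext http")) if hit]
        if reasons:
            out.append((host, rec["bytes"], reasons))
    return sorted(out, key=lambda f: -f[1])
```

The `clients` set tells you which machines to follow up with, which is the conversation Thurman describes having once a risky app turns up.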