Here are 3 ways you can use a cloud access security broker to prevent shadow IT usage from making your cloud data vulnerable:
1. Target all unsanctioned cloud services in use
The first measures put in place with a cloud access security broker can help determine how heavily shadow IT is being used within the business. CASB solutions collate firewall as well as proxy logs, and from the analysis of these logs, IT departments are able to discover any cloud services being used by employees and business units. From there, IT staff can determine which cloud services do not meet minimum data security requirements. The hard part without a CASB is that IT departments can’t monitor all of the activity carried out by everyone in the organization. The use of personal devices and mobiles makes it difficult to track and flag some cloud services in use by employees, as they may be using personal email accounts to share files and messages with fellow members of staff.
Obviously this is a high-risk form of activity, but it does happen when workers are based at home, or working on the road and need a cloud service at their fingertips. Sometimes staff do this simply because they feel a certain unsanctioned cloud service will help them more than the service their company has provided them with.
The problem here is that they don’t want their administrators or senior managers noticing they have made an account, so they sign up using their own personal details instead of their work email address, as they normally would for cloud services in an enterprise setting.
2. Calculate the risks involved with each cloud service being used
Thanks to the ever-changing technology in the cloud security industry, cloud access security brokers are able to keep up-to-date registries of every cloud service any member of staff within an organisation registers for. The cloud access security broker takes each service and assesses the risk value based on 50 attributes, and more than 260 sub-attributes.
Examples of sub-attributes include a cloud service claiming ownership of data uploaded, a cloud service sharing the user’s data with third parties without authorization or acknowledgement from the user, and the encryption of data at rest (in other words, data that is stored, e.g. on a laptop or hard drive, rather than moving between accounts and devices).
It is very easy for any member of staff to use a third-party cloud service without reading the small print or realizing the risks associated with it. Let’s say one of your staff finds a convenient tool online to convert JPEG images or Microsoft Word documents into PDF documents.
A common risk associated with this is that the cloud service will state in its terms and conditions that it claims ownership of any files uploaded to its portal. It wouldn’t matter if the files were something as simple as a receipt for an order, or a datasheet containing dozens of customers’ personal details or credit card information; either way, you won’t want to be sharing that stuff…
3. The application of cloud governance policies
Once the CASB has calculated all of the risk assessments attached to each cloud service being used, the IT department and senior staff within the company can put the appropriate cloud governance policies into place.
The main benefit of this to a large organization is that the riskier cloud applications will be blacklisted, providing the opportunity for the safer cloud services and cloud applications to be actively promoted across the entire organisation. This works by aligning the CASB with the company’s existing proxy logs and firewall, so that the dangerous cloud services can be blocked on the devices in use.
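The three steps above (discovery from proxy logs, risk scoring, blocklisting) are shown end to end in the following added example, which is not code from any CASB product. The log format, host names, registry entries, weights and threshold are all constructed assumptions, and the registry uses only the three sub-attributes named in this article rather than a full attribute set.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, user, method, URL, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST https://pdf-convert.example/upload 482113
2024-05-01T09:15:40Z bob POST https://files.corp-storage.example/api/put 90211
2024-05-01T10:02:11Z alice POST https://pdf-convert.example/upload 1200345
2024-05-01T10:30:00Z carol GET https://notes-share.example/doc/17 0
2024-05-01T11:45:09Z dave POST https://notes-share.example/doc/new 20480
malformed entry
"""

SANCTIONED = {"files.corp-storage.example"}  # services IT has approved (assumed)
# Assumed risk registry built from the sub-attributes the article mentions.
REGISTRY = {
    "pdf-convert.example": {"claims_ownership": True, "shares_with_third_parties": True, "no_encryption_at_rest": True},
    "notes-share.example": {"claims_ownership": False, "shares_with_third_parties": False, "no_encryption_at_rest": False},
}
WEIGHTS = {"claims_ownership": 4, "shares_with_third_parties": 3, "no_encryption_at_rest": 3}  # illustrative

def discover(log_text):
    """Step 1: aggregate users and uploaded bytes per unsanctioned host."""
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the assumed format
        _, user, _, url, sent = parts
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in SANCTIONED:
            usage[host]["users"].add(user)
            usage[host]["bytes_up"] += int(sent)
    return dict(usage)

def risk_score(host):
    """Step 2: score 0-10; a service missing from the registry gets the maximum."""
    attrs = REGISTRY.get(host)
    if attrs is None:
        return 10
    return min(10, sum(w for name, w in WEIGHTS.items() if attrs[name]))

def blocklist(log_text, threshold=7):
    """Step 3: discovered hosts whose score meets the blocking threshold."""
    return sorted(h for h in discover(log_text) if risk_score(h) >= threshold)
```

The output of `blocklist` is the kind of list that would be pushed to the proxy or firewall, while low-scoring hosts from `discover` become candidates for sanctioning.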