As I have written on numerous occasions, the Cloud (I really love Azure) is becoming the future for most businesses. It comes with numerous advantages, such as scalability, fixed monthly costs, and even more security features than your on-premises solution could or would ever have. In fact, there are a lot of new software applications that you can get for a mere fraction of the retail price. For example, when I got Office 365 for my laptop a few years ago, I had to pay $300+ for a one-year subscription. Now that I have an M365 account that is hosted in the Cloud, I am paying something like $70.00 per year. A huge difference. But with all of these new apps coming out at such low cost, employees are getting and installing them like it’s a new craze. To make matters worse, very often these apps are not approved by the IT Security team. Thus, they can pose a hazard to the Cloud deployments that you have.
This is technically known as “Shadow Management”. It has been a huge problem for a long time, even well before the popularity of the Cloud mushroomed. There can be numerous reasons why employees do this, but probably the most cited factor is that people are creatures of habit. We don’t like to change our ways unless we are absolutely forced to, and even then, we still try to revert to our old ways. For example, if Dropbox was the main tool for backing up files and all of a sudden you forced your employees to use SharePoint, you would probably get a lot of protests initially, and even after that you would have a good number of employees who still want to use Dropbox and will continue to do so behind your back. Dealing with these situations has been very tough for IT Security teams recently.
So what is one to do in these instances? Punish the employee? In today’s world, this technique will not work anymore. Instead, as a manager, you need to take a step back, take a holistic approach, and answer this very fundamental question: “Why are my employees doing this?” Here are some answers that might guide you:
1) Vendors are pushing:
IT software vendors are pretty much taking their products off the retail shelves. Now they are putting everything into the Cloud, but it is up to your Cloud Provider whether to offer them or not. In Azure, there is a marketplace from which you can choose any type of software package you need. It is totally incredible. While this may be great, it is also very tempting for your employees to download these new apps without getting your approval. For example, if they can save a few clicks with a new file transfer tool, why not? Every day, employees are bombarded with emails from vendors, and the sad part is that the offers are becoming even more enticing. But even worse is that when an employee does download a new app without your permission, these vendors often claim that their products are totally safe to use. While this might be true in an absolute sense, your employees will most likely forget that they are in a shared environment, meaning whatever they download could have a negative impact upon another tenant that is using the same shared platform as you are. Worse still, these new apps will most likely not be configured to fit your security requirements. As a result, this could lead to serious cases of data leakage.
2) Security is assumed:
Whenever we get an email solicitation from a well-known IT vendor, we always assume that their SaaS offering will be safe to use. However, this is the very worst position to take. These could be fake vendors who have created what is known as an “Application Marketplace”. The apps they create are often phony, and will very often contain malware that can spread through your Cloud deployment like wildfire. They will even offer cut-throat pricing on them, enticing your employees even more. Once again, this is where your employees need to understand how to identify a phishing email and a spoofed site. Worse yet, if one of your employees does indeed download one of these rogue apps, it could even open up backdoors in your environment for the cyberattacker to penetrate through.
3) More tricks up the sleeve:
The IT vendors will never cease trying to get your employees to use their products. Some of the newest gimmicks include offering long free trial periods (months, rather than the usual 2-week or 30-day trial periods), or even offering them for sale at pennies on the dollar. Again, most of these offers will come as emails, and while they may come from legitimate vendors, these emails are really spam and should be treated as such. As a CISO, you can direct your IT Security team to examine all of the emails that are non-employee related. If a lot of them are from IT vendors, then you can mark them as spam at the point of entry so they do not get into your employees’ inboxes. I know Exchange has something like this.
My Thoughts On This:
I should mention that another term for this is “SaaS Sprawl”. This simply means that you have a ton of Cloud apps downloaded by your employees, which not only increases your attack surface, but also consumes valuable resources, which will drive up your Cloud costs even further.
The best way to avoid this is to conduct audits of all the apps your employees are using at regular intervals, and cut off the ones that have not been approved.
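As an added example (not code from the original post), here is a small Python audit script that does the regular check described above: it compares an inventory of the apps employees have consented to against the IT Security team's approval list, and also flags apps holding broad permission scopes and approved apps nobody has used in a while, since those are the ones adding attack surface or cost. It assumes the consent export from your identity provider has already been flattened to one record per app with the fields shown; the apps, publishers, user counts and dates are constructed, and the scope names follow Microsoft Graph permission naming, which is an assumption about the export format.

```python
"""Audit a flattened inventory of SaaS / OAuth app consents against an approval list.

Added example: assumes the identity provider's consent export has already been
reduced to one record per app with the fields used below.
"""
from datetime import date, timedelta

# Permission scopes that grant broad access to data. An app holding one of these is
# reported even when it is approved, because it deserves a second look at each audit.
# The names follow Microsoft Graph permission naming (an assumption about the export).
HIGH_RISK_SCOPES = {
    "Files.ReadWrite.All",
    "Mail.ReadWrite",
    "Directory.ReadWrite.All",
    "Sites.FullControl.All",
}

# Constructed sample inventory: the apps, publishers, counts and dates are made up.
SAMPLE_INVENTORY = [
    {"app": "SharePoint Online", "publisher": "Microsoft", "users": 420,
     "scopes": ["Sites.FullControl.All"], "last_used": "2024-05-20"},
    {"app": "QuickDrop Transfer", "publisher": "quickdrop.example", "users": 37,
     "scopes": ["Files.ReadWrite.All", "Mail.Read"], "last_used": "2024-05-18"},
    {"app": "Dropbox", "publisher": "Dropbox", "users": 64,
     "scopes": ["Files.Read"], "last_used": "2024-05-19"},
    {"app": "MeetingNotes AI", "publisher": "notes-ai.example", "users": 5,
     "scopes": ["Mail.ReadWrite", "Calendars.Read"], "last_used": "2024-05-17"},
    {"app": "Old Survey Tool", "publisher": "survey.example", "users": 12,
     "scopes": ["User.Read"], "last_used": "2023-11-02"},
]

# The allowlist the IT Security team maintains: only these names have been reviewed.
APPROVED_APPS = {"SharePoint Online", "Old Survey Tool"}


def audit_apps(inventory, approved_apps, today="2024-05-21", stale_days=90):
    """Classify every app in the inventory and return three finding lists.

    unapproved     - apps nobody on the security team has reviewed (attack surface)
    high_privilege - apps, approved or not, holding a scope from HIGH_RISK_SCOPES
    stale          - approved apps unused for more than stale_days (cost without value)
    """
    as_of = date.fromisoformat(today)
    cutoff = as_of - timedelta(days=stale_days)
    unapproved, high_privilege, stale = [], [], []
    for rec in inventory:
        name = rec["app"]
        last_used = date.fromisoformat(rec["last_used"])
        risky = sorted(HIGH_RISK_SCOPES.intersection(rec["scopes"]))
        if name not in approved_apps:
            unapproved.append((name, rec["publisher"], rec["users"]))
        if risky:
            high_privilege.append((name, risky))
        if name in approved_apps and last_used < cutoff:
            stale.append((name, (as_of - last_used).days))
    # Largest user base first: that is where a blunt cut-off would hurt most and
    # where the conversation about an approved alternative should start.
    unapproved.sort(key=lambda finding: finding[2], reverse=True)
    return {"unapproved": unapproved, "high_privilege": high_privilege, "stale": stale}


def render_report(findings):
    """Turn the findings into the plain-text summary a CISO would read."""
    lines = ["Unapproved apps (users):"]
    lines += [f"  {name} <{publisher}> {users}"
              for name, publisher, users in findings["unapproved"]]
    lines.append("Apps holding high-risk scopes:")
    lines += [f"  {name}: {', '.join(scopes)}" for name, scopes in findings["high_privilege"]]
    lines.append("Approved apps unused recently (days idle):")
    lines += [f"  {name}: {days}" for name, days in findings["stale"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit_apps(SAMPLE_INVENTORY, APPROVED_APPS)))
```

Run it on each audit cycle with the current export and the current allowlist; the unapproved list is what to cut off or push through the approval process, and the stale list is where the cost savings are.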
But you also need to educate your employees on the risks of downloading unapproved apps. Tell them that if there is something they really want or need, they should have it approved first by the IT Security team. Of course, this means that your team should not take forever to approve it, because that will just give the employee more temptation to download it without you knowing about it.