Saturday, February 25, 2023

Don't Blame Your Employees For Rogue Apps: Blame The Vendors

As I have written on numerous occasions, the Cloud (I really love Azure) is becoming the default for most businesses.  It comes with numerous advantages, such as scalability, predictable monthly costs, and more security features than most On Premises solutions could ever offer. 

In fact, there are a lot of new software applications that you can get for a mere fraction of their retail cost.  For example, when I bought Office 365 for my laptop a few years ago, I had to pay $300+ for a one year subscription.

Now that I have an M365 account hosted in the Cloud, I am paying something like $70.00 per year.  A huge difference.  But with all of these new, low cost apps coming out, employees are signing up for and installing them like it’s a new craze.  To make matters worse, very often these apps have not been approved by the IT Security team. 

They can therefore pose a real hazard to your Cloud deployments.

This is technically known as “Shadow IT”.  It has been a huge problem for a long time, since well before the popularity of the Cloud mushroomed.  There can be numerous reasons why employees do this, but probably the most cited factor is that people are creatures of habit.  We don’t like to change our ways unless we are absolutely forced to, and even then, we still try to revert to our old ways.

For example, if Dropbox had been the main tool for sharing and backing up files, and all of a sudden you forced your employees to use SharePoint, you would probably get a lot of protests initially.  Even after that, a good number of employees would still want to use Dropbox, and would continue to do so behind your back.  Dealing with these situations has been very tough for IT Security teams.

So what is one to do in these instances?  Punish the employee?  In today’s world, this technique no longer works.  Instead, as a manager, you need to take a step back, take a holistic approach, and answer this very fundamental question:  “Why are my employees doing this?”  Here are some answers that might guide you:

1) Vendors are pushing:

IT software vendors have pretty much taken their products off the retail shelves.  Now they put everything into the Cloud, but it is up to your Cloud Provider whether to offer them or not.  In Azure, there is a marketplace from which you can choose any kind of software package you need.  It is totally incredible.  While this may be great, it is also very tempting for your employees to install these new apps without getting your approval.  For example, if they can save a few clicks with a new file transfer tool, why not?  Every day, employees are bombarded with emails from vendors, and the sad part is that the offers keep getting more enticing.  Even worse, when an employee does install a new app without your permission, the vendor will often claim that the product is totally safe to use.  While this might be true of the product in isolation, your employees will most likely forget that they are working inside a shared corporate tenant.  Meaning, whatever they install may be granted access to the same mailboxes, files and directory data that other teams in the tenant rely on.  Still worse, these new apps will most likely not be configured to fit your security requirements.  As a result, this could lead to serious cases of data leakage.

2) Security is assumed:

Whenever we get an email solicitation from a well known IT vendor, we assume that their SaaS offering will be safe to use.  However, this is the very worst position to take.  The sender could be a fake vendor who has set up what looks like a legitimate “Application Marketplace”.  The apps offered there are often phony, and will very often contain malware that can spread through your Cloud deployment like wildfire.  They will also offer cut-throat pricing, enticing your employees even more.  Once again, this is where your employees need to know how to identify a Phishing email and a spoofed site.  Worse yet, if one of your employees does install one of these rogue apps, it could open up backdoors in your environment for the Cyberattacker to penetrate through.

3) More tricks up the sleeve:

IT vendors will never stop trying to get your employees to use their products.  Some of the newest gimmicks include long free trial periods (months, rather than the usual 2 week or 30 day trial) or selling at pennies on the dollar.  Again, most of these offers will come as emails.  Even when they come from legitimate vendors, these emails are really spam and should be treated as such.  As a CISO, you can direct your IT Security team to examine the inbound mail that is not employee related.  If a lot of it is from IT vendors, you can mark it as spam at the point of entry so it never reaches your employees’ inboxes.  Exchange Online has mail flow rules and anti-spam policies for exactly this.

My Thoughts On This:

I should mention that another term for this is “SaaS Sprawl”.  It simply means that you have a ton of Cloud apps installed by your employees, which not only increases your attack surface, but also consumes licenses, storage and administrative attention, driving up your Cloud costs even further. 

The best way to avoid this is to audit, at regular intervals, all of the apps your employees have installed or consented to, and cut off the ones that were never approved.
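As an added example (not code from the original post), here is a triage script showing what such an audit can look like for the M365 case the post describes, covering both the unapproved marketplace apps from point 1 and the periodic audit above. It assumes you have exported the tenant's service principals and OAuth consent grants from the Microsoft Graph servicePrincipals and oauth2PermissionGrants endpoints; the data embedded below is a constructed sample, and the app names, GUIDs, the allow-list and the high-risk scope set are assumptions rather than anything from the original page. It flags apps that are not on the allow-list, ranks them by the scopes they hold, whether consent was granted tenant-wide and whether the publisher is verified, and lists the grant IDs to revoke.

```python
"""Triage unapproved apps from a Microsoft Graph consent export (added example).

Input shape follows Graph's servicePrincipal and oauth2PermissionGrant
resources; the data below is a constructed sample, not a real tenant.
"""
import json
from collections import defaultdict

# Delegated scopes that give an app broad reach over mail, files or the
# directory, or let it keep a refresh token (offline_access). Assumed list;
# tune it to your own tenant's risk appetite.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All", "offline_access",
}

# Hypothetical allow-list of appIds the IT Security team has actually reviewed.
APPROVED_APP_IDS = {"a2"}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample export: four service principals, four consent grants.
SAMPLE_EXPORT = """
{
  "servicePrincipals": [
    {"id": "sp-1", "appId": "a1", "appDisplayName": "QuickShare File Mover",
     "verifiedPublisher": {"displayName": null, "verifiedPublisherId": null}},
    {"id": "sp-2", "appId": "a2", "appDisplayName": "Contoso Approved Sync",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "pub-1"}},
    {"id": "sp-3", "appId": "a3", "appDisplayName": "Calendar Colors",
     "verifiedPublisher": {"displayName": "Fabrikam", "verifiedPublisherId": "pub-2"}},
    {"id": "sp-4", "appId": "a4", "appDisplayName": "Fabrikam Mail Merge",
     "verifiedPublisher": {"displayName": "Fabrikam", "verifiedPublisherId": "pub-2"}}
  ],
  "oauth2PermissionGrants": [
    {"id": "g1", "clientId": "sp-1", "consentType": "AllPrincipals", "principalId": null,
     "scope": "Files.ReadWrite.All Mail.Send offline_access"},
    {"id": "g2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null,
     "scope": "Files.ReadWrite.All"},
    {"id": "g3", "clientId": "sp-3", "consentType": "Principal", "principalId": "user-7",
     "scope": "Calendars.Read User.Read"},
    {"id": "g4", "clientId": "sp-4", "consentType": "Principal", "principalId": "user-3",
     "scope": "Mail.Send User.Read"}
  ]
}
"""


def load_export(text):
    """Parse the export; return service principals keyed by object id, plus the grants."""
    data = json.loads(text)
    sps = {sp["id"]: sp for sp in data["servicePrincipals"]}
    return sps, data["oauth2PermissionGrants"]


def publisher_verified(sp):
    """True when the app's publisher completed Microsoft's publisher verification."""
    pub = sp.get("verifiedPublisher") or {}
    return bool(pub.get("verifiedPublisherId"))


def classify(sp, grants):
    """Build one finding for an app from all the consent grants issued to it."""
    scopes = set()
    tenant_wide = False
    for g in grants:
        scopes.update(g.get("scope", "").split())
        # AllPrincipals means an admin consented on behalf of every user.
        tenant_wide = tenant_wide or g["consentType"] == "AllPrincipals"
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    verified = publisher_verified(sp)
    if risky and (tenant_wide or not verified):
        risk = "high"
    elif risky:
        risk = "medium"
    else:
        risk = "low"
    return {
        "app": sp["appDisplayName"], "app_id": sp["appId"], "risk": risk,
        "risky_scopes": risky, "tenant_wide": tenant_wide,
        "publisher_verified": verified, "grant_ids": [g["id"] for g in grants],
    }


def triage(export_text, approved=APPROVED_APP_IDS):
    """Return findings, most severe first, for every app with grants not on the allow-list."""
    sps, grants = load_export(export_text)
    by_client = defaultdict(list)
    for g in grants:
        by_client[g["clientId"]].append(g)
    findings = []
    for sp_id, app_grants in by_client.items():
        # A grant whose service principal is missing from the export is still
        # reported rather than silently dropped.
        sp = sps.get(sp_id) or {"id": sp_id, "appId": sp_id,
                                "appDisplayName": f"<unknown {sp_id}>",
                                "verifiedPublisher": None}
        if sp["appId"] in approved:
            continue
        findings.append(classify(sp, app_grants))
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["app"]))
    return findings


def grants_to_revoke(findings, min_risk="high"):
    """Grant ids at or above min_risk; each maps to DELETE /oauth2PermissionGrants/{id}."""
    threshold = RISK_ORDER[min_risk]
    return [gid for f in findings if RISK_ORDER[f["risk"]] <= threshold
            for gid in f["grant_ids"]]


if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['risk']:6} {f['app']:<24} tenant_wide={f['tenant_wide']} "
              f"verified={f['publisher_verified']} scopes={' '.join(f['risky_scopes']) or '-'}")
    print("revoke:", grants_to_revoke(results))
```

Run against a real export, the "high" findings are the ones to cut off first: tenant-wide consent to broad scopes, or broad scopes held by an app whose publisher nobody has verified. Apps on the allow-list never appear, so the script also doubles as a check that the allow-list is being kept up to date.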

But you also need to educate your employees about the risks of installing unapproved apps.  Tell them that if there is something they really want or need, they should have it approved first by the IT Security team.  Of course, this means your team must not take forever to approve it, because a slow process only tempts the employee to install it without your knowing.
