Adoption of cloud-based applications is growing rapidly across organizations of all sizes and complexities. Today’s organizations are ever more reliant on cloud applications and are embracing a cloud-first mindset. Cloud has its benefits and also its challenges, especially in the form of cloud shadow IT. The CredenceIA team discusses how an IGA solution can be used effectively to get a grasp on, and control of, shadow IT.
Shadow IT in the Era of SaaS
SaaS/cloud adoption is growing, and organizations are moving to cloud-based applications in droves. Cloud-based applications have several benefits: reduced IT costs, improved reliability, flexibility, a better end-user experience, and the ability to collaborate with external users, partners and businesses, which helps expand business competency and opens up new possibilities.
No matter how well defined their security practices are, most companies today are hybrid, i.e. their applications are both on premise and cloud based. As a result, organizations are grappling with the possibility of data moving out into the cloud and, more concerning, into unauthorized applications that are not under the lens of IT.
Shadow IT occurs in several ways.
The most common is employees signing up for a cloud-based application without informing the Security and IT teams or going through their formal approval process, to avoid being “slowed down”.
Business units tend to sign up for a cloud solution, or enter into a collaboration with other businesses, and start exchanging data without following organizational policies.
Many SaaS applications that are common today (e.g. Slack, Microsoft Teams, Zoom) are designed to make collaboration between participants easy and provide intuitive ways to share data. That data could be sensitive.
Several SaaS applications offer a “plug-in” approach that allows users to install 3rd party applications on top of collaboration tools, and those applications in turn are also able to read messages and emails.
All of these are serious issues, and there is no native tool that effectively allows an organization’s IT and Security teams to manage what is being shared across such platforms. Most IT departments are not fully aware of how many cloud applications are in use at their company. That raises the question: how do you control something that you can’t see?
Steps to Address Shadow IT
CredenceIA utilizes a repeatable framework that helps gain control of shadow IT in the cloud and manage it. The process is defined in 4 steps, as depicted below:
Step 1: Discover
Discovering shadow IT in the cloud involves collaboration and consultation across various teams. Analysis of firewall/network logs can help discover cloud applications that are in use. A questionnaire that business unit leaders fill out with input from their staff also brings to attention applications that are harder to locate or analyze from logs. Collecting this data allows grouping by department, function etc. to understand where most of the cloud applications that are not under IT control are in use.
Step 2: Analysis
Once there is visibility into cloud applications, the next step is analysis. Analysis includes asking questions such as:
Are the cloud applications compliant with relevant standards, such as HIPAA, SOC2, SOX, and GDPR?
What is the usage of the application?
Which department/business unit is using such applications, and what are the drivers for using them?
Are there alternative applications available?
Can the application be integrated with the organization’s access (e.g. SSO) solution and/or governance solution?
Step 3: Integrate
For identified high-interest applications that are widely used, the feasibility of integration with the existing SSO solution and/or IGA solution should be considered. Once an application is under the SSO solution, its native authentication is no longer in use; instead, access to the application is governed by the organization’s password policy, including secure passwords or multifactor authentication.
For applications that are sensitive in nature, integration with the IGA solution is the logical choice. More and more SaaS applications are being integrated with IGA solutions, allowing organizations to gain control of accounts, entitlements, and permissions. Using the IGA solution’s capabilities, organizations can bring access governance to applications like Microsoft SharePoint and gain control over who has access to sensitive data. Once done, access to such applications can be managed as part of the user lifecycle, with access request, approval and standardized ongoing governance.
Step 4: Monitor
Ongoing, organization-wide monitoring of cloud traffic patterns and new application usage via logs gives early visibility into emerging application usage, identifies patterns of risk and allows the organization to stay ahead before shadow IT becomes a larger problem. Further, depending on the IGA tools in use (e.g. Saviynt or SailPoint), many SIEM tools that monitor such logs and patterns can also be integrated with the IGA solution and help identify risk before it’s too late. Whether an organization is just getting started or has an existing IGA ecosystem, the inclusion of cloud applications provides actionable insight that helps strengthen its security and compliance while balancing changing business drivers and preferences.
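The log analysis in Step 1 and the new-application monitoring in Step 4 can be sketched as follows. This is an added example, not CredenceIA's tooling; the CSV log layout, the sanctioned-application list, the user-to-department mapping and all hostnames are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports: timestamp,user,destination_host,bytes_out
BASELINE_LOG = """\
2024-03-04T09:12:01Z,alice,login.corp-sso.test,512
2024-03-04T09:15:40Z,alice,app.notes-saas.test,20480
2024-03-04T10:02:11Z,bob,app.notes-saas.test,1024
2024-03-05T11:30:00Z,carol,api.chat-saas.test,4096
"""
CURRENT_LOG = """\
2024-03-11T08:00:00Z,alice,app.notes-saas.test,2048
2024-03-11T08:05:00Z,carol,upload.fileshare-saas.test,1048576

2024-03-11T08:06:00Z,dave,upload.fileshare-saas.test,2048
2024-03-11T09:00:00Z,bob,mail.corp-mail.test,300
"""
SANCTIONED = {"corp-sso.test", "corp-mail.test"}   # assumed IT-approved apps
DEPARTMENTS = {"alice": "Finance", "bob": "Finance", "carol": "Engineering"}

def app_key(host):
    # Simplification: last two labels. Production code needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, sanctioned=SANCTIONED, departments=DEPARTMENTS):
    """Return {app: {"departments": {dept: distinct_users}, "bytes_out": total}}."""
    users = defaultdict(lambda: defaultdict(set))
    bytes_out = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4 or not row[3].isdigit():
            continue                      # skip blank, header or malformed rows
        _, user, host, sent = row
        app = app_key(host)
        if app in sanctioned:
            continue                      # only unsanctioned apps are reported
        users[app][departments.get(user, "unknown")].add(user)
        bytes_out[app] += int(sent)
    return {a: {"departments": {d: len(u) for d, u in depts.items()},
                "bytes_out": bytes_out[a]} for a, depts in users.items()}

def newly_seen(baseline_text, current_text):
    """Apps present in the current period but absent from the baseline."""
    return sorted(set(discover(current_text)) - set(discover(baseline_text)))

if __name__ == "__main__":
    for app, info in discover(BASELINE_LOG).items():
        print(app, info)
    print("new this period:", newly_seen(BASELINE_LOG, CURRENT_LOG))
```

Users missing from the department mapping are grouped under "unknown", which is itself worth reviewing during discovery.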
Using a defined approval process for new cloud solutions, with proper request/approval and periodic certification for cloud applications and 3rd party collaborations, can help address the shadow IT problem to a great extent. The CredenceIA team can help with assessment and strategy to gain visibility into shadow IT and in turn help reduce risk, effort and budget.
About CredenceIA Consulting
CredenceIA Consulting brings over 20 years of experience working with organizations of all sizes and complexities. This allows CredenceIA Consulting advisors to get the best value and outcome within time and budget. CredenceIA Consulting provides advisory and implementation solutions. We have a successful track record of IAM implementations via our award-winning team. CredenceIA Consulting brings value with its robust project planning, execution and management expertise.
CredenceIA Consulting’s all-encompassing tailored solutions, from advisory and implementation to US-based L2/L3 managed services, allow CISOs and their teams to focus where attention is necessary.