Employees may not realize they're doing anything wrong but these potential leaks still need to be plugged.
It’s a problem seen across all federal agencies: Employees are using cloud-based applications that aren’t approved or protected by IT teams. These apps range from sharing tools, such as cloud storage platforms, to social media sites or personal email accounts that are accessed from network devices. This problem is called shadow IT, and it can be a significant security risk for federal agencies.
Why Do Employees Turn to Shadow IT?
In some cases, employees may not even be aware that they are doing anything wrong. Their daily lives include checking social media and personal email, regardless if they are at home or on their network computer at work. A “quick” post on social media or a nefarious email in their personal account that entices them to click can quickly lead to sensitive data loss, or worse yet, malware entering your network undetected.
In other cases, employees turn to unapproved apps because it helps them get their job done. They simply feel that the tools they have been given do not allow them to do their job efficiently or effectively. They look to other options, which are often unapproved cloud-based apps.
Data loss prevention is the single biggest concern stemming from federal employees creating their own cloud-based strategies with applications. Even in cloud environments dedicated to government use, some parts of the environment may have the proper controls in place, but others may not.
Taking the Offensive: Attack the Problem
So how do IT departments set about identifying the unapproved applications that are being used? A good place to start is to educate your employees, who might not even be aware that what they are using poses a security risk. Agencies should have policies on social media and personal email use in place, and enforce those policies.
Agencies should also do a thorough examination of their cloud strategy to identify any inefficiencies that could lead to employees leveraging unapproved applications for their work. Probe the way people are working. How do they access data? What are their true needs to do their jobs?
What you may find is that agencies already have an approved, secure tool to support the employee’s needs. But, that tool could be difficult or inefficient to use. Also, employees are often creatures of habit, so they have their “favorite” tools that they know work. These tools may offer speed and efficiency. They also may be easily accessed and user-friendly. If the approved solution is slow, cumbersome, and difficult to manage, they will turn to their favorite, unapproved tool instead.
When you find instances of shadow IT that employees say they need in order to do their job, ask the question: what would work for them? By working with employees to find good solutions, CIOs can help eliminate a good chunk of their shadow IT issues.
Defense Is Critical
How do agencies protect against instances of shadow IT? The answer is multi-pronged but starts with a review of the traditional approach to security threats.
Typically, agencies have perimeter security or an intrusion prevention solution in place to monitor incoming and outgoing traffic on their networks, stopping threats as they arise. But those become quickly antiquated with cloud-based applications.
A more robust strategy is needed for IT departments to evolve their ability to combat threats associated with shadow IT. The latest platform that offers additional protection is cloud access security brokers, known as CASBs, which can integrate with different cloud-based service providers.
A CASB serves essentially as a middleman between the cloud-based environment and the employee. Traffic going into the secured cloud environment goes through the CASB first. It ensures there is no intellectual property or sensitive personal information being transferred.
CASB solutions are a good starting point, but they won’t solve all the issues. They still require access to environments and protect only the areas where they have been pointed. With all of that in mind, the best defense right now is taking a multi-layered security approach.
Agencies should start with a CASB for anything it knows will be in a cloud environment. Layering in a traditional approach with a firewall and IPS, which blocks private cloud traffic to support the CASB, will provide added coverage to better protect from the threats unapproved apps can create. The main goal within the multi-layered security approach is to have complete visibility into all of the data both within your network and also with everything leaving your network.
While there is no one way that will completely solve this problem, taking offensive and defensive measures now will position your agency to be better protected against shadow IT threats.
Pete Burke is the security practice team lead at Force 3.
NEXT STORY: Modernizing Government IT Starts with Data