Shadow IT—the use of unsanctioned or risky cloud apps in an organization—often happens when employees try to work more efficiently. But when they bypass restrictions IT has put in place, it can create considerable risk for an organization.
Zscaler Data Protection provides organizations with visibility into shadow IT alongside automated controls to manage it. This post offers eight recommendations for IT teams to best understand and effectively control shadow IT.
1. Monitor Risky Cloud Apps
Regularly review usage of SaaS applications in the organization. Identify whether use of risky apps is increasing or decreasing. In alignment with the organization's usage requirements and risk tolerance, categorize applications as sanctioned or tag them appropriately. Also, review access controls for these applications to keep the organization in line with legal and regulatory compliance obligations.
2. Review Unsanctioned Apps: App Category & Usage
Examine the transactions associated with unsanctioned applications. Conduct a comparative analysis of transaction data (specifically download and upload volumes) between unsanctioned and sanctioned apps to identify the highly used apps. Additionally, identify the cloud application category with the most unsanctioned apps in use. This will help refine cloud app control rules.
For instance, if a significant portion of unauthorized apps fall under the IT services category, you can establish policies that exclusively permit officially sanctioned IT services applications with a high priority while restricting any other applications categorized under IT services.
We recommend having a strategy in place for the top 20 highly used apps as well as the highly used app category. Comparative analysis can also help pinpoint sanctioned apps to recommend to users as alternatives to shadow IT.
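The comparative analysis above, as an added example that is not part of the original post: it ranks unsanctioned apps by upload plus download volume, finds the category holding the most unsanctioned apps, and lists the sanctioned apps in that category to recommend as alternatives. The record layout and all values are constructed for the demo, not a Zscaler export format.

```python
from collections import defaultdict

# Constructed sample of transaction records (field names and volumes are
# assumptions for this example, not a Zscaler report schema).
TRANSACTIONS = [
    {"app": "Dropbox",    "category": "File Sharing", "sanctioned": False, "upload": 900,  "download": 300},
    {"app": "Dropbox",    "category": "File Sharing", "sanctioned": False, "upload": 600,  "download": 100},
    {"app": "Box",        "category": "File Sharing", "sanctioned": True,  "upload": 2000, "download": 1500},
    {"app": "WeTransfer", "category": "File Sharing", "sanctioned": False, "upload": 50,   "download": 0},
    {"app": "PasteBin",   "category": "IT Services",  "sanctioned": False, "upload": 20,   "download": 5},
    {"app": "TeamViewer", "category": "IT Services",  "sanctioned": False, "upload": 80,   "download": 120},
    {"app": "AnyDesk",    "category": "IT Services",  "sanctioned": False, "upload": 10,   "download": 30},
    {"app": "GitHub",     "category": "IT Services",  "sanctioned": True,  "upload": 700,  "download": 900},
    {"app": "Grammarly",  "category": "Productivity", "sanctioned": False, "upload": 300,  "download": 40},
]

def volume_by_app(transactions, sanctioned):
    """Total bytes moved (upload + download) per app, for one sanction state."""
    totals = defaultdict(int)
    for t in transactions:
        if t["sanctioned"] == sanctioned:
            totals[t["app"]] += t["upload"] + t["download"]
    return dict(totals)

def top_apps(transactions, sanctioned, n=20):
    """Most-used apps by volume; the post suggests a strategy for the top 20."""
    totals = volume_by_app(transactions, sanctioned)
    return sorted(totals, key=lambda a: (-totals[a], a))[:n]

def category_with_most_unsanctioned(transactions):
    """Category containing the largest number of distinct unsanctioned apps."""
    apps = defaultdict(set)
    for t in transactions:
        if not t["sanctioned"]:
            apps[t["category"]].add(t["app"])
    return max(apps, key=lambda c: (len(apps[c]), c))

def sanctioned_alternatives(transactions, category):
    """Sanctioned apps in a category, to offer users in place of shadow IT apps."""
    return sorted({t["app"] for t in transactions
                   if t["sanctioned"] and t["category"] == category})

if __name__ == "__main__":
    cat = category_with_most_unsanctioned(TRANSACTIONS)
    print("top unsanctioned apps:", top_apps(TRANSACTIONS, sanctioned=False))
    print("category to tighten:", cat, "-> sanctioned options:", sanctioned_alternatives(TRANSACTIONS, cat))
```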
3. Balance Productivity and Security Risks
SaaS apps can enhance teamwork and collaboration, but they also frequently expose cyber vulnerabilities and may involve unauthorized software or cloud services that do not meet an organization's security benchmarks. Nonetheless, to avoid hampering productivity, IT teams are often inclined not to completely block them. To help IT teams make informed decisions that balance security risks with productivity, it is advisable to assess these applications for high-risk characteristics and evaluate their user adoption rates.
Consider Grammarly, an extensively used application in many users’ daily workflows. There are many instances of Grammarly in the marketplace as well as many third-party variants that might not be on IT’s list of approved apps. Because restricting use of Grammarly could trigger user complaints, it’s advisable to conduct a comprehensive assessment of its risk attributes.
If an app like Grammarly has not suffered any security breaches, employs robust encryption protocols for data in transit, and supports strong cipher suites, IT may opt not to block it. In the future, should any of these attributes deteriorate from good to bad, the IT department can still promptly initiate measures to block the app.
4. Evaluate Risky Attributes
Organizations should evaluate which security characteristics are most important for them, such as data breach prevention, supported TLS versions, or permitted SSL inspection for an application. Indiscriminately blocking applications based only on high risk indices may disrupt user productivity needlessly.
A more effective strategy is to create access control policies aligned with the organization's risk tolerance. For instance, one such policy could restrict all applications rated at risk index 4 with data breach vulnerabilities and no support for SSL inspection.
5. Create Dynamic Policies
Dynamic policies let users keep doing their work while security is maintained. Instead of blocking applications completely, create granular policies to control the transfer of data between the app and the user. For instance, in the case of high-risk applications, a policy can restrict uploads to personal instances of the applications.
Organizations can also take advantage of Zscaler Browser Isolation. Rather than prohibiting access to high-risk applications outright, you can permit access through browser isolation, safely empowering users to sustain their workflow without disruption. To learn more about Zscaler's Browser Isolation, see our product page.
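The attribute-based and dynamic policies of sections 4 and 5, as an added example that is not Zscaler's policy engine: an ordered, first-match rule list that blocks apps at risk index 4 with a breach history and no SSL inspection, blocks only uploads to personal instances of other high-risk apps, routes remaining high-risk access through isolation, and allows the rest. The AppProfile fields, the verdict names and every app value below are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppProfile:
    name: str
    risk_index: int        # assumed scale 1 (low) .. 5 (high); the post cites "risk index 4"
    data_breach: bool      # known breach history
    ssl_inspection: bool   # app tolerates SSL/TLS inspection
    tls_versions: tuple    # supported TLS versions as strings, e.g. ("1.2", "1.3")

# Each rule: (description, predicate over (app, action, instance), verdict).
# Rules are evaluated top-down and the first match wins, like a policy table.
RULES = [
    ("block: risk index >= 4, breached, no SSL inspection",
     lambda app, act, inst: app.risk_index >= 4 and app.data_breach and not app.ssl_inspection,
     "block"),
    ("block: only TLS 1.0/1.1 supported",
     lambda app, act, inst: not any(v >= "1.2" for v in app.tls_versions),
     "block"),
    ("block: upload to personal instance of high-risk app",
     lambda app, act, inst: app.risk_index >= 4 and act == "upload" and inst == "personal",
     "block"),
    ("isolate: other access to high-risk app",
     lambda app, act, inst: app.risk_index >= 4,
     "isolate"),
]

def evaluate(app, action, instance):
    """Return (verdict, matched rule description) for one access attempt."""
    for desc, pred, verdict in RULES:
        if pred(app, action, instance):
            return verdict, desc
    return "allow", "default: allow"

# Constructed profiles; attribute values are illustrative, not vendor data.
WRITING_AID = AppProfile("Grammarly-like", 2, False, True, ("1.2", "1.3"))
BREACHED_SHARE = AppProfile("BreachedShareTool", 4, True, False, ("1.2",))
HIGH_RISK_NOTES = AppProfile("HighRiskNotes", 4, False, True, ("1.2", "1.3"))
LEGACY_TOOL = AppProfile("LegacyTool", 2, False, True, ("1.0", "1.1"))

if __name__ == "__main__":
    for app, act, inst in [(WRITING_AID, "upload", "corporate"), (BREACHED_SHARE, "download", "corporate"),
                           (HIGH_RISK_NOTES, "upload", "personal"), (HIGH_RISK_NOTES, "upload", "corporate")]:
        print(app.name, act, inst, "->", evaluate(app, act, inst))
```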
6. Review Policies Periodically
With new SaaS applications appearing all the time, it is imperative to maintain comprehensive visibility over shadow IT. Zscaler regularly updates its app catalog with new apps, which will then be included in Shadow IT reports if they are discovered in your environment.
Additionally, Zscaler routinely evaluates critical and extensively used SaaS applications, which may result in data changes such as risk index alterations. Consequently, it is a best practice to periodically (ideally monthly) review cloud application access policies and update them.
7. Incorporate End User Feedback
If employees see existing IT policies as overly stringent or at odds with their needs, they may try to bypass those policies with personal devices or services. This is why it’s so important to consider user feedback about the applications that support their work while keeping security concerns in mind. This feedback-driven approach facilitates periodic adjustment of policies to better align with user needs and security considerations.
8. Create Exception Mechanisms
Establishing exception mechanisms can prove valuable when opting not to enforce specific policies due to functional or strategic considerations. For example, specific exceptions could include permitting only users in the Sales organization to perform uploads and downloads in Salesforce, while concurrently imposing restrictions on non-Sales users.
Ready for More?
Shadow IT security is an important part of a strong data protection program. While users often gravitate to cloud apps for improved productivity, data risks need to still be properly managed. Zscaler’s always-on cloud platform enables IT to monitor all users, devices, and apps as well as properly enforce controls around sanctioned and unsanctioned apps.
To learn more about how Zscaler can help your data protection program, check out our data protection offerings, or contact us for a demo.