Shadow IT And The Challenge Of Controlling The Cloud

“Shadow IT” sounds like something you might see in a thriller starring Matt Damon, but it’s a clear and present danger for IT pros. It refers to the practice of people throughout a company setting up their own IT services without consulting with the IT department. It’s easy to do, thanks to the “consumerization of IT” trend and the availability of cheap or free cloud-based SaaS services from the likes of Dropbox, Google’s G Suite (formerly known as Google Apps), Microsoft Office 365, and Slack.

The result: Your company is probably using dozens of cloud services, if not hundreds, that you have no knowledge of nor control over.

Despite the obvious benefits many of these services bring, the lack of visibility and control is a problem. Not only does it reduce the CIO’s ability to manage the technology that’s actually in use at her or his company, but it also creates a very real security risk. You can’t protect what you don’t even know exists. And it’s too much to expect non-IT staff to implement security policies, encrypt their data, avoid sharing sensitive information, or even use decent passwords for the cloud services they sign up for.

As a result, unofficial cloud services become a portal for hackers. In fact, Gartner predicts that one third of security breaches by 2020 will come in through shadow IT services. Compounding the security risks, are a wide range of legal and compliance issues that accompany unauthorized cloud services sending on a company’s behalf. CAN-SPAM violation, content and data exposure, the list goes on.

How widespread is the problem? A recent Cisco study suggests most companies have  15 to 22 times more cloud apps in service than IT has authorized. Let that sink in for a minute: For every cloud app you know about, there are between 15 and 22 others that are in use but which you don’t know about yet.

Cisco’s survey might sound extreme, but other studies agree about the severity of the problem. A recent SpiceWorks survey reports that 80 percent of IT managers say their users are setting up unauthorized services. And according to the Cloud Security Alliance and Skyhigh Networks, only 8 percent of organizations believe they’ve got a handle on all the cloud services their employees use.

So what to do? In an era of bring-your-own-device policies and open Internet access, you can’t just lock down your employees’ devices the way you could have a couple decades ago. And sending increasingly irate memos or posting policies to the company intranet are not going to increase compliance, human nature being what it is.

There is a choke point available to CIOs, however, and that’s email. The vast majority of  cloud services that employees set up will, at some point, need to send email on behalf of your organization.

Naturally, those services use their own mail servers, which you don’t control. But if your company has implemented email authentication, you do have the ability to permit or deny those emails being delivered. Using the open DMARC standard, companies can specify a list of servers that are authorized to send email on behalf of the company. Servers that attempt to use the company’s domain name but aren’t on the authorized list will find that their email is flagged or deleted by DMARC-compliant receivers. And more 2.7 billion consumer inboxes globally (about 80% of US inboxes) are DMARC-compliant.

What’s more, DMARC includes a reporting function, so those rejected messages will not only fail to get through, they’ll show up on a log of DMARC authorization failures. IT staff can use those logs to identify services that are attempting to send mail on the organization’s behalf.

With email authentication in place, the job of securing shadow IT becomes much simpler. All the CIO needs to do is send a message to employees telling them that they are welcome to set up cloud services—but if they want to enable email functions with those services, they’ll need to talk to the IT department about it. Until they come forward and make their case, any email from the cloud services they set up will fail to authenticate, and the IT department will be aware of it via DMARC reports.

This won’t eliminate every shadow IT service, of course—just the ones that rely on email using a domain controlled by your company. But that’s enough to give CIOs control over a vast swathe of SaaS services, and it gives them leverage without banning those services outright. That’s a win-win for both IT professionals and the organizations they serve.

About Alexander Garcia-Tobar
Aalexander-garcia-tobarlexander García-Tobar is CEO and co-founder at ValiMail, the world’s only provider of automated email authentication services, located in San Francisco, CA. Alexander has deep roots in the email authentication and cybersecurity space as a global executive and advisor at Agari, ValiCert, and Sygate. A veteran entrepreneur, he has held various positions at high tech companies such as Lattice3D, SyncTV, and Individual. Prior to that he worked at leading research and consulting firms such as The Boston Consulting Group and Forrester Research.

In this article