Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Tal Klein
Tal Klein
Connect Directly
E-Mail vvv

Shadow IT: Not The Risk You Think

Enterprise cloud services such as Box, Office 365, Salesforce, and Google Apps can make a better case for being called sanctioned than many legacy, on-premises, IT-provisioned applications.

As we near the end of 2014, a multitude of indisputable data points to a simple fact that every security dollar dedicated to reining in Shadow IT through preventative policies or controls is a dollar wasted. In fact, the exact opposite is true: Shadow IT adoption by business units helps to increase IT savvy through a shared focus on innovation as a differentiator.

Verizon recently published its annual "State Of The Market: Enterprise Cloud report for 2014," based on data from independent analyst firm 451 Research, which found that what we know as "Shadow IT" has largely become extinct as a valid business risk. In the report Verizon concludes that the most successful CIOs have made building strong ties with the lines of business a core objective:

Standards have emerged, IT departments have now developed their competencies, providers have clarified their offerings, and both sides understand each other much better. Many buyers now have thorough mechanisms in place for specifying and managing procurement, governance, and performance.

Skyhigh Networks, meanwhile, in their "Q3 2014 Cloud Adoption And Risk Report," found that, "while the average organization employed 831 cloud services, the distribution of data movement across services revealed that 80% of data uploaded to the cloud goes to just 1%, or 11, cloud services."

This is very much in line with findings in Adallom's annual "Cloud Usage Risk Report," which noted that of the 11 cloud services detailed in Skyhigh Networks' report, only four primary services account for the majority of enterprise files in the cloud: Box, Office 365, Salesforce, and Google Apps. This means that of the 831 or so cloud services found in an average organization, only four represent the largest attack surface, none of which would be classified as "Shadow IT."

Rogue consumers vs. enterprise SaaS
There is a distinct difference between "Consumerized Shadow IT," defined as a single "rogue" user interacting with unsanctioned cloud applications, and "Enterprise SaaS," which are cloud applications now included as a prominent piece of IT portfolios across industries. In fact, as evinced in the Verizon report, the status quo has pivoted so profoundly that these Enterprise SaaS services have a better case for being called sanctioned than many legacy IT provisioned on-premises enterprise apps.

The "new" Shadow IT -- the one that represents real, measurable risk -- is the proliferation of third-party apps built on top of the dominant SaaS platforms -- The Salesforce AppExchange, Google Apps Marketplace, etc. Millions of applications are developed and released into these SaaS ecosystems on an on-going basis, and understanding which are installed and the potential risks they pose can be a daunting task.

The Adallom report also found that there have already been scenarios where malicious ecosystem applications have tricked users into handing over access to privileged data. Governance over third-party SaaS ecosystem application access becomes increasingly difficult as SaaS platforms intersect with each other. For example, there are already cross-platform third-party applications that integrate services like Dropbox with Salesforce, or Google Drive with Huddle -- meaning a compromised account in one cloud service could become an attack vector into another.

  Tal Klein is Vice President of Strategy at Lakeside Software. Previously, he was vice president of marketing and strategy at Adallom, a leading Cloud Access Security Broker. He was also senior director of products at Bromium where he led product marketing and strategy ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/11/2015 | 12:12:58 AM
cloud reborn
The issue is with all cloud solutions for enterprise right now is that bone of then were designed with the enterprise in mind. Follow extents the startup on social media and watch it take the industry by storm. What if the cloud was so secure it couldn't be hacked or compromised for 25 billion years using the aggregate computing power in this world? Extenua - be one of the first to get involved. Follow our launch on social media. https://mobile.twitter.com/extenua https://www.facebook.com/extenua https://plus.google.com/+Extenua Or search for us on LinkedIn Extenua
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...