Five Steps to Detect and Control Shadow IT
2022-08-03 20:47:00 【software testnet】

Enterprise employees usually want to use the best tools to do their job. For most employees, this means using online SaaS applications, but these applications and tools may not be approved or licensed by the enterprise IT department. The term shadow IT (or, as it is now more often called, "business-led IT") describes technology that has not been approved by the enterprise IT team. As the number of SaaS applications has grown, people naturally use a large number of online tools, and most shadow IT today consists of SaaS applications. Despite the best efforts of IT teams across all industries, the use of shadow IT has not decreased. It has kept increasing and is approaching legitimacy, eventually becoming a viable IT strategy that can provide a competitive advantage.
Because of the security risks, the traditional enterprise strategy has usually been to stop employees from adopting any form of shadow IT. However, the risks of different kinds of shadow IT are not the same, and the recorded benefit of shadow IT to enterprises is that it lets employees get the tools and technology they consider best for their work. Therefore, for the enterprise's chief information officer and chief information security officer, a better strategy than trying to prevent shadow IT is to implement tools that set up appropriate security guardrails to control it, ensuring that the tools employees use comply with company security and compliance policies.
According to investigation and research, a framework built on the following five steps is very effective in helping enterprises create a workable security framework.
1. Discover shadow IT
The first step in controlling shadow IT is to identify it and gain a comprehensive understanding of how prevalent it is in the enterprise. Much shadow IT is a service, and even hardware technology almost always has a SaaS component that runs it. Most companies use a cloud access security broker (CASB) for SaaS discovery and security, but often hear from employees that the CASB is too noisy. CASBs do very well at collecting data and identifying who goes to which website, but they are not good at discovering that employees are using new SaaS applications. The data may be there, but analysts often have to do extra work to determine whether an account was created, especially if the user signed up with local user credentials rather than through the identity provider. If the relevant data can be presented to analysts, they only need to take action and achieve the required security outcome.
The way to discover shadow IT is to choose an automated tool or method with the right trigger, namely the creation of an account with business credentials outside the identity and access management (IAM) solution. Recording all of this information in logs, or in data that has to be merged periodically, is a process that is doomed to fail.
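The discovery trigger described above, as an added example that is not part of the original article: a Python sketch that scans web proxy log lines for successful sign-up requests to SaaS hosts that are not federated through the identity provider. The log format, host names, federated-host list, and sign-up path patterns are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (time, user, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2022-08-01T09:12:03Z alice@example.com GET https://notes.example-saas.test/pricing 200
2022-08-01T09:14:40Z alice@example.com POST https://notes.example-saas.test/signup 201
2022-08-01T10:02:11Z bob@example.com POST https://crm.sanctioned.test/sso/saml/acs 302
2022-08-01T10:05:00Z bob@example.com POST https://design.example-saas.test/api/register 200
2022-08-01T11:30:00Z carol@example.com POST https://design.example-saas.test/login 200
2022-08-01T11:45:00Z carol@example.com POST https://files.example-saas.test/accounts/create 403
"""

# Assumption: hosts whose logins are federated through the identity provider.
IDP_FEDERATED_HOSTS = {"crm.sanctioned.test"}
# Assumption: path fragments that typically mark an account-creation request.
SIGNUP_PATH = re.compile(r"/(signup|sign-up|register|accounts/create)\b", re.I)


def find_local_signups(log_text, federated_hosts=IDP_FEDERATED_HOSTS):
    """Return one finding per (user, app) for sign-ups made outside the IdP."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, user, method, url, status = parts
        target = urlsplit(url)
        host = target.hostname
        if method != "POST" or host is None or host in federated_hosts:
            continue  # browsing and IdP-federated apps are not the trigger
        if not SIGNUP_PATH.search(target.path):
            continue  # ordinary logins and API calls
        if not status.isdigit() or not 200 <= int(status) < 400:
            continue  # a rejected sign-up created no account
        if (user, host) not in seen:
            seen.add((user, host))
            findings.append({"time": ts, "user": user, "app": host})
    return findings


if __name__ == "__main__":
    for f in find_local_signups(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} created a local account on {f['app']}")
```

Each finding gives the analyst the user and application directly, rather than leaving them to infer account creation from raw browsing records.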
2. Prioritize reducing shadow IT risk
You never know what problems you will face when employees acquire technology. What is certain is that employees will always be acquiring and starting to use new technology. Depending on the number of employees in the enterprise, this can range from a few per week to dozens or even hundreds. Given the volume of shadow IT being acquired and the differing risks involved, prioritization becomes extremely important.
Prioritizing risk mitigation is the key step. Companies cannot rely on fixed patterns and methods to reduce shadow IT risk, because the risks are constantly changing. The degree of risk a technology poses to an enterprise goes beyond whether the supplier holds industry certifications such as SOC 2 or ISO 27001. These certifications are common, and now even startups obtain them. Rather than focusing on the risk of the supplier's controls, it is better to assess risk according to factors such as the following:
- Do employees understand the enterprise's security and risk policies on purchasing and using technology, software, or SaaS?
- Will any sensitive, confidential, or regulated data be used?
- Who in the business organization approved the use of the technology?
- Which systems will the technology integrate with?
- Will any non-employees be users of this technology?
- How many other users are there in the enterprise?
3. Secure shadow IT accounts
Securing shadow IT is often easier said than done. If it is a physical device that can be found at one location or on one network, it is straightforward. Software (almost always SaaS) is much harder, because it can be accessed from managed devices on the enterprise network or from unmanaged devices in different locations. SaaS security products (such as CASBs) assume that the network, the identity, or the device can be controlled, but in reality it may not be possible to control any of them.
The best way to secure SaaS is to lock the SaaS account itself when the account is deemed to violate corporate policy or when the employee no longer works for the enterprise. Deleting the account is still a desirable measure, but securing it so that no one can access it is a critical first step.
4. Coordinate security across control points to reduce shadow IT risk
Once the shadow technology is secured, the next step is to coordinate protection of the application through other security measures. For example, if a SaaS application is considered too risky, every user of that application in the enterprise should stop using it. As an additional layer of security, companies may want to block access to the SaaS site on the network or raise an alert every time someone creates a new account.
Coordination is also important when data from threat intelligence sources or third-party risk management systems shows that a SaaS application has been compromised or that credentials have been found on the market. Users should be forced to review every account that used the leaked credentials and reset the password. Although all of this can be done to some extent with existing tools, the actual workflows are generally not designed for it. SaaS security products with out-of-the-box automation go a long way toward helping security teams unify control points, analysis, telemetry, and operations in order to secure and control shadow SaaS.
5. Safely embrace shadow IT
No matter how hard you try, shadow SaaS will continue to grow. In many ways, it resembles the development of bring your own device (BYOD), which is now standard in most enterprises. As consumer technology became as powerful as enterprise products, workers found it easier and more convenient to work with consumer devices. Enterprises eventually compromised and adopted products that support BYOD, because the benefits outweighed the costs.
The same thing is happening with shadow IT, and more specifically with SaaS. Employees no longer need the IT team's help or permission to buy a more powerful application. They only need an email address and a credit card, and they can often start with a free account that can be upgraded. IT and security teams need to acknowledge these benefits and create a framework that lets employees use the right tools for their work, while giving the enterprise better governance and control over technology and data.