Page 24 - FCW, August 2017
CYBERSECURITY
THE NEW FRONTIER OF SHADOW IT
Agencies need greater visibility and control over employees’ activities in the cloud.
SPONSORED CONTENT
KEVIN JONES
VICE PRESIDENT, PUBLIC SECTOR, SKYHIGH NETWORKS
When discussing how agencies can more quickly identify and mitigate threats across an increasingly complex enterprise, it’s important to recognize that the definition of “enterprise” has fundamentally shifted into a hybrid of on-premises, shared, and cloud-based services. This new landscape is dictating the need for new security solutions to protect and ensure visibility into agencies’ data, no matter where it resides.
Trying to harness and control the cloud with traditional technologies is a bit like trying to catch a tuna from the shore. No matter how high you make that chair, you’re still trying to catch a deep water fish from the shallows. Meanwhile, our cyber foes are using an ever-changing arsenal of tools while Shadow IT is increasingly becoming the primary vector for government data loss.
If an employee uses an agency-issued device to access a cloud-based service, it’s nearly impossible for the agency to control that activity through traditional methods. Employees are increasingly creating and sharing government content in the cloud—outside of the perimeter.
By adding cloud-based controls, agencies can provide total visibility into employees’ interactions without hindering legitimate activity. For example, employees often use unsanctioned PDF services to redact highly sensitive government documents. They have no idea where that service lives, how their data is being protected, or who has access to the document once they put it there. There is no intentional malice on the part of the employee, but this behavior creates a tremendous amount of risk for an agency.
While most of us can name the top five or six cloud storage services, there are actually more than 350 in this category, many of which are based in Russia or China. Employees don’t read the terms and conditions. In an effort to be more efficient, they will often use whatever is fast and easy—usually for a good business reason. If an employee needs to send a 75MB file to a colleague and the agency automatically blocks the request, the individual will find another way to send that document. Intentions are good, but is the perceived gain in efficiency worth the exposure, especially when the agency is blind to it?
As a baseline, gaining visibility into all cloud activity will help enable the right types of behavior with the right cloud services, thus expediting safe cloud migration. Having an acceptable use policy is a good start, but how do we enforce it? Cloud security controls enforce such policy regardless of how an employee accesses the cloud. Furthermore, data security must be paramount from the early stages of cloud application development.
Cloud Service Providers are always changing their IP ranges—some as many as 250,000 times per day—which makes it impossible to track with traditional security tools. The best options agencies have for improving how they manage diverse cloud-based services are technologies that were born and bred in the cloud.
There’s often a combative relationship between users and security practitioners involving access to agency data. For perhaps the first time, cloud access security brokers (CASBs) are changing this mindset by maintaining agencies’ high security standards while enabling broader cloud usage. While the cloud is certainly not a panacea, agencies should expect the same or even greater levels of control over data in the cloud as they would if those systems were still on-premise.
Kevin Jones is vice president of public sector at Skyhigh Networks.