Many organizations are moving, or have already moved to the cloud, referring to infrastructure, services, or other tools. Organizations often talk about securing the cloud but disagree on what “the cloud” actually means. In reality, many organizations are already working in a multi-cloud environment and shadow IT is quickly becoming the biggest risk they face.
Expanding the definition of “the cloud”
There is disagreement and confusion on what constitutes “the cloud”, both inside and outside of the cybersecurity industry. Most people think of the cloud as one thing; you migrate your on prem setup to one cloud environment. The reality is many organizations live in multiple cloud environments.
Think about all of the tools your organization uses in their daily operations, tools that make business processes more efficient. CRM has moved to Salesforce, Marketing spends their time on social media, and Sales are using social media and collaboration apps, like Slack, to communicate faster. Most SaaS applications are cloud environments, and they are attached to core business functions.
Your vital business operations and data are already in “the cloud”. It’s no longer just a matter of moving to the cloud, but also securing your existing cloud environments. The first step is to gain visibility. You can’t protect what you can’t see.
You need to take an inventory of all existing tools, identify all existing cloud environments, and what is critical to your business. That includes tools across all departments - marketing, sales, HR, customer experience, executives, etc.
Securing multi-cloud environments at scale
Once you have an inventory of your known environments, you need to secure them. Cloud applications are critical to your business operations and likely contain sensitive data, especially if you are in a regulated industry. While we’re redefining terms, it’s also time to reconsider the “IT” of shadow IT in a multi-cloud environment. The network has expanded with the advent of BYOD and is now largely composed of employees’ phones.
MDM protocols are likely in place, but they don’t protect against what’s happening on the phone, like app activity that feeds data into the cloud environments. Instead of being left in the dark, you need to gain visibility into these apps and protect activity across devices, and across networks. The HR team might use LinkedIn on desktop while in the office, but they’ll access the LinkedIn app from their phone to message a recruit while waiting for their coffee at Starbucks, or at home responding to a notification.
Shadow IT is the result of trying to solve a problem. Recruiters can respond to recruits in real time, instead of waiting to get to the office to send a message. The adoption of cloud apps has created efficiencies across departments. Employees are now on the frontlines of data protection, making security an everyone problem.
Security teams need to work closely with stakeholders to ensure all cloud environments are secure, and avoid the shadow IT trap. It’s a matter of empowering your employees to use these apps securely so they can do their best business, not saying ‘no’ to ignore the problem. Instead, teams should work together to understand what tools are needed to conduct business, and why they need them. By developing a close relationship you avoid being asked for approval at the last minute, or worse, finding out the team adopted an app without asking.
Cloud security is evolving, your security solution should too. Start by taking an inventory of your cloud apps and extend your security policies to those environments.
Our platform was built to evolve alongside business. Contact us to learn how we can help you secure the cloud today.
July 6, 2020