Policing in the Shadows, from home!

2020 to 2021 was a dream year for cloud computing and the hyperscalers; their profit margins describe that far better than I ever will. So much so that I’m sick of talking about working from home, not working from home, and the inevitable small talk when you meet the in-laws: “Are you back in the office now then?”

Anyway, what working from home does is allow much more freedom: none of the perimeter network controls of old, and no boss watching over your shoulder either.

Therefore, the organisation has far less authority over where its data is going, what it’s being uploaded to and who’s accessing it. Historically, organisations facilitated remote working by using VPNs to tunnel traffic (using IPsec or similar) through the public internet back to the office. This meant employees could access data and applications, and have security policies applied, as if they were inside the perimeter.

In 2021 it’s more common to see folk using Azure AD, Google Workspace and other tools to forgo the VPN and expensive concentrators, because everything’s “in the cloud”. Cloud providers are closing the gap on old-school tech like Email Security Gateways, Web Gateways and Data Loss Prevention (DLP) suites, but it’s still not a like-for-like comparison.

They also only ever cater for their own backyard. Microsoft can police what you upload to and download from Teams. They can’t check whether you subsequently push that file to an FTP server or swivel it over to an AWS S3 bucket.

Systems that employees use but your organisation neither owns nor manages are commonly referred to as Shadow IT, and policing them is a nightmare! You can’t implement controls on them directly, because most of the time they’re not owned by your organisation, so you have no way to tap into whatever API or policy engine they may contain. Furthermore, blocking them entirely becomes less than straightforward when every employee routes their web traffic via a different gateway.

Luckily, tools do exist. Platforms have evolved to run DLP for the cloud, allowing us to push controls out to the endpoint. Reverse proxy techniques, combined with SAML-based single sign-on and the like, give us the ability to observe data movements regardless of where the data resides and which devices it resides on. Terms like CASB (Cloud Access Security Broker) and various other insider-threat-type platforms (even though we’re now outsiders!?) provide the ability to apply machine learning and AI to both the data and its destination, without routing traffic back into the data centre and the office.
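As an added illustration of the visibility problem described above (this is example code written for this article, not a HANDD product or any CASB vendor’s logic), the snippet below runs a simple shadow-IT check over a constructed endpoint log: uploads that go somewhere other than a hypothetical sanctioned-app list are flagged, with the destination labelled as object storage, FTP or unknown. The log format, the sanctioned list and the 1 MiB threshold are all assumptions for the example.

```python
import re
from typing import List, Dict

# Constructed sample of per-device web/upload telemetry (not real traffic).
# Format: timestamp user method host bytes_out
SAMPLE_LOG = """\
2021-03-02T09:14:01Z alice POST teams.microsoft.com 182000
2021-03-02T09:20:44Z alice PUT reports-archive.s3.amazonaws.com 52428800
2021-03-02T09:31:09Z bob GET docs.google.com 0
2021-03-02T10:02:51Z carol PUT ftp.example-partner.net 8388608
2021-03-02T10:05:13Z bob POST contoso.sharepoint.com 4096
2021-03-02T10:07:30Z dave GET news.bbc.co.uk 0
"""

# Hypothetical sanctioned apps; "*.example.com" matches any sub-domain of example.com.
SANCTIONED = ("teams.microsoft.com", "*.sharepoint.com", "docs.google.com")
UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 1_048_576  # 1 MiB (assumed): smaller uploads are treated as noise here


def is_sanctioned(host: str, patterns=SANCTIONED) -> bool:
    """Exact match, or suffix match for wildcard entries (never a substring match)."""
    for pattern in patterns:
        if pattern.startswith("*."):
            if host == pattern[2:] or host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def classify_host(host: str) -> str:
    """Label the kind of unsanctioned destination so an analyst sees what it is."""
    if re.search(r"\.s3[.-][\w.-]*amazonaws\.com$", host):
        return "object-storage"  # S3 virtual-hosted style bucket name
    if host.startswith("ftp."):
        return "ftp"
    return "unknown"


def find_shadow_uploads(log_text: str) -> List[Dict[str, object]]:
    """Return uploads above the threshold that bypass the sanctioned-app list."""
    findings = []
    for line in log_text.splitlines():
        _ts, user, method, host, bytes_out = line.split()
        size = int(bytes_out)
        if is_sanctioned(host):
            continue  # the sanctioned app's own DLP/audit trail covers this one
        if method in UPLOAD_METHODS and size >= UPLOAD_THRESHOLD:
            findings.append({"user": user, "host": host, "bytes": size,
                             "kind": classify_host(host)})
    return findings
```

In a real deployment the same logic would run over CASB or endpoint DLP telemetry rather than a hand-written log, and the sanctioned list would come from the organisation’s app catalogue.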

Cloud adoption doesn’t need to mean security disassociation, and it fundamentally shouldn’t. Shadow IT is a real concern against the backdrop of data residency laws, Data Subject Access Requests (DSARs) under GDPR, and plain good security hygiene.

If your business is concerned about shadow IT or data loss, inside or outside the perimeter, then speak to the HANDD team of specialists. Get in touch via email at info@handd.co.uk or call us on 08456 434 603.