Minimizing Cloud-Based Shadow IT Risks

Originally published by Skyhigh Security.

Written by Shawn Dappen - Director, Systems Engineering, Skyhigh Security.

One result of the recent pandemic is that many enterprises are moving to leverage the benefits of cloud-based applications and data. Over the past three years, the average number of public cloud services in use increased 50%. However, they are naturally concerned that the cloud is an environment with many nefarious actors, both at home and abroad, endeavoring to compromise sensitive data for their own malign purposes. In addition, shadow IT–where employees utilize cloud services without IT approval or involvement–increases the risk of data breaches. As a result, today’s post-pandemic environment is a complex mix of remote and hybrid workplaces with remote workers accessing cloud applications, public cloud environments, and private access networks, from various locations, none of which may be under IT’s direct control.

This is one reason why the Zero Trust Maturity Model (ZTMM) Version 2, recently released by the Cybersecurity and Infrastructure Security Agency (CISA), is so important.

Zero trust is designed to “prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”

Because traditional security solutions are insufficient in this environment, ZTMM focuses on five pillars: Identity, Devices, Networks, Applications and Workloads, and Data, each which evolves over time in discrete stages, beginning with “Traditional”, then moving to “Advanced” and finally achieving “Optimal.”

Version 2 extends ZTMM by adding a new “Initial” stage between Traditional and Advanced, highlighting the fact that different organizations begin their journey toward zero trust from different starting points. Enterprises then use the criteria for each stage to identify the level of maturity associated with each pillar, improving understanding of areas of concern and increasing consistency across the entire model. But a big concern with zero-trust security is how to implement it without hobbling employee access to data and negatively impacting their productivity. This is why we developed sophisticated, yet simple-to-manage solutions to protect data. By enabling a precise understanding of who is using data, and how they are accessing it, enterprises of all sizes can optimize and enforce zero trust rules without impacting productivity by enforcing overly restrictive access policies.

The shift to remote and hybrid workplaces, coupled with the increasing use of unmanaged devices by employees (our internal research reveals that six in ten organizations allow employees to download sensitive data to personal devices), makes it more important than ever to have a security solution that is both robust and flexible.