Security Problems Created by Connected Applications and Shadow IT


According to McAfee’s report, the modern enterprise uses about 1950 cloud services on average, of which fewer than 10% are corporate-driven. To avoid data theft (the average damage from each such leak in the United States is $7.9 million), companies need to take control of unauthorized cloud use. Everyone is already familiar with the problems associated with shadow IT. Connected applications pose equally serious security risks today.

What are connected apps?

Platforms such as Office 365 enable teams and end-users to install and connect third-party applications and develop custom programs to meet the challenges they face. For example, Microsoft is promoting the Microsoft Store with tens of thousands of applications that users can install in an enterprise Office 365 environment. These applications complement and extend the functionality of Microsoft Office and improve user productivity.

Examples include WebEx for organizing meetings in Outlook or SurveyMonkey for conducting surveys in Microsoft Teams.

During installation, these applications often ask the user to grant access to resources. This can be data stored in an application (for example, SharePoint), information from a calendar, or messages from a mailbox. Providing third-party applications with access to cloud services poses three challenges for the company.

Problem 1 – Risks of sending data to third parties

What if the application itself is not secure? For example, applications for converting Word to PDF request access to all resources; as a result, corporate data travels from the company’s cloud application to potentially insecure applications that may include malware actively used by hackers.

But even if applications are well protected, they can still access cloud resources such as mail, cloud drives and calendars, which contain corporate information. For example, the Evernote app for Outlook is used to store email data. By itself, this application is safe, but the company cannot allow employees to work with it, because doing so creates the conditions for leakage of corporate data.

Problem 2 – Inability to control using available means

Connected applications communicate directly with authorized cloud services, and these connections are not subject to existing network policies and controls. For example, a company might implement security rules at the web gateway or firewall level to prevent unauthorized file transfers. But that won’t stop employees from downloading the app from the store and bypassing these security measures. Even API-based data loss prevention (DLP) policies cannot block the sending of information to connected applications. This means that organizations should exercise greater discretion and implement better controls over the use of such programs by their employees.
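One way to get that visibility is to review the delegated permission grants users have already consented to. The sketch below is an added example, not from the original article: it assumes grant records exported in the shape of Microsoft Graph oauth2PermissionGrant objects, and the sample records, app identifiers, scope grouping and scoring weights are all constructed for illustration.

```python
import json

# Delegated Microsoft Graph scopes grouped by the resource types the article
# names (mailbox, calendar, files, SharePoint). The grouping is an assumption.
SENSITIVE = {
    "Mail.Read": "mailbox", "Mail.ReadWrite": "mailbox", "Mail.Send": "mailbox",
    "Calendars.Read": "calendar", "Calendars.ReadWrite": "calendar",
    "Files.Read.All": "files", "Files.ReadWrite.All": "files",
    "Sites.Read.All": "sharepoint", "Sites.ReadWrite.All": "sharepoint",
}

# Constructed sample records; clientId and principalId values are hypothetical.
GRANTS_JSON = """[
 {"clientId": "app-pdf-converter", "consentType": "Principal", "principalId": "user-1",
  "scope": "User.Read Files.ReadWrite.All Mail.Read offline_access"},
 {"clientId": "app-pdf-converter", "consentType": "Principal", "principalId": "user-2",
  "scope": "User.Read Files.ReadWrite.All"},
 {"clientId": "app-notes", "consentType": "AllPrincipals", "principalId": null,
  "scope": "Mail.Read"},
 {"clientId": "app-survey", "consentType": "Principal", "principalId": "user-3",
  "scope": "User.Read openid profile"}
]"""
SAMPLE_GRANTS = json.loads(GRANTS_JSON)

def audit(grants):
    """Aggregate grants per app and return apps holding sensitive scopes, riskiest first."""
    apps = {}
    for g in grants:
        scopes = set((g.get("scope") or "").split())  # scope is a space-separated string
        a = apps.setdefault(g["clientId"], {"resources": set(), "users": set(),
                                            "tenant_wide": False, "offline": False})
        a["resources"] |= {SENSITIVE[s] for s in scopes if s in SENSITIVE}
        a["offline"] |= "offline_access" in scopes  # refresh tokens: access persists
        if g.get("consentType") == "AllPrincipals":  # admin consent for every user
            a["tenant_wide"] = True
        elif g.get("principalId"):
            a["users"].add(g["principalId"])
    findings = []
    for client, a in apps.items():
        if not a["resources"]:
            continue  # sign-in/profile scopes only: nothing to review
        # Assumed weighting: one point per resource type, +2 tenant-wide, +1 offline.
        score = len(a["resources"]) + (2 if a["tenant_wide"] else 0) + (1 if a["offline"] else 0)
        findings.append({"app": client, "resources": sorted(a["resources"]),
                         "users": len(a["users"]), "tenant_wide": a["tenant_wide"],
                         "offline": a["offline"], "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["app"]))

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```

The output is a review queue: each listed app can read corporate mail, files, calendars or SharePoint content without passing through the web gateway or firewall.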

Problem 3 – Shared responsibility

The shared responsibility model applies to connected applications too. Cloud providers such as Google and Microsoft give customers the ability to host apps in their stores, but with the proviso that the customer companies will be held accountable for the data and actions of users and for the use of such connected apps in accordance with security and compliance policies.

Bottom line

New apps are developed every day to help employees be more productive and make complex processes easier. Employees use Dropbox to send large files or an online PDF editor for urgent edits. While these applications are useful, the problem of shadow IT is gaining momentum. Security professionals can only guess what kind of cloud services their colleagues are using and what kind of danger these applications pose. Due to the lack of transparency, it is very difficult for information security specialists to manage the costs and risks associated with the cloud.
