10 Ways to Take Control of SaaS Apps and Shadow IT
IT can define and enforce a cloud security strategy only if it is aware of the applications in use. It’s essential to discover cloud apps that employees provision on their own.
Once you have discovered an employee-supplied app, learn its security practices, data center location and regulatory compliance obligations. Know how employees use it and whether they have configured the application security settings to match your policies and industry best practices.
Because users access cloud apps from off-site, via mobile, and over insecure networks, evaluate potential risks in context and automatically apply additional security measures, like a one-time passcode.
Employees access cloud apps from corporate and BYOD devices, which contain copies of sensitive documents and are especially vulnerable to attacks. Cloud app providers don’t distinguish between managed and unmanaged BYOD devices, but enterprises should.
To protect data stored in the cloud, know what’s there, who’s accessing it and what they are doing. Administrator or “privileged” accounts are hackers’ targets, so watch the watchers when it comes to SaaS apps.
Hackers are focusing on stealing cloud app credentials to walk in the “front door.” Consider adding capabilities that detect anomalous activity to prevent account takeover attacks.
Data centers are spread across the globe, so information may get placed in jurisdictions your corporate governance policies or security compliance mandates do not permit. Obtain up-to-date reports on where cloud service providers store data and make an informed decision about whether to sanction their use.
Security Information and Event Management (SIEM) systems are critical for correlating data to understand risk and identify potential threats to data center resources. But cloud applications operate outside the range of enterprise SIEM deployments. Aggregate standardized activity logs across cloud apps to extend SIEM to the cloud.
The layers of security implemented to protect the on-premises data center typically have no impact on cloud apps, so IT lacks the ability to define consistent usage and access policies across all cloud apps and cannot effectively enforce them. Cloud Access Security Brokers can help.
Identify orphaned or dormant accounts before malicious insiders, ex-employees or hackers get to them. Abuse of these accounts can go on for a long time, leaving the organization vulnerable to data exfiltration and exposure of sensitive data and corporate secrets.
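One way to find orphaned or dormant accounts is to reconcile each cloud app's account export against the current employee roster and last-login times. The sketch below is an added example, not part of the original article; the record fields, the sample data and the 90-day dormancy threshold are assumptions, and privileged accounts are listed first because they are the most attractive targets.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are assumptions, not any vendor's schema.
ACTIVE_EMPLOYEES = {"alice@example.com", "bob@example.com", "dana@example.com"}

SAAS_ACCOUNTS = [
    {"app": "crm", "user": "alice@example.com", "last_login": "2024-05-28T09:12:00+00:00", "admin": False},
    {"app": "crm", "user": "carol@example.com", "last_login": "2024-05-30T22:40:00+00:00", "admin": True},
    {"app": "storage", "user": "bob@example.com", "last_login": "2023-11-02T14:05:00+00:00", "admin": False},
    {"app": "storage", "user": "dana@example.com", "last_login": None, "admin": True},
    {"app": "storage", "user": "erin@example.com", "last_login": "2023-01-15T08:00:00+00:00", "admin": False},
]

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def classify(account, active_employees, now):
    """Return 'orphaned', 'dormant' or 'ok' for one SaaS account record."""
    if account["user"].lower() not in active_employees:
        return "orphaned"  # no matching owner in the HR/IdP roster
    last = account["last_login"]
    if last is None:
        return "dormant"  # provisioned but never used
    if now - datetime.fromisoformat(last) > DORMANT_AFTER:
        return "dormant"
    return "ok"


def audit(accounts, active_employees, now):
    """Return findings sorted so orphaned and privileged accounts come first."""
    findings = []
    for acct in accounts:
        status = classify(acct, active_employees, now)
        if status != "ok":
            findings.append({"app": acct["app"], "user": acct["user"],
                             "status": status, "admin": acct["admin"]})
    findings.sort(key=lambda f: (f["status"] != "orphaned", not f["admin"], f["user"]))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so the sample is reproducible
    for f in audit(SAAS_ACCOUNTS, ACTIVE_EMPLOYEES, now):
        flag = " (admin)" if f["admin"] else ""
        print(f'{f["status"]:9} {f["app"]:8} {f["user"]}{flag}')
```

An account that still logs in but has no owner in the roster (carol in the sample) is reported as orphaned rather than ok, which is the case an inactivity check alone would miss.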