Unsanctioned Apps in the Enterprise

This post was originally published here by Prasidh Srikanth.

Today, organizations leverage a plethora of software applications to enhance productivity, increase collaboration, and evolve their businesses. Some of these applications are IT approved and are purchased with a license by the organization at large; for example, Office 365Slack, or Salesforce. These are referred to as licenced, managed, and sanctioned applications, but they all fall under the same app category (these titles can be used interchangeably).

In addition to the above, organizations’ employees use unlicensed, unmanaged applications that their IT departments either do not know or approve of – this is known as shadow IT. Examples of shadow IT can include Facebook, Dropbox, and HighTail. Seldom do corporations have knowledge about the protocols, compliance concerns, or threats involved in using these unsanctioned applications. Consequently, as they are an unknown quantity and are not sufficiently monitored or controlled by IT, these apps constitute an avenue for data leakage and breaches.

How does Bitglass discover and provide control for unsanctioned apps?

– In order to discover the unsanctioned apps used in corporate environments, we advise customers to perform shadow IT discovery. This is done by uploading firewall logs or setting up a syslog forwarder to a cloud access security broker (CASB) like Bitglass.

– Bitglass then reviews the logs and provides detailed analytics on corporate data usage, including the unsanctioned apps being used.

– In addition to discovery, Bitglass provides customers the ability to enforce DLP policies on these unsanctioned apps, helping mitigate threats and the risk of disclosures.

Some actions provided by the Bitglass CASB to secure unsanctioned apps are as follows:

1    Block: Blocks users from accessing the unsanctioned app.

2    Coach – Block: In addition to blocking users from accessing the unsanctioned app, it coaches them to use a sanctioned application from the same app category.

3    Coach – Allow – DLP: Taking the permissions a step further, we are able to perform DLP actions on unsanctioned applications, providing varied levels of data access and preventing data leakage.

Bitglass also provides an agentless reverse proxy deployment that leverages integration with single sign-on (SSO) vendors like Okta. When a user logs into any application via single sign-on, the traffic is then steered through Bitglass for real-time visibility and control.

What is Bitglass’ recommended security strategy?

–    Secure major SaaS apps: More than 95% of corporate data resides in sanctioned applications. Organizations know that the vast majority of their data lies within common applications like Office 365, G Suite, and others. As a cloud access security broker, we strongly urge all companies to look for inline protection of these sanctioned SaaS apps.

–    Shadow IT discovery: Next, we recommend you perform shadow IT discovery to gain visibility into the unsanctioned applications being used by employees without IT’s knowledge.

–    Long tail SaaS: After securing major SaaS apps and identifying shadow IT, you can add inline protection to provide safe usage of these unsanctioned applications.

In the above way, you can rest assured that your data security priorities are being taken care of in the appropriate order.

Photo:Diligent Corporation


No posts to display