Finding Alternative Ways to Close the Security Gap

New technology comes to market all the time. Following the rise of BYOD, IT has seen a growing popularity of BYOA (applications), BYOC (cloud) and BYOS (storage) and whilst the possibilities are endless, the challenge is how IT keeps pace with all the new trends coming into the workplace whilst ensuring that security is not compromised.

One answer is to block every non-approved application. In today’s employee-centric, mobile environment, that’s simply not an option. As a result, CIOs and CISOs are leading the way in finding alternative ways to close the security gap – or what is more commonly known as the “shadow IT” challenge.

Bring IT out of the shadow

When we speak about “shadow IT,” we speak of applications that exist in an IT infrastructure without having passed through normal IT processes intended to ensure that they are functional, secure, and can support more than one user. Generally, the applications are installed by end-users for purposes ranging from IT functionality not currently provided by official IT resources, to personal usage.

On a personal device, the user reserves the right to download any application. For corporate devices however, the responsibility falls on IT to ensure that all applications are tested and deployed as appropriate, in a timely manner. Given the speed of innovation, even large IT departments sometimes find themselves falling behind the adoption curve on the latest trends.

Organizations with extremely high security requirements are likely to choose a more tightly controlled “guilty until proven innocent” approach – which provides greater up-front security assurances at the cost of slower innovation. Those with greater risk tolerance have the option of monitoring the use of emerging technologies that take the form of shadow IT applications and follow the “innocent until proven guilty” approach, which entails more up-front risk but encourages innovation.

True path of least resistance

Security service providers act as intermediaries between the open internet and their customers, filtering out as much malicious traffic as possible. It’s up to the organization to make their own policies regarding shadow IT applications.

A popular application inherently involves more risk to an organization than a more obscure one, due to its scale. If two applications (an unpopular one and a popular one) are equally secure, more users will be victimized in the more visited application – that application is thus arguably more of a threat than the less popular one.

As the popularity of an application increases, so too should the developer's attention to security. It is not surprising to find that high traffic sites such as Facebook, Skype and Twitter frequently top the list of sites containing the most malware. Often, users click on, or unwittingly download malicious applications without realizing they have put themselves and the organization in danger.

Mind the gap

While CIOs and CISOs try to retain control by providing corporate applications, there are simply too many competing applications on the market to tempt employees away. Employees will step outside the corporate ecosystem if they can work more efficiently using apps that they know and like, such as Dropbox or Evernote. Blocking is simply not the answer.

In the workplace, employees can download apps and be up and running in minutes. Apps that incorporate business data and integrate with existing enterprise applications can be installed without IT involvement. This puts organizations at risk of cyber-attacks and malware infection in ways that IT cannot predict, without the ability to monitor and control application use within the enterprise.

However, if staff makes use of cloud for the benefit of greater productivity, why don’t enterprises turn to cloud-based services to protect users as well from the dangers going along with the new app economy? A lot of enterprises are still stuck in the old model, where they believe that there is a control mechanism, they can put around their networks and data centers that make them more secure. As a result, a lot of traffic and services are being used outside of the data center fortress/corporate policy, therefore putting the organization at risk.

Rather than prohibiting applications, CIOs and CISOs must find alternative ways to close the gaps. To keep pace, IT must go from “block or allow” to “manage and monitor.” It’s all too easy for businesses to feel overwhelmed at the new technology coming to the market, or new consumer apps penetrating the workplace.

However, it’s a positive step that employees are seeking to be more efficient whenever and wherever they are. The cloud has become reality as it allows not only end-users, but businesses too, to become more agile. Businesses should take advantage of the productivity benefits of cloud-based services and not be afraid of a transformation process that is disrupting established business models.

Taking advantage of the cloud will mean that businesses keep pace in a rapidly evolving market. Traditional solutions are failing to keep up with the new cloud norm. Network data will help businesses understand employee behavior and in doing so, CIOs and CISOs can support the cloud apps that employees choose in a manner that doesn’t expose the company to unnecessary risk.

What’s Hot on Infosecurity Magazine?