Every day, new apps are developed to solve problems and make individuals' lives more efficient. Employees are continually experimenting with new apps to enhance productivity and simplify complex tasks. When in a pinch, using Dropbox to share large files or an online PDF editor for quick modifications is common among employees. However, these apps, although useful, may not be sanctioned by, or even visible to, an IT department.
The rapid adoption of unsanctioned cloud apps, while bringing the benefit of increased productivity and agility, also raises the 'shadow IT problem': IT has little to no visibility into the cloud services that employees are using or the risk associated with those services. Without visibility, it becomes very difficult for IT to manage both cost and risk in the cloud. Per the McAfee Cloud Adoption and Risk Report, the average enterprise today uses 1950 cloud services, of which less than 10% are enterprise-ready. To avert a data breach (the average cost of a data breach in the US being $7.9 million), enterprises must exercise governance and control over their unsanctioned cloud usage. Does this sound all too familiar? That is because these are the issues we face with Shadow IT, and we are facing a similar security risk today with connected apps.
What are Connected Apps?
Collaboration platforms such as Office 365 enable teams and end-users to install and connect third-party apps, or to create their own custom apps, to help solve new and existing business problems. For example, Microsoft hosts the Microsoft Store, where end-users can browse through thousands of apps and install them into their company's Office 365 environment. These apps augment native Microsoft Office capabilities and help increase end-user productivity. Some examples include WebEx to set up meetings from Outlook, or a Survey Monkey add-in to initiate surveys from Microsoft Teams. When these apps are added, they will often ask the end-user to authorize access to their cloud app resources. This could be data stored in the app, such as SharePoint content, calendar information or email content. Authorizing third-party apps to access this data creates concerns for many organizations.
Reason 1: Risky Data Exfiltrated to 3rd Party Apps
What if the app itself is risky? For example, PDF converter apps ask for access to all data so they can generate PDF versions for sharing. Corporate data is moving out of the corporate cloud app into these risky applications. Or, even if the app is not risky, it may be accessing cloud resources such as mail, drive or calendar, which contain data the company considers highly sensitive. For example, the Evernote app for Outlook can be used to save email data. The app itself is not risky, but the company may not have approved it for employees to use. If that is the case, introducing apps in this manner amounts to exfiltration of corporate data.
Reason 2: No Coverage with Existing Controls
Connected apps establish a cloud-to-cloud connection with your sanctioned cloud services that is not visible to existing network policies and controls. So, if a company has put controls in place on the web gateway or firewall to block unauthorized file-sharing services, it is still possible for employees to add the connected app from the marketplace and bypass those controls. Even API-based DLP policies do not apply to data moving into connected apps. All of this means that organizations need to exercise more oversight and control over their employees' use of connected apps.
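The first practical step a defender can take against the gaps described in Reasons 1 and 2 is to inventory which third-party apps users have consented to and which resources (mail, files, calendar, sites) each one can reach. The script below is an added example, not code from the original post or from McAfee: it triages a list of consent grants and ranks apps by how much sensitive data they touch, whether the publisher is verified, and whether the app is on the company's sanctioned list. The scope names follow Microsoft Graph delegated-permission naming; the SAMPLE_GRANTS records, the risk weights and the severity thresholds are constructed assumptions for illustration, and an admin would feed in the real grant export from their own tenant.

```python
"""Consent-grant triage for third-party connected apps (added example).

SAMPLE_GRANTS is constructed data, not an export from any real tenant.
Scope names follow Microsoft Graph delegated-permission conventions;
the weights and thresholds are an assumed heuristic, not a standard.
"""
from dataclasses import dataclass

# Weight per delegated scope. Broad ("All") and write access rank highest,
# because that is where the exfiltration risk described in the post lives.
SCOPE_RISK = {
    "User.Read": 0,            # basic profile only
    "offline_access": 1,       # refresh token: access outlives the session
    "Calendars.Read": 2,
    "Calendars.ReadWrite": 3,
    "Mail.Read": 3,
    "Mail.ReadWrite": 4,
    "Files.Read.All": 3,
    "Files.ReadWrite.All": 5,
    "Sites.Read.All": 3,
    "Sites.ReadWrite.All": 5,
}
UNKNOWN_SCOPE_RISK = 2  # scopes not in the table are treated as medium risk


@dataclass
class ConsentGrant:
    app_name: str
    publisher_verified: bool
    sanctioned: bool        # on the company's approved-app list?
    scopes: tuple


@dataclass
class Finding:
    app_name: str
    score: int
    severity: str
    reasons: tuple


def score_grant(grant: ConsentGrant) -> Finding:
    """Score one grant: scope weights plus penalties for unsanctioned/unverified."""
    score, reasons = 0, []
    for scope in grant.scopes:
        weight = SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK)
        if weight:
            score += weight
            reasons.append(f"scope {scope} (+{weight})")
    if not grant.sanctioned:
        score += 3
        reasons.append("app not on sanctioned list (+3)")
    if not grant.publisher_verified:
        score += 2
        reasons.append("publisher not verified (+2)")
    severity = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return Finding(grant.app_name, score, severity, tuple(reasons))


def triage(grants):
    """Return findings with the riskiest app first."""
    return sorted((score_grant(g) for g in grants),
                  key=lambda f: (-f.score, f.app_name))


def high_risk_apps(grants):
    """Names of apps that warrant revoking consent or a review."""
    return [f.app_name for f in triage(grants) if f.severity == "high"]


# Constructed sample: a PDF converter with full file access from an
# unverified publisher, a note-clipping add-in reading mail, and two
# sanctioned apps with narrow scopes.
SAMPLE_GRANTS = (
    ConsentGrant("PDF Converter Pro", False, False,
                 ("Files.ReadWrite.All", "offline_access", "User.Read")),
    ConsentGrant("Note Clipper", True, False, ("Mail.Read", "offline_access")),
    ConsentGrant("Meeting Scheduler", True, True, ("Calendars.ReadWrite", "User.Read")),
    ConsentGrant("Survey Add-in", True, True, ("User.Read",)),
)

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        flags = "; ".join(f.reasons) or "no flags"
        print(f"{f.severity:6} {f.score:2}  {f.app_name}: {flags}")
```

Run as-is, the script ranks the PDF converter highest (broad file write access, unverified publisher, not sanctioned), the note clipper as medium (mail read plus an unsanctioned app), and the two sanctioned apps as low. Because the connection is cloud-to-cloud, this kind of consent inventory is the control that a gateway or firewall rule cannot provide; the same scoring can be re-run on each export to catch newly consented apps.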
Reason 3: Shared Responsibility
The Shared Responsibility model applies to connected apps as well. Cloud providers such as Google and Microsoft offer a marketplace for customers to add apps, but they expect companies to take responsibility for their own data and users and to ensure that the use of these connected apps is in line with security and compliance policies.