InfoGuard Cyber Security and Cyber Defence Blog

Shadow IT casts a (cloud) shadow over cyber security

Written by Stefan Pfiffner | 19 Sep 2018

We all know Dropbox, Google Docs and Co., and they are more popular than ever. This is understandable because the cloud-based applications make (collaborative) work easier and are more user-friendly than many other internal company tools - if any exist at all. Just register and off you go. As the person responsible for IT, you know the problem: What may seem harmless at first glance turns out to be a no-go in terms of corporate security. Shadow IT can do more damage than many people think. In this article, you will learn why this is the case and how you can combat the dangers of shadow IT in cloud services.


Many publicly available services are incompatible with cyber compliance requirements. Security is a particular concern. The terms and conditions of use of approximately two-thirds of cloud-based services state that the data used does not belong exclusively to the customer. In addition, only about 20% of the data is encrypted at the provider level, as numerous studies have shown. Now companies (and of course all employees) need to sound the alarm. So don't take Shadow IT lightly!

The benefits versus the costs of Shadow IT

However, it makes little sense to block all cloud services, as the applications relevant to business are usually also used in the cloud. What’s more, they generally improve employee productivity - and no boss is likely to object to that. However, many online services do not look like cloud services at first glance. Only a closer look reveals that there is a cloud service behind the interface.

The problem starts with employees entering their personal data (and/or business access information such as e-mail address and password) to register. The provider collects, analyses and stores this data. In the worst case scenario, it is even used by the provider for its own benefit. In addition, the data can remain in the cloud long after employees have left the company. As a rule, even the best identity management falls down here.

The second problem is that many cloud providers - especially smaller ones - do not have sufficient cyber security protection. Cloud services like these can be a gateway to a myriad of malware.

And thirdly, as already described, the dubious conditions of use are a cause for concern. All these (non-exhaustive) points can also jeopardise your GDPR compliance. You can find out what this means in practice and what sanctions may be imposed in one of our other articles and in our GDPR guide.

Winning the battle against Shadow IT

That all sounds daunting at first. But don't worry - there are solutions available today to help you fight Shadow IT in cloud services. As experts, we strongly recommend the Shadow IT Module from McAfee Skyhigh. This enables a company to detect and analyse access to cloud services via a wide variety of data sources. The Skyhigh database now contains over 25,000 different cloud service providers: from the simplest PDF converter or various online translators to comprehensive SaaS or IaaS solutions.

Skyhigh primarily shows which cloud services are used by employees. The dashboard and other reports show in detail the risks involved, the measures that can be taken to optimise security, and last but not least, they enable you to enforce your security guidelines centrally. Sounds cool, doesn't it?

Risk scoring as the basis of cloud-security

But not all services used are dangerous in themselves. The focus needs to be on the relevant services that are not authorised. But how does this work? In order to obtain the data for subsequent evaluation, the first step in the company is to analyse which log sources are pertinent. These can be proxy systems, firewalls or even directly SIEM or Syslog appliances. Sample data from these log sources is used initially to define the interfaces for subsequent processing.

For on-site analysis in the company, you need the Enterprise Connector, which prepares the initial data before it is sent to the Skyhigh Cloud for subsequent processing and analysis.

All data irrelevant to the analysis is deleted from the logs. For example, the "normal" surfing behaviour of employees is not examined, only when they have used cloud services. Therefore employees who connect to the Dropbox website without logging in are not regarded as cloud users.

The subsequent analysis of the data shows which services were used at what time and by whom. For this purpose, a risk score is calculated for each service, along with the volume of data transmitted, if any. The risk score is defined according to various criteria, for example:

  • Is data sharing with others possible?
  • Are there ways to encrypt data?
  • What does access control look like?
  • ... and many more questions.

A total of 50 different criteria are used to assess the risk score.
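The filtering and scoring steps described above, sketched as an added example; it is not part of the original article and is not Skyhigh's actual scoring. The log format, the three criteria, their weights, the sanctioned list and the rule that only requests sending data count as cloud usage are all assumptions made for illustration.

```python
from collections import defaultdict
# Constructed catalogue: True means the risky property applies (assumed values).
CATALOGUE = {
    "dropbox.com": {"sharing": True, "no_encryption": False, "weak_access": False},
    "pdf-convert.example": {"sharing": True, "no_encryption": True, "weak_access": True},
}
WEIGHTS = {"sharing": 3, "no_encryption": 4, "weak_access": 3}  # hypothetical weights
SANCTIONED = {"dropbox.com"}  # assumption: services the company has approved

# Constructed proxy log: timestamp user method host path status bytes_sent
SAMPLE_LOG = """\
2018-09-19T08:01:12 alice GET www.dropbox.com / 200 0
2018-09-19T08:02:40 bob POST www.dropbox.com /login 200 312
2018-09-19T08:03:05 bob PUT www.dropbox.com /upload/report.docx 200 48211
2018-09-19T08:05:33 carol POST pdf-convert.example /login 200 280
2018-09-19T08:05:59 carol POST pdf-convert.example /convert 200 901244
2018-09-19T08:07:10 alice GET news.example /index.html 200 0
"""

def service_for(host):
    """Return the catalogue domain that host belongs to, or None."""
    for domain in CATALOGUE:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def risk_score(domain, weights=WEIGHTS):
    """Weighted share of risky criteria for a service, scaled to 0-10."""
    hit = sum(w for name, w in weights.items() if CATALOGUE[domain][name])
    return round(10 * hit / sum(weights.values()), 1)

def analyse(log_text, weights=WEIGHTS):
    """Aggregate users and bytes sent per cloud service, riskiest unsanctioned first."""
    usage = defaultdict(lambda: {"users": set(), "bytes_sent": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[6].isdigit():
            continue  # skip malformed lines
        _, user, method, host, _, _, sent = fields
        domain = service_for(host.lower())
        # Drop ordinary browsing and visits that send no data to the service.
        if domain is None or method not in ("POST", "PUT") or int(sent) == 0:
            continue
        usage[domain]["users"].add(user)
        usage[domain]["bytes_sent"] += int(sent)
    report = [{"service": d, "users": sorted(u["users"]), "bytes_sent": u["bytes_sent"],
               "risk": risk_score(d, weights), "sanctioned": d in SANCTIONED}
              for d, u in usage.items()]
    return sorted(report, key=lambda r: (r["sanctioned"], -r["risk"]))
```

Calling `analyse(SAMPLE_LOG)` lists the unsanctioned converter ahead of the approved service, and alice, who only opened the Dropbox start page, appears under neither.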

McAfee Skyhigh, the security broker for Cloud access

The weighting of the risk score can be adapted to meet the needs of the company. If the company approves its employees' use of Evernote or Dropbox, the risk is adjusted in accordance with the critical aspects.

Once the company has collected and analysed its data, the next step is to take appropriate measures. In a PoC or Cloud Access Audit, a report is prepared with recommendations and best practices. Another possibility is closed-loop remediation. A policy that blocks access to the unwanted cloud services is created either directly via API integration on the perimeter device, or URL lists can be created to extend the proxy policy with, for example, a custom category. This allows accesses to be blocked.

These reports can also help to develop a more sophisticated cloud strategy. This allows you to establish standard applications - and your employees do not have to migrate to insecure platforms. 

Shadow IT – Where there was darkness, we are bringing light 

Consistent transparency across all your cloud services - sounds too good to be true? We can offer you that! Our Skyhigh-based Cloud Access Audit gives you detailed insight into cloud usage and what risks exist with your current cloud use. The results will give you tangible recommendations to further strengthen your cyber security. Fight Shadow IT and bring light into the darkness with Skyhigh!