
Assessing the impact of shadow IT, part 2

  • Posted on: June 6, 2014
  • Posted in: Cloud Computing, Encryption, Industry News
  • Posted by: Trend Micro

In the first part of this series on shadow IT, we looked at what it is and how prevalent it has become within IT departments. Here are some of the specific risks that enterprises face from shadow IT:

Surveillance and data leakage
One-third of the 3,571 cloud services analyzed in a recent Skyhigh Networks report were vulnerable to the Heartbleed bug in the OpenSSL cryptographic library. That vulnerability was patched not long after its April 2014 discovery, but encryption remains a stumbling block for cloud security. Only 11 percent of services were encrypting data at rest.

Encryption is fundamental to cloud security. Within shadow IT, considerations about what encryption measures – if any – the provider uses take a back seat to whatever is most convenient for the end users. Enterprise customers have to take back control and ensure that all cloud services in use by the company feature encryption and have straightforward terms for managing keys.

“The important part is that the key management is disjoined from the cloud provider,” Trend Micro solutions architect Udo Schneider told ComputerWeekly. “This means that even if someone succeeds in stealing all your virtual drives, they will be useless to them. The fact the data is disjoined – which is really not technology but basic maths – is essential, but the interesting part in this whole discussion is that a customer can specify under which conditions they release a key to a workload.”

Slow or delayed progress on modernizing IT
Security concerns about the public cloud are not enough to hold back business adoption. Many organizations are taking up Amazon Web Services and similar offerings to scale operations and reduce the burden of in-house IT infrastructure management.

But with shadow IT, setting up a secure, efficient enterprise cloud becomes difficult. Companies may lose sight of the cloud’s benefits after a breach or unexpected bill – triggered by shadow IT users – causes extensive damage. Organizations have to have conversations about how to implement cloud solutions that cater to users’ needs while also benefiting operations as a whole. As with encryption, due diligence must be performed in order to identify potential weaknesses and realize the consequences of a security incident.

“To securely implement SaaS products and take full advantage of the benefits they afford, it’s not enough to know what threats and vulnerabilities this delivery and consumption model presents. It’s also critical to hold a firm understanding of which party is responsible in the event of a breach,” stated the authors of a recent Forrester Research report (http://talkincloud.com/saas-software-service/051314/forrester-shadow-it-cannot-be-ignored). “The combination of this new technology and its unique vendor-customer relationship, however, makes this easier said than done.”

Issues with mobile devices, spear-phishing and authentication
Last year, Trend Micro’s research projected that there would be more than 1 million malicious Android apps by the end of that year. The rapid adoption of mobile devices and BYOD initiatives means that there are many new conduits for classic attacks such as spear-phishing to steal credentials and hijack accounts.

Only 16 percent of the apps studied by Skyhigh Networks featured multifactor authentication. Employees who are accustomed to constantly forgetting and resetting their passwords may be bringing these practices into the workplace via shadow IT usage of unapproved services. In the next part of this series, we’ll look at what can be done to better contain shadow IT in the context of the cloud.
