Best practices for curbing shadow IT in a VMware cloud

Shadow IT – the use of unauthorised tools and resources – is a security risk for enterprises. Learn how to control it in a VMware cloud.

There's a paradox at the heart of today's cloud-first workplace culture.

The vision is one of unification. All workloads, processes, data and apps are migrated safely to the cloud, where they sit in safe, accessible harmony.

Then there's the reality. The age of the cloud is also the age of hybrid working. Of bring-your-own-device policies. Of unauthorised accounts and cloud-based software.

And, as T.S. Eliot said, between the vision and the reality falls the shadow: the mysterious and frustrating presence of "shadow IT".

Shadow IT is a ghost in the machine. The phrase refers to any unknown or unapproved IT in your organisation.

It's rarely the product of malice. Most employees bear the IT department no ill will. It's usually an innocent attempt to make life that bit simpler – but because it's unapproved and unvetted, it can pose security risks not just for the employee but for the whole organisation.

In this article, we explore the twilight world of shadow IT – and some best practices for curbing it in a VMware cloud. But first: why does it matter?

Why is it important to curb shadow IT?

There are several reasons why it's important to curb shadow IT in a VMware cloud (or, indeed, any cloud). But they all combine to make one big reason: cyber security.

Security, we all know, should never be an afterthought. In a cloud-first world, skimping on security is like having a door without a lock. You might as well invite hackers to sit in on your meetings.

It's not just that you might experience a data breach, however. It's also that you could feel the chill in both your reputation and your finances.

Data leaks are bad for business. They suggest a rudderless ship. Working with a company after a serious data breach is like hiring a removal van from a company that's just been done for joyriding.

So much for your reputation. There's also the financial penalties that come with GDPR and other regulatory frameworks. These aren't anything to be sniffed at.

Cyber security is so much more than just curbing shadow IT – but those unauthorised tools and resources need taming. Otherwise, you're building yourself a coffin and climbing inside to see how it fits.

The bottom line is that shadow resources haven't been vetted by IT. There's no way of knowing if they meet your company's security standards – heck, there's often no way of knowing that they're even there .

And in either case, there's no way for management to hold shadow users accountable. It's a digital Wild West that's growing right under your nose – a spreading but odourless haze.

The big risk is a data breach caused by a distended attack surface. But shadow IT can also create non-compliance with some software vendors and even inter-departmental friction

What can you do about it?

Perhaps the most useful thing that a company can do to curb shadow IT – and bolster cyber security in general – is to create a "cloud-first culture".

This means that employees are kept up to speed with the technological side of things. There's not much use in you muttering behind closed doors about the dangers of shadow IT if your staff have no idea that it's an issue.

Do you have a first port of call for all things cloud? Do you have webinars and knowledge-sharing sessions to promote cloud awareness? If the answer is "no", you might find yourself regretting it down the line.

Related to this is the importance of opening up lines of communication between IT and employees. This is a two-way street. Employees need to know how to raise concerns and IT needs to respond to them in a timely fashion. The alternative is for disgruntled employees to go rogue and set up shop in the shadows.

Finally, you can deploy software to continuously monitor the network, ensuring visibility and control of all devices, tools, resources, applications and systems.

If you're using a VMware Cloud, CASB is the answer.

How can VMware's CASB help?

CASB (cloud access security broker) is a key part of VMware's Cloud Web Security and SASE portfolio. It offers complete visibility into all SaaS applications – and enables IT to have complete control over user access.

This puts you in the position to curb shadow IT without slowing down productivity. In fact, it shortens IT's to-do list and makes it easier than ever to enforce security policies.

CASB is kind of like a traffic cop. It checks all the traffic flowing between an enterprise and its cloud providers. Whether on-prem or in the cloud, the CASB has hawkish eyes and an even more hawkish grip on rogue traffic.

This could be the difference between a leak of confidential data and a watertight network.

How does it work?

VMware's CASB gives you full visibility into all the SaaS applications in your network – and allocates a "risk score" to each one. IT is then able to accurately monitor the risk levels and fine-tune access permissions and activity controls.

Let's say that one app is low-risk. You can set it so that users can log in, upload and download files without putting security at risk.

But another app is high-risk. For this one, you can configure things so that users can upload files but not download them.

All in all, this visibility is good for everyone – senior management, employees and IT. It streamlines asset management, cybersecurity risk management, security log management and compliance.

Conclusion

Shadow IT isn't going anywhere. We live in an age of increasingly complicated networks, brimful of devices, apps and users. There will always be network activity that's difficult to detect and hard to curb.

However, you can take steps to bring it under control – whether that's a case of improving your employees' knowledge or deploying VMware's CASB.

Are you looking for a VMware consulting service ? At Ascend Cloud Solutions, we're VMware experts and have helped over 400 enterprises migrate to the cloud. Get in touch today for a no-obligation consultation.