
Shining a Light on Shadow IT: Jason Crist on the Future of Cloud Security

If only we could solve IT's security headaches with a magic pill.

As impatient employees demand access to new cloud-based services and devices - which sometimes don't mesh with an organization's existing security framework - they're not taking no for an answer.

Oftentimes, departmental managers go behind IT's back and procure the products on their own. But while these lone wolves may argue they are only cutting through bureaucracy and acting in the company's best interests, they also risk introducing new vulnerabilities into the network. We sat down with Jason Crist, Symantec's Regional Vice President of Sales for State, Local & Education in the Western United States, to find out how IT can cope with these and myriad other challenges to cloud security.

Q: Shadow IT - the unofficial, unsanctioned hardware and software, like WiFi-connected tablets and cell phones, that most workers bring to work - looks daunting from a security viewpoint. Security professionals are already swamped. What are you doing at Symantec to ease the burden?

Crist: Shadow IT is certainly a buzzword today and it's not going away anytime soon. A huge issue that enterprises face is data loss through theft or accidental sharing of data. Roughly 23% of cloud documents are shared broadly and 12% of those documents actually have sensitive, personally identifiable information including health and credit data.

Organizations depend on mobile more than ever before. Take, for instance, Salesforce's mobile app. Salesforce on the cellphone is critical for many people in sales. But you can't just lock things down to the point where people can't do their jobs, so ultimately there has to be a policy that says, "these apps we accept, and these we don't."

Symantec works with organizations to give them visibility into the cloud apps that are in use and shed light on which "unsanctioned" cloud services are potential issues. Symantec can also monitor the content and files flowing in and out of a customer's network through the web and email to make sure potentially harmful information isn't leaking out.

Clients also have to develop a policy and make sure that there is messaging and collaboration within the leadership team. You can leverage technologies to help you adhere to that policy.

Q: What are you seeing overall? Are the best IT departments looking to give their clients more freedom than before, or less?

Crist: They're being selective in what they allow. Your marketing department certainly has the right to publish on Facebook and promote the brand of the company. Yet, with controls like the ones we have at Symantec, you can allow people to go to Facebook for an hour a day, say, but not play games there. Other than marketing, there's really no reason for most workers to be on Facebook during work hours. So, no, I don't think we are headed back to the days when everything was locked down. But it's clear that organizations need to be mindful of the information and applications their people are touching.

Beyond a list of sanctioned and unsanctioned apps, good cloud security means you have controls in the data center. You have the ability to see who is accessing which app and which data within a storage environment. Then you have controls to prevent that information from seeping out, whether the intent is malicious or not.

And that's what makes Cloud Access Security Brokers (CASBs) so important right now. We are at Shadow IT v2.0 right now. There's a lot more to pay attention to than most people realize.

We've polled IT managers and asked them: How many cloud apps do you suppose are in use by your employees? We routinely hear answers in the range of 30 or 40. The reality is much, much higher. We find 900 cloud apps, on average, on large networks. And many of these are from vendors that you've never heard of.

So, what can go wrong? Here's an example. In many cases, companies will only use the cloud for storage - let's say they set a policy that says you are allowed to use Dropbox. What happens when an employee from Company X is about to move to the competition, Company Y? If he has Dropbox on his desktop, he can simply take a copy of all of his files with him. If they don't have a policy that monitors what applications employees can use from their home, and they don't have a policy that defines what they can download from their Dropbox, that data is gone. That's such a simple thing. And you wouldn't believe how often we see it happen.

Or suppose I work for a company that uses Dropbox, but I prefer SugarSync. SugarSync seems to work well because it syncs with my iPad and my PC and Mac and it does the same thing. So, I install SugarSync on my laptop. Next thing you know I'm connected to SugarSync with all corporate information in the Cloud, and there's nothing to keep me from downloading anything I want, even though I wouldn't be able to do that with Dropbox on this network. A good CASB can help prevent that.

We're in a good place in this market - in the top right of the Gartner quadrant with our CASB solution. Our Symantec CloudSOC CASB gives not just visibility into apps that are running, but also corporate policy and control with data loss prevention, so that you can really prevent important confidential information like personal health data or credit card account details from leaking out.

If you think of what firewalls do, controlling or preventing people from going places or making sure they go a certain pathway and what an intrusion prevention system (IPS) does in terms of what information is allowed and not allowed - all of these are functions our CASB does for cloud apps and content.

Additionally, it also makes sure data is not transferred from one cloud to another, like from Dropbox to SugarSync to someone's desktop. Whether it's data at rest or data in motion, you've got a way to protect and control your most critical information. There are multiple ways to do that.
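As an added illustration of the discovery and egress-control step Crist describes (this is example code written for this page, not Symantec's or CloudSOC's code): a minimal shadow-IT discovery pass over constructed proxy log lines that maps hostnames to a hypothetical app catalog, compares the result against a sanctioned list, and flags unsanctioned apps that received large uploads. The log format, catalog, sanctioned list and byte threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article): timestamp user method host bytes_out
SAMPLE_PROXY_LOG = """\
2023-03-01T09:01:12Z alice POST www.dropbox.com 1048576
2023-03-01T09:02:40Z bob GET api.sugarsync.com 512
2023-03-01T09:03:05Z bob PUT api.sugarsync.com 20971520
2023-03-01T09:04:00Z carol GET www.facebook.com 300
2023-03-01T09:05:30Z alice GET mobile.salesforce.com 2048
2023-03-01T09:06:10Z dave POST files.example-filehost.net 7340032
2023-03-01T09:07:55Z carol POST www.dropbox.com 4096
"""
# Hypothetical app catalog (host suffix -> app); a real CASB ships thousands of such entries.
APP_CATALOG = {"dropbox.com": "Dropbox", "sugarsync.com": "SugarSync",
               "salesforce.com": "Salesforce", "facebook.com": "Facebook"}
SANCTIONED = {"Dropbox", "Salesforce"}   # the organisation's approved list (constructed)
UPLOAD_METHODS = {"POST", "PUT"}         # requests that carry data out of the network
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def app_for_host(host):
    """Map a hostname to a catalog app by domain suffix; unknown hosts keep their base domain."""
    for suffix, name in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "unknown:" + ".".join(host.split(".")[-2:])

def discover_cloud_apps(log_text):
    """Per cloud app: distinct users, bytes uploaded, and whether it is on the sanctioned list."""
    apps = defaultdict(lambda: {"users": set(), "upload_bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of crashing the run
        _ts, user, method, host, size = m.groups()
        entry = apps[app_for_host(host)]
        entry["users"].add(user)
        if method in UPLOAD_METHODS:
            entry["upload_bytes"] += int(size)
    return {name: {"users": sorted(e["users"]), "upload_bytes": e["upload_bytes"],
                   "status": "sanctioned" if name in SANCTIONED else "unsanctioned"}
            for name, e in apps.items()}

def egress_alerts(report, threshold_bytes=1024 * 1024):
    """Unsanctioned apps that received more than threshold_bytes of uploads: data likely leaving."""
    return sorted(name for name, e in report.items()
                  if e["status"] == "unsanctioned" and e["upload_bytes"] > threshold_bytes)
```

On the sample lines, the unapproved sync service and the never-heard-of file host both surface as upload alerts, while the sanctioned Dropbox traffic is reported but not flagged.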

Q: What's the demand for CASB and other cloud security? Will this be the next big wave?

Crist: Absolutely. In the state, local government and educational market, everyone is looking at adopting Amazon Web Services, Office 365, or numerous other cloud services because they want out of the managing of their own data center and managing the operating and capital expenditures that go along with it. They really want more of a utility model, where they can scale up and scale down without worrying about it. It's something that I would say 60 or 70% of customers are asking us for a proof of concept or more info regarding visibility or audit of different cloud providers they may be using, sanctioned or not.

Q: So, what's the bottom line? Is the cloud more secure in practice? Less?

Crist: It used to be that antivirus, gateways and firewalls were enough to keep you reasonably secure. Recently though, people have been getting into really big problems in the cloud when the crown jewels were compromised - like 120 million credit cards at one major retailer we've all heard of. That placed a massive amount of money at risk. At consumer credit agencies, it's the data of their customers - their crown jewels - that have been compromised.

Those crown jewels are now in the cloud. Large organizations of all sorts have to become much more focused on what their sensitive data is, where that sensitive data resides and who's accessing that data, while having measures in place to make sure it's not compromised. In summary, the perimeter of your control has gone away, things are not in a central location and the days of having them in a fenced off area are gone.

IT and top management have to ask themselves, has this data been classified? Is there anyone touching it who should not? If it has been compromised we need to make sure there's a wrap-around - that it goes to the cloud encrypted. If an authorized person is accessing that data from their home PC they have to go through the VPN, and have to go through certain pathways. It's really evolving. I think we will see a significant uptick in data loss prevention and awareness. I just came off a tour in Texas and California. Two of the states' main agencies are looking at CASB right now. I expect the rest of the country will soon follow.

About the Author

William Rodger

Technical Writer

Will Rodger is a veteran communicator and policy specialist with more than 20 years' experience in public and governmental affairs in the United States and Europe. His work has appeared in publications such as USA TODAY, Wired Magazine, and Business Week.

About the Author

Jason Crist

Regional VP of Sales - State, Local & Education - West

Jason Crist is the VP of Sales for Symantec Corporation’s West Region. He leads teams to support state, local government, and education in their efforts to improve cybersecurity.
