“Shadow IT” is a concern for many enterprises, as they don’t always know which cloud applications are in use in their organization. It is important to be able to identify the cloud apps in use on your corporate network, and then take the appropriate action.
Using a log analyzer, analyze the access logs on your firewall or DNS service to extract a list of all apps in use at your company. If you have a next-generation firewall or secure web gateway, you already have a source for this data. You can also use free or paid commercial services, some of which are offered by CASB vendors as an ancillary service, for identifying cloud apps via log analysis.
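As an added illustration (not part of the original guide), the following Python sketch shows the kind of log analysis described above: it maps DNS query names to cloud apps and reports request and client counts per app. The log format, the domain-to-app catalogue and the sanctioned list are constructed assumptions, not the output of any particular firewall or DNS product.

```python
from collections import defaultdict

# Constructed catalogue (assumption): domain suffix -> app name.
APP_SUFFIXES = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "twitter.com": "Twitter",
    "salesforce.com": "Salesforce",
}
SANCTIONED = {"Salesforce"}  # assumption: apps IT has approved

# Constructed sample log, format: "<timestamp> <client_ip> <queried_name>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.11 www.dropbox.com
2024-05-01T09:00:05Z 10.0.0.12 api.dropboxapi.com
2024-05-01T09:01:10Z 10.0.0.11 login.salesforce.com
2024-05-01T09:02:00Z 10.0.0.13 twitter.com
2024-05-01T09:02:30Z 10.0.0.13 notdropbox.com
2024-05-01T09:03:00Z 10.0.0.11 WWW.Dropbox.com.
malformed line
"""

def match_app(name):
    """Map a queried name to an app, matching suffixes on label boundaries."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        app = APP_SUFFIXES.get(".".join(labels[i:]))
        if app:
            return app
    return None  # e.g. notdropbox.com must not match dropbox.com

def inventory(log_text):
    """Return {app: {"requests": n, "clients": k, "sanctioned": bool}}."""
    hits = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed entries
        app = match_app(parts[2])
        if app:
            hits[app]["requests"] += 1
            hits[app]["clients"].add(parts[1])
    # Report how many clients used each app, not which ones.
    return {app: {"requests": h["requests"], "clients": len(h["clients"]),
                  "sanctioned": app in SANCTIONED}
            for app, h in hits.items()}

if __name__ == "__main__":
    print(inventory(SAMPLE_LOG))
```

Apps that appear with `sanctioned` set to `False` are the candidates to review; the per-app client count indicates how widely each one is used.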
Keep in mind that not all cloud apps are “Shadow IT.” Many employees use cloud apps like Twitter, Facebook or Dropbox for their own personal use. Inspection of personal use apps can run afoul of employee privacy concerns and should be carefully thought through before proceeding.
Recognize that inspecting and restricting data flowing into cloud apps is not a good way to control Shadow IT. If the app is useful for business, then you don’t filter it. If the app is not useful for business, then you either block it or leave it be. Even blocking itself is not always feasible—if you block an employee on a corporate network, they can generally find an unrestricted Wi-Fi network elsewhere on which to connect to the blocked app(s).
To help provide more color on what CASBs do, we have created The Definitive Guide to Cloud Access Security Brokers. We're providing the entire document via a series of posts on this blog. Of course, if you prefer to binge read your Definitive Guides much like you binge watched Breaking Bad on Netflix, you can download the whole thing immediately, right here.