Shadow IT and BYOD are not new problems, but the pandemic highlighted just how much workers rely on cloud applications to stay productive. The use of personal apps on the corporate network is more accepted now than it was even a few years ago. The result is more data sprawl, which puts cloud data security at greater risk.
According to research from Netskope, more users than ever are working and playing on cloud applications: the share of users generating data activity in those apps (uploading, creating, sharing or storing data) rose from 65% to 79% in the first half of 2022. Many of these apps have overlapping functionality, and each additional app brings its own configuration surface, which leads to security issues such as misconfiguration, policy drift and inconsistent access controls.
What is different now versus a few years ago is that app use in enterprise environments continues to be normalized.
“There was a time when apps like Gmail would just be banned in enterprise environments because there was no legitimate use for them at work. Now, enterprises use Gmail as their primary mail provider. The days of blanket-blocking cloud apps are behind us,” said Ray Canzanese, threat research director with Netskope Threat Labs, in an email interview.
At the same time, the number of apps continues to grow, especially collaboration apps, Canzanese added. “So not only do you have the normalization of using apps in the enterprise, the number of different apps is constantly growing as well, making it harder to keep up with what is being used for legitimate business purposes and what is purely personal.”
Overlapping app use has created new levels of data sprawl. As the Netskope research pointed out, “Of the 138 apps for which an organization with 500–2,000 users uploads, creates, shares or stores data, there are on average four webmail apps, seven cloud storage apps and 17 collaboration apps.”
“It’s natural to want to cut down on the number of tools we have to interact with every day, which leads people to consolidate, which in turn leads to the risk of data from our professional worlds leaking into our private ones,” explained Mike Parkin, senior technical engineer at Vulcan Cyber. “It can be as simple as accidentally pasting a paragraph from a technical document you’re working on into the wrong chat channel.”
Then there is the cloud configuration issue. Because app defaults are typically chosen for usability rather than security, security teams must review the configuration of every cloud app used within the organization and align it with the organization's security requirements. The more apps there are, the more likely it is that misconfigurations, policy drift and inconsistent access policies creep in.
“And that is just for the apps that are managed,” said Canzanese. “For unmanaged apps and personal apps, the problem is even more severe: You end up with organizations losing visibility and control over who can access the data and what they can do with it.”
Unsanctioned applications installed for personal use on a corporate device can create a soft entry point for a data breach, Corey O’Connor, director of products at DoControl, pointed out in an email comment. “There’s been a notable trend in supply chain-based attacks, especially where OAuth tokens become compromised to gain the initial foothold. Data is generated in high volume in almost all applications. You now have more data and more places to steal it from.”
Using personal apps for business was always a concern, but it became normalized during the pandemic as individuals turned to technology to stay connected with other people and with their jobs.
“Prior to the pandemic, it was a natural behavior change as work and personal devices became commingled over time,” said O’Connor. “Ten years ago, people had separate cell phones for work and personal use. The current state is a blending of corporate and personal devices and applications. People have become more accustomed to using corporate devices for personal use and vice versa.”
With this new normal of personal app use, organizations will have to adjust how they handle cloud security and rein in data sprawl.
“Some organizations have found success using virtual desktops for their employees’ workspace,” said Parkin. “That gives them solid control over the work environment and requires minimal intrusion into their people’s personal space. Properly configured, the two environments can be largely isolated, which helps prevent data crossing over.”
Overall, the complexity brought about by the rise of personal apps and the overlap in their functionality introduces risks that are often hard to identify and makes known risks more difficult to manage.
Organizations should be thinking of ways to allow the use of personal apps for personal reasons while restricting the flow of sensitive information into those apps, said Canzanese. “This reduces friction with users while protecting the organization’s data.”
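The approach Canzanese describes amounts to instance-aware data controls: the same app (Gmail, Google Drive, Slack) is treated differently depending on whether the user is signed into the organization's managed tenant or a personal account, and only sensitive content is stopped on its way into the personal instance. The following is an added example illustrating that policy logic; it is not code from Netskope or from anyone quoted in the article. It assumes a CASB or inline proxy that already emits upload events with the destination app, the signed-in account and the document content; the managed-instance table, the sensitivity detectors and the sample events are all hypothetical and constructed for the example.

```python
"""Instance-aware DLP decision for uploads to cloud apps (illustrative example)."""
import re
from dataclasses import dataclass


@dataclass
class UploadEvent:
    """One upload observed by a proxy/CASB (hypothetical event shape)."""
    user: str       # who performed the upload
    app: str        # destination app, normalised name
    account: str    # identity the user is signed into at the destination
    filename: str
    content: str    # document text or a content sample


# Hypothetical table of the organization's own tenants per app, keyed by the
# e-mail domain of the signed-in identity. Anything else is a personal instance.
MANAGED_INSTANCES = {
    "gmail": {"corp.example"},
    "google_drive": {"corp.example"},
    "slack": {"corp.example"},
}

# Hypothetical detectors: classification labels and card-like digit runs.
LABEL_PATTERN = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b")
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check so random 16-digit strings are not flagged as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sensitive(content: str) -> bool:
    if LABEL_PATTERN.search(content):
        return True
    for m in CARD_PATTERN.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def instance_of(event: UploadEvent) -> str:
    """'managed' if the signed-in identity belongs to a known corporate tenant."""
    domain = event.account.rsplit("@", 1)[-1].lower()
    return "managed" if domain in MANAGED_INSTANCES.get(event.app, set()) else "personal"


def decide(event: UploadEvent) -> tuple[str, str]:
    """Allow managed instances; allow personal instances only for non-sensitive data."""
    if instance_of(event) == "managed":
        return "allow", "managed instance"
    if is_sensitive(event.content):
        return "block", "sensitive content bound for a personal instance"
    return "allow", "personal instance, no sensitive content detected"


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    UploadEvent("alice", "google_drive", "alice@corp.example", "roadmap.docx",
                "INTERNAL ONLY - Q3 roadmap"),
    UploadEvent("alice", "google_drive", "alice@gmail.com", "roadmap.docx",
                "INTERNAL ONLY - Q3 roadmap"),
    UploadEvent("alice", "gmail", "alice@gmail.com", "recipe.txt",
                "Grandma's lasagna recipe"),
    UploadEvent("bob", "dropbox", "bob@gmail.com", "customers.csv",
                "name,card\nJ. Doe,4111 1111 1111 1111"),   # Luhn-valid test number
    UploadEvent("bob", "dropbox", "bob@gmail.com", "orders.csv",
                "order,ref\n1,4111 1111 1111 1112"),        # fails Luhn, not a card
]


def evaluate(events=SAMPLE_EVENTS) -> list[tuple[str, str, str, str]]:
    """Return (user, app, decision, reason) for each event."""
    return [(e.user, e.app, *decide(e)) for e in events]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The unknown app (dropbox) has no managed tenant in the table, so it is treated as personal by default, which is the safe direction: a new collaboration app nobody has reviewed yet should not silently receive labeled or card-bearing data. The same policy lets Alice keep using her personal Gmail for the recipe, which is the reduced-friction outcome the quote above is after.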