Malicious unmanned cloud applications downloaded onto desktop and devices from third parties are exposing enterprise networks to security issues with increasing frequency, according to managed IT security services company Securicom.
Many companies are not exercising appropriate control over these apps downloaded and used by employees.
This is despite robust tools available to block, monitor and control downloads and the use of the third-party apps.
Richard Broeke, Securicom general manager, says an enterprise’s cloud-based infrastructure becomes more vulnerable with each and every third party connected application that employees introduce into the environment.
“These apps, once granted access by users via open authentication, are able to communicate quite freely with the corporate cloud as well as software-as-a-service (SaaS) platforms.
“Once they are able to access the network, the apps can view, delete, externalise, and store corporate data.
“Alarmingly, some are even capable of acting on behalf of users. What we are finding is that a lot of companies do not know how many apps have access to their corporate infrastructure, which ones pose a risk, or what those risks are,” he says.
An analysis of connected third-party cloud applications across a sample group of 900 organisations representing a range of industries in 2016 showed that at least 27% of the apps introduced by employees into enterprise environments posed a high-security risk.
The number of third-party apps is also growing rapidly.
There were about 129,000 unique applications observed at the beginning of 2016.
By the end of October, that number had grown to 222,000.
“File sharing apps, instant messaging tools, remote printing apps, and even photo editing tools are examples of the kinds of apps that employees are downloading for work and personal use onto the very same endpoints and devices they also use to store and share business information.
"This obviously comes with the risk of exposure of critical and confidential business information as well as malware,” says Brooke.
Measures can be put in place to identify unsanctioned apps and enforce corporate policies regarding the use of cloud resources.
In fact, with the right technologies, companies can make a selection of applications available to employees without compromising company infrastructure or data.
“To prevent employees from using a diversity of apps which all do the same thing, companies can implement policies and technologies which allow certain, credible and tested ones while blocking others.
"This limits the number of unmanned applications at play in the organisation. Companies don’t have to have a complete blanket ban on the use of third-party apps,” he says.
He advises companies to:
- Educate employees on the risks of using unsanctioned apps and what information is or isn’t okay to share or store in third party apps.
- Conduct an analysis to identify what apps employees are using and why
- Investigate whether there are more efficient and safer options that could be authorised and managed.
- Create an in-house directory of company-approved apps to allow employees to find and use the apps that they find useful while also reducing the unsanctioned use of unapproved apps.
- Most enterprise versions of cloud-based apps offer some kind of directory services that enable IT to integrate with employees’ existing user passwords. This would give the IT team control over the new apps.