Shadow IT is a term that refers to any application (apps) that a company’s employees utilise without obtaining IT approval. With the ever-growing list of apps available, Shadow IT is increasing exponentially and with more businesses moving their data onto Cloud platforms, the biggest risk is posed by connected third-party applications.

CloudLock, a cloud security company, has done extensive analysis on the risks that individual apps present to businesses. They recently produced a Cloud Application Risk Index (CARI), as part of their 2nd Qtr Cloud Security Report, which evaluated nearly 160,000 unique third-party applications across 10 million end users, and assessed “risk across three dimensions – access scopes, community trust ratings, and application threat intelligence – to assign a well-rounded application risk value and help security teams make informed decisions on which apps are trustworthy and which should be monitored, banned and revoked”.

Key findings include:

  • 27% of apps connected to corporate environments are high risk
  • There has been a 30x increase in connected third-party apps in just two years (2014-2016)
  • More than half of third-party apps are banned due to security-related concerns

Although some organisations are happy for their employees to ‘shadow’ innovative technology solutions and view these apps as improving productivity, it is vital that the connected third-party apps are closely monitored, because authorising them provides access to corporate data on multiple platforms.

The third-party apps pose a risk to your business because of a new authentication protocol known as OAuth connections. OAuth connections allow apps to act on behalf of users, which is dangerous when enabled using corporate credentials. To manage the potential risks associated with connected third-party apps, the ones that pose the highest risk need to be identified, and mitigation strategies need to be put in place accordingly.

Third-party apps authorised via OAuth-connections have extensive and sometimes excessive access scopes. Since they can view, delete, transfer, and store corporate data, and even act on behalf of users, they must be managed carefully.

The CloudLock report states, “On a daily basis, employees are utilizing apps without notifying IT, and authorizing OAuth connections through their corporate credentials. If these apps are malicious by design, or the connected application’s vendor is compromised, this opens the door to cybercriminals deleting accounts, externalizing or transferring information, provisioning or de-provisioning users, changing users’ passwords, modifying administrator’s settings, performing email log searches, and more.”

From their analysis, CloudLock found that, on average, an organisation’s users connect 733 third-party apps to the corporate environment. The Technology, Media, and Education industries were the largest consumers, with their tech-savvy users, increasing their use of apps at a faster rate than other industries.

Of the 156,796 third-party apps that have been granted access to corporate systems this year, security teams classified 27% of them as “high risk”. This figure was roughly the same all around the world and the size of the organisation did not seem to matter. Financial Services had a slightly higher percentage of risky apps, which is surprising, given their strict compliance regulations and IT scrutiny over information sharing.

The list of top 10 risky apps includes various games, music players, the Goobric Web App, and the Pingboard employee directory software. The most risky application is the mobile strategy game Clash Royale. While these apps are not necessarily risky by nature, they can represent a serious problem if they are compromised – mainly due to their extensive access to corporate environments and the high number of privileged users.

Over half of the third-party apps assessed for 2016 have been banned due to security concerns. Excessive access scopes accounted for 24% of banned apps, while 19% of bans were due to vendors not being trustworthy.

These are the apps most commonly banned by companies:

Top 10 Banned Apps

  • WhatsApp Messenger
  • Zoho Accounts
  • SoundCloud
  • Sunrise Calendar
  • Power Tools
  • Pinterest
  • Free Rider HD
  • Airbnb
  • Madden NFL Mobile
  • CodeCombat

These are the apps most commonly trusted by companies:

Top 10 Trusted Apps

  • Slack
  • LinkedIn
  • Asana
  • Zoom
  • Turnitin
  • Zendesk
  • Lucidchart
  • Hubspot
  • Smartsheet
  • Quizlet

Security teams will evaluate risk levels and approve the use of apps that increase productivity, are required for work, or have proven to be a useful tool.

Below are a few best practice recommendations by CloudLock:

  • Understand what apps users are authorising and which have the most installs.
  • Create protocol for which apps should be allowed, reviewed or automatically revoked.
  • Watch admin accounts closely – they should never be used to grant access to a third-party app.
  • Evaluate the types of apps being used, consolidate where possible and consider company-wide roll out.

Continuously monitor your cloud environment for possible breaches.