Taking the Shadow out of “Shadow IT”

Matt Soseman, Partner Technical Architect, Modern Workplace – Security

Edward Walton, Cloud Solution Architect, Modern Workplace – Security

You may not realize it, but your organization is already operating in the cloud. Even if your IT department hasn’t deployed cloud services yet, your employees already have, and your organization is 100% responsible for the security and compliance of that data. This is known as “shadow IT”, where an organization is using application services, but IT has not yet approved their use—and it creates a major challenge for IT and a major risk for the organization.

Sure, you can attempt to “block” shadow IT – but blocking won’t solve the issue. Users will always find another way, so blocking will just inhibit the innovation, productivity, and creativity that your users want (among other more important things such as employee recruiting/retention and organizational competitiveness). Therefore, it’s important that we discover what apps are in use today and develop a strategy to control those apps and to protect the data they access and use – then we can talk about which other, unapproved apps we may want to block.

There are three steps to creating an action plan that mitigates the challenge and risk of shadow IT:

  1. Visibility: Gain visibility by discovering what applications are in use, authentication being used, and the security and compliance of those applications. From here you can associate a level of risk and determine if controlling or blocking makes sense.
  2. Control: Through control of application use, policies can be developed—that are aligned to your organization’s compliance requirements—that define which applications are approved and how/what data can be in the cloud.
  3. Protect: Protect against threats by defining a baseline for application access and analyzing abnormal patterns/behaviors that stray from that baseline. Understand if anomalies are actual threats and develop a strategy to address them.

In this blog post, we will take you through the first step in this three-step process, Visibility, using Microsoft Cloud App Security (CAS), which is part of the Enterprise Mobility + Security (EMS) suite of products. For a quick overview of CAS, watch this 2-minute video. The goal of this post is to inspire you to learn more about how you can build a strategy for shadow IT in your environment; it is not a complete “how to” guide.

Visibility – Discovering cloud applications users are accessing

To discover the cloud applications your users are accessing, Microsoft Cloud App Security (CAS) can be used. This provides an agentless and unobtrusive way to quickly gain the visibility required. This is performed by uploading (manually or automatically) logs from your internet proxies or firewalls to CAS for an analysis. CAS will analyze the traffic using a catalog of some 15,000 cloud applications and provide a risk score to help you assess the risk of that app within your organization.

For more information on the firewalls and proxies that are supported, see Set Up Cloud Discovery.

A step-by-step guide to cloud application visibility

As an example, let’s look at how to do this:

Log in to the Cloud App Security portal at https://portal.cloudappsecurity.com/. Click the Discover menu, then select Create snapshot report.

In the Create new Cloud Discovery snapshot report, fill out the required fields and select a data source. For my example I will choose a Blue Coat proxy access log.

Now, if this were a real report, under Choose traffic logs I would browse for that log file to upload. However, for my example I will:

  • Click view and verify…
  • Select download sample
  • Upload that sample log by clicking Create

Note: Notice the Anonymize private information check box. This is interesting and can mask the actual usernames of your users to keep them private or can be used in a security investigation. Click here to learn more.

Once uploaded, the data will start to be parsed and processed. It’s important to note this process may take up to 24 hours. When the processing is completed, the status of the report will change to Ready. Click on Ready to then view the report.

Another dashboard demo

For demonstration purposes, while that report is processing, let’s look at another report that is ready to view by clicking on Ready:

The dashboard tab provides an excellent overview of the types of applications in use, specifically which applications users are using – and even the top users who are using them. In the Discovered apps pane of the dashboard, let’s take a closer look at the cloud applications users are using. I’m going to change the sort from Traffic to Users so we can view how many users are using each app.

Clicking on the Info tab will give me details about the cloud application, such as information about the company and various security and compliance details that will help me to understand the risk this application may have in my environment. Note the 9 in the upper right corner: this is a risk score that CAS assigns. Cloud applications are evaluated against a catalog of over 15,000 applications and are ranked and scored based on more than 60 risk factors such as:

  • Holding status of the company (private/public)
  • Encryption methods
  • Industry and regulatory compliance certification status (e.g., SOX, SSAE, etc.)

These risk scores can be customized and overridden, and you can even suggest an improvement on a risk if you disagree. Each item is ranked on a scale of 1-10 and carries a certain percentage weight for the overall risk score (also on a scale of 1-10).
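
To make the discovery and scoring mechanics concrete, here is an added example (not Microsoft's code, and not how CAS works internally) that parses a constructed ELFF-style proxy log, matches hosts against a small hypothetical app catalog, and computes a percentage-weighted 1-10 score per app, sorted by user count as in the dashboard view above. The catalog entries, factor scores, weights and hostnames are all assumptions made up for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample in W3C ELFF style (a "#Fields:" header names the columns).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-host cs-bytes sc-bytes
2024-05-01 09:00:01 10.0.0.5 alice files.example-share.test 1200 90000
2024-05-01 09:00:07 10.0.0.6 bob files.example-share.test 800 15000
2024-05-01 09:01:12 10.0.0.5 alice notes.example-pad.test 300 4000
2024-05-01 09:02:30 10.0.0.7 carol files.example-share.test 500 2000
2024-05-01 09:03:00 10.0.0.7 carol intranet.corp.test 100 100
"""

# Hypothetical catalog: host suffix -> (app name, per-factor scores on a 1-10 scale).
CATALOG = {
    "example-share.test": ("ExampleShare", {"holding": 8, "encryption": 4, "compliance": 3}),
    "example-pad.test": ("ExamplePad", {"holding": 6, "encryption": 9, "compliance": 9}),
}
# Assumed percentage weight of each factor in the overall score.
WEIGHTS = {"holding": 20, "encryption": 40, "compliance": 40}

def risk_score(factors, weights=WEIGHTS):
    """Weighted average of 1-10 factor scores, giving an overall 1-10 score."""
    return round(sum(factors[k] * w for k, w in weights.items()) / sum(weights.values()), 1)

def lookup(host):
    """Match a host against the catalog by exact name or dot-bounded suffix."""
    for suffix, entry in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def discover(log_text):
    """Return (app, users, bytes, score) tuples, sorted by user count."""
    fields, apps = [], defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, shlex.split(line)))
        entry = lookup(row["cs-host"].lower())
        if entry is None:
            continue  # not a catalogued cloud app (e.g. an internal host)
        name, factors = entry
        apps[name]["users"].add(row["cs-username"])
        apps[name]["bytes"] += int(row["cs-bytes"]) + int(row["sc-bytes"])
        apps[name]["risk"] = risk_score(factors)
    report = [(n, len(a["users"]), a["bytes"], a["risk"]) for n, a in apps.items()]
    return sorted(report, key=lambda r: r[1], reverse=True)
```

Matching on a dot-bounded suffix rather than a substring keeps a look-alike host such as notexample-share.test from being counted as the catalogued app.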


As you can see, Microsoft Cloud App Security can provide you with insights into both sanctioned (approved) and non-sanctioned (unapproved) cloud applications that your users are using to help you develop a strategy for mitigating shadow IT and ultimately enabling the users to do their best work using the apps they want. In this blog post we covered at a high level the initial discovery, and in future blog posts I will discuss how to implement controls around those applications to search them for data and provide protection policies for the data in those apps. Enjoy!

Modern Workplace Technical Community