Professional Documents
Culture Documents
Shadow IT Discovery
Best Practices Guide
Ensuring safe cloud app adoption
with Symantec CloudSOC
Section Page
01 Introduction
01 3
09 Next steps
09 11
10 Best Practices
10 13
11 Conclusion
11 14
12 Glossary
12 14
Shadow IT Discovery Best Practices Guide | 3
Introduction 01
Regular consultation with business units and users throughout this lifecycle will enable organizations to gain greater
insight into the business requirements they have for cloud apps, educate users on cloud use best practices, and
include users as part of the solution. By alerting them to policy violations and redirecting them to use sanctioned apps,
organizations can provide transparency into the cloud security decision making process. And by letting them report
false positives organizations can gain valuable insight that will enable the process to be enhanced over time.
Shadow IT Discovery Best Practices Guide | 4
Ensure Compliance
Identify Inefficiencies Sanction secure apps
Organizations may want to examine current
Identify Risky Users
cloud app usage along with cloud app risk
Identify Inefficiencies analysis to select sanctioned apps to be
Identify Inefficiencies
used by their employees.
Identify RiskyIdentify
Users Risky Users
Monitor business critical apps
Some apps may not match the organization’s
security requirements but are business
encies critical or are used by many employees in
Users the organization. Organizations can sanction
these apps as an exception then monitor
y Inefficiencies them for risk over time.
fy Risky Users
Shadow IT Discovery Best Practices Guide | 5
What are the business functionality and Are there any opportunities for consolidation
performance requirements identified by or elimination of apps or accounts?
my users and business units? ☐☐ Are there multiple apps that provide
similar or identical functionality?
☐☐ What types of apps are my employees adopting?
(i.e., file sharing apps CRMs and business analytics) ☐☐ Are there multiple accounts for the same app?
Yes No
Is it the most secure or widely adopted
app available?*
Yes No
Meets [baseline] security
and compliance requirements?
Yes No
Mitigating
controls available?*
Yes No
Can vendor fix?*
Yes No
Business need
outweigh risks?*
*Appropriate management stakeholders, governance and risk boards, and legal representatives should be consulted before proceeding to
ensure that issues of business continuity and critical app functionality are taken into account before apps are blocked, replaced or approved.
Shadow IT Discovery Best Practices Guide | 7
Symantec applies a Business Readiness Rating (BRR) to 20,000+ cloud apps and services classified and tracked on the CloudSOC platform.
Business readiness is based on over 89 attributes, including whether the app meets standards for important compliance regimes, whether
effective access controls are in place, and whether the app encrypts data. A cloud application is considered to be enterprise-ready if it rates
above 80 (high or excellent).
Vendor should validate that HTTP • Block app and select a secure
HTTP Security Headers
security headers are supported alternative using the BRR rating.
SLA
• Contractually indemnify vendor
Vendor should validate the
Type of Clients for data loss or downtime.
general characteristics of the
Informational • Buy cloud insurance.
SaaS service such as client type
• Block app and select a secure
support and type of service Type of Service
alternative using the BRR rating.
Shadow IT Discovery Best Practices Guide | 10
☐☐ Can risky cloud apps be blocked through integrations with secure web
gateways or firewalls?
• BI
• File Sharing
• Anomalous frequent downloads
• Cloud Storage
• Anomalous frequent emails sent
• CRM
• Anomalous frequent file sharing Monitor high risk employees for
Data Exfiltration • Document Management
• Anomalous frequent indicators of account compromise.
• Finance/Acct
data previews
• HR
• Software Development
Next steps 09
Identify and remediate risky exposures Enforce policies for sensitive data
Analyze existing cloud file sharing apps—such as Box, Google Using Symantec CloudSOC to define and enforce appropriate
Drive, Dropbox, Salesforce or Office 365—to identify any policies that cover all cloud activity, including sanctioned
sensitive or compliance-related content that may be shared and unsanctioned apps, business accounts and personal
inappropriately (in other terms, perform a Shadow Data accounts, browser-based access and native apps, mobile
Risk Assessment). Leverage Symantec CASB Gateway to devices and desktops, user-to-cloud and cloud-to-
remediate these exposures to align with security policies. cloud. Ensure such policies can be enforced in real time
to prevent data loss and compliance violations.
Define a data protection strategy
Develop a strategy to protect sensitive data and adhere to Coach users on appropriate behavior
compliance regulations. Decide which types of content to allow Track users who are acting outside corporate guidelines,
in the cloud and if the sharing of such content will be restricted such as sharing inappropriate content or using outdated
or given additional security protection via encryption or browsers and coach them with interactive messages.
tokenization.
Enforce compliance regulations
Use CloudSOC to perform continuous monitoring of user activity to
ensure adherence to appropriate compliance regulations, such as
HIPAA. Ensure data is handled with appropriate sharing restrictions
and encryption or tokenization is applied as appropriate. Generate
periodic reports to demonstrate compliance and maintain visibility.
Best Practices 10
Begin periodic application usage Inspect and automatically remediate cloud
review within the security team. usage to ensure compliance with HIPAA, PII,
regulations with Symantec CASB Gateway
Steps:
Steps:
1. Schedule monthly review meeting with security tiger team
1. Identify risk types
2. Run monthly audit report one week prior
to the monthly review meeting 2. Select canned ContentIQ profile or
customize to specific requirements
3. Review trends:
3. Determine appropriate customer response for
a. New high volume applications
potential violations (comfort page /notice)
b. Unusual user behavior
4. Apply policy via API connection to cloud services (Securlet)
c. Applications with shrinking risk score
5. Establish notifications to internal SOC team
4. Select top 3 concerns
6. Sample remediations with established review process
5. Tiger Team addresses concerns over following month
6. Repeat process
a. Non-sanctioned apps
ContentIQ™ ThreatScore™
CloudSOC feature that CloudSOC feature that
dynamically classifies performs continuous User
content and identifies Behavioral Analysis to identify
compliance-related and and rate threats to cloud apps.
other sensitive content.
Gatelet™
A cloud app specific signature
enabling deep analysis of
that app by the Symantec
CloudSOC Gateway. Currently
75+ cloud apps are supported.
Copyright © 2017 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo, are trademarks or registered +
1 650-527-8000
trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this
document, either express or implied, are disclaimed to the maximum extent allowed by law, and are subject to change without notice. symantec.com