This practice has been nicknamed "shadow IT" by the popular press. It doesn't really matter why users have done this, but it's important to realize it's occurred and to develop a strategy to understand the magnitude of the problem. Only after these unapproved applications have been identified can appropriate actions be taken to mitigate the increased risk to the organization.
Microsoft provides several tools to help IT departments identify unapproved applications. For organizations that use Office 365, Advanced Security Management can help you:
- Create anomaly detection policies to detect suspicious activity.
- Create activity policies to monitor administrative actions, such as a logon from an unexpected location, mass file downloads or multiple logon attempts.
- Discover productivity apps in use by uploading log files from firewalls and proxies.
If more functionality is needed, Advanced Security Management can be upgraded to Cloud App Security, which provides a detailed report showing the apps in use, from which IPs and users, along with a risk score for more than 13,000 applications. Cloud App Security provides:
- Discovery
  - Identify all cloud applications in a network — from all devices
  - Risk scoring with ongoing risk assessment and analytics
  - Doesn't require agent deployment — logs are imported from firewalls and proxies
- Data control
  - Sanction apps with granular control and policies for data sharing — Salesforce.com, Box, Dropbox, Google Apps, Amazon Web Services (AWS), ServiceNow and Office 365 are included
  - Implement data loss prevention policies
  - Out-of-the-box and custom policies
- Threat protection
  - User behavioral analytics — based on machine learning and worldwide data collection from Microsoft's data centers
  - Simultaneous logins, sudden downloads of data, brute-force attacks