Shadow-IT Assessment

Every day, new cloud services are developed that are freely available to companies and users, for example as Software as a Service (SaaS). Well-known SaaS applications that are also used in the business environment include Microsoft 365, Teams, Google Drive, Salesforce, ServiceNow and Zoom. The benefits of cloud services are evident: They can be used at any time, at any place and from almost any device, and therefore offer a very flexible way of working.

Many of these appealing cloud services are often not provided by corporate IT and therefore exist "in the shadows". Since they are not integrated into the security architecture, the usual security mechanisms of a company do not take effect – shadow IT is an enormous and often underestimated risk. Parallel to the rise of the cloud, the number of end devices with which employees access cloud services has been increasing as well. This also creates security gaps.

Our Shadow IT Assessment provides your company with transparency about the cloud services it uses. Based on the assessment, we will show you solutions to increase your IT security. Our claim is: Anytime, anywhere, any connection – always secure!

An important step towards cloud security is to mitigate the risks associated with shadow IT. In the first step, the TÜV Rheinland Shadow IT Assessment provides visibility and transparency. Because only if you know the applications that are used can you secure them effectively. The Shadow IT Assessment is a cloud-based, semi-automated approach that identifies your company's unauthorized cloud services. It reveals those applications and highlights any risks.

This is what the Shadow IT Assessment does:

• It provides transparency about all SaaS services used.
• It qualifies and quantifies the risks your company may face from the use of these services.
• It provides details about each individual cloud service (who, when, how often, what amount of data).
• It audits cloud and web usage, taking into account compliance requirements.

Our IT experts conduct the assessment together with you. We take your specific situation into account and tailor the assessment to the needs of your company.

Step 1: Informational meeting

In an informational meeting, we clarify the framework conditions with you. For example:

• What are the cloud services (e.g., Salesforce, Office 365) or cloud storage solutions approved by IT?
• Which of your company's data require special protection?
• What confidentiality policies (anonymization) are mandatory during the assessment and how should they be implemented?
• Which data governance or security policies require a special analysis?

Step 2: Access to your systems

During the assessment, we review the log information of the access systems (e.g., NG Firewall or Web Proxy) and will need the log data of the Internet breakout (NG Firewall, WebGateway, Proxy). We can process all log formats by the common firewall and proxy providers.

Step 3: Analysis and result report

For the analysis, our experts evaluate the log data using a secure cloud-based system, which processes the anonymized data automatically. The analysis takes two to four weeks and provides a complete overview of the cloud services used.

The results report will provide transparency on:

• Number and criticality of the services used
• Risk assessment of the used cloud services from the company's point of view
• Ratio between upload and download
• Which users (anonymized, if necessary) have the largest upload or download?
• Top 10 critical cloud services in terms of upload and download
• Top 10 critical cloud services in terms of number of users
• User-defined evaluations, if desired

Step 4: Consulting on consequences

We will present the results to you and advise and assist you in the next steps to effectively contain your shadow IT and to maximize your cloud security.

The Shadow IT Assessment is one of the first measures embedded in the Cloud Security Cycle. It can be conducted as a one-time assessment or be repeated regularly as a cycle. In any case, the assessment is a crucial milestone on the way to cloud security. This is because the transparency gained is an essential prerequisite for all steps that follow: to control and regulate cloud use, to adhere to data protection and compliance requirements, to enforce security guidelines and to ensure the security of corporate data. This is achieved with another important step in the Cloud Security Cycle: The Cloud Access Security Broker (CASB) – our complex software solution and your gateway to the secure cloud.

By using cloud applications securely, you fully benefit from the advantages of cloud services: You reduce your costs, gain flexibility and increase your productivity. At TÜV Rheinland, we actively support you – as a partner with recognized expertise and as an independent advisor. Anytime, anywhere, any connection – always secure!