
Protect classified emails, thwart shadow IT

Use Exchange and Office 365 to restrict and secure data that leaves an organization, and share documents more easily thanks to new features.

Shadow IT is the result of consumer services outpacing the IT department's ability to provide tools to end users.

When the IT department doesn't provide tools to help employees solve problems, they often search for their own answers. Before the advent of easy-to-use cloud services, many people used their own devices to access corporate systems.

Shadow IT isn't BYOD -- it is bring your own services. These might be personal cloud services, like Dropbox to share files with people externally, Wunderlist to organize tasks within a team, or services like Yammer that don't have corporate approval. In the news, you may have even seen politicians running their own email servers for work email -- another example of shadow technology services.

There are two ways to counter the use of shadow IT: provide better services with the right controls, or try to stamp out shadow IT and promote the existing systems. Attempting to eliminate shadow IT is ineffective; however, allowing it to proliferate unchecked is not an option in most circumstances.

Shadow IT problems Exchange admins face

Exchange administrators maintain one of the key entry and exit points for data in an organization. As a mission-critical service, email faces a multitude of risks, and it's not uncommon for users to want to do more than is safely allowed within the corporate email policy, including:

  • Sharing oversized or blocked attachments via consumer file sharing services;
  • Using automation tools like Zapier to process email messages and perform actions in other cloud services;
  • Auto-forwarding email messages to third-party apps like Wunderlist to create tasks;
  • Using services like Yammer Basic as a distribution list instead of Exchange's own features and functionalities; and
  • Subscribing to fax-to-email services to receive ad hoc faxes.

Even within the confines of email, users run into limits that they must exceed to accomplish a task, such as sending a large attachment to a business partner, or that they work around with other tools to increase productivity.

Use Azure services to survey cloud apps

The first step on the road to recovery is recognizing you have a problem.

Azure Active Directory Premium is Microsoft's all-encompassing cloud service for identity management. It includes an agent-based service called Cloud App Discovery as part of the license. The agent is deployed to workstations and mobile devices and provides reporting on which cloud applications are in use, who uses them and how often they use the apps. Reports generated by Cloud App Discovery show you what's in use and where in the corporate IT deployment.

You can secure most cloud applications with an Azure AD username and password -- typically the same AD username and password users already have on premises.

Improved document sharing

OneDrive for Business document sharing in Office 365 is available in the Office 2016 preview and Office 365 OWA (and is coming to Exchange 2016). When you attach a file to a message, it can be shared as a OneDrive for Business link rather than as a traditional attachment. This eliminates any excuse for using consumer file sharing services outside the organization.

Protect data in Office 365 and Exchange

Taking over shadow IT services with sanctioned equivalents may not be enough. It's likely that some cloud applications are consumer-only, or don't meet IT policies for storage and retention of data. In this case, there are tools built into Exchange and Office 365.

On-premises Exchange 2013 provides data loss prevention (DLP) policies that prevent important data from being emailed outside the organization and prevent users from auto-forwarding any sensitive data, in accordance with a corporate email policy.

Similar to DLP policies, transport rules can prevent forwarding to third-party or unapproved cloud services. A transport rule can be configured to match email sent to the cloud provider's processing address (for example [email protected]) and then reject it, returning an explanation message to the sender.

To prevent third-party applications from accessing Exchange via Exchange Web Services, use the EWS Block and Allow lists.

The Information Rights Management (IRM) functionality in Exchange or Exchange Online for Office 365 protects messages that a corporation needs to be secure. IRM functionality can be applied to Office documents and Exchange email messages. IRM protects the content of the message from being read by shadow tech applications and prevents users from forwarding secure messages.
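The three controls from the preceding paragraphs (a transport rule against the processing address, the EWS block list, and IRM protection) as an added Exchange Management Shell example that is not part of the original article. The processing address, the EWS user-agent pattern and the subject tag are placeholder assumptions.

```powershell
# Added example (not from the article): Exchange Management Shell commands that
# implement the transport rule, EWS block list and IRM controls described above.
# Run from an Exchange Management Shell, or a remote PowerShell session to
# Exchange Online, as a holder of the Organization Management role.
# ASSUMPTION: the address, user-agent pattern and subject tag below are placeholders.

# 1. Transport rule: reject mail addressed to the unapproved service's processing
#    address and explain the rejection to the sender (NDR with status 5.7.1).
$ProcessingAddress = "inbox@cloud-service.example"   # placeholder address
New-TransportRule -Name "Block unapproved cloud automation service" `
    -SentTo $ProcessingAddress `
    -RejectMessageReasonText "Sending corporate mail to this service is not approved. Use the IT-provided alternative." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -Mode Enforce

#    Broader variant: block every automatic forward that leaves the organization,
#    whatever the destination.
New-TransportRule -Name "Block external auto-forwarding" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Automatic forwarding to external addresses is blocked by policy." `
    -Mode Enforce

# 2. EWS block list: refuse EWS connections whose User-Agent matches a pattern,
#    organization-wide, while Outlook and other clients keep working. Read the
#    real user-agent string from the EWS IIS logs first; "UnapprovedApp/*" is a
#    placeholder.
Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList `
    -EwsBlockList @("UnapprovedApp/*")

# 3. IRM: apply the "Do Not Forward" rights template to messages the sender tags
#    as classified in the subject. IRM (AD RMS or Azure RMS) must already be
#    configured and internal licensing enabled; check before creating the rule.
Get-IRMConfiguration | Format-List InternalLicensingEnabled, ExternalLicensingEnabled
New-TransportRule -Name "Rights-protect classified mail" `
    -SubjectContainsWords "[Classified]" `
    -ApplyRightsProtectionTemplate "Do Not Forward" `
    -Mode Enforce

# Verify what is now in force.
Get-TransportRule | Format-Table Name, State, Mode, Priority -AutoSize
Get-OrganizationConfig | Format-List EwsApplicationAccessPolicy, EwsBlockList, EwsAllowList
```

Create the rules with `-Mode Audit` first if you want to see what they would catch before enforcing them.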
