October 6, 2020
Shadow IT: Get the Low Down Before You Download
Defining the Problem:
The shift to hybrid and remote work environments has dramatically increased the use of cloud services for collaboration (e.g. Microsoft Teams, Zoom, Slack) and business services (e.g. Salesforce). Tech-savvy users may have also increased their use of shadow IT tools to support efficiency and collaboration.
Shadow IT includes applications that are used without having passed IT processes to ensure security, functionality, and proper integration within the environment. These applications are generally installed by end-users and may range from personal email accounts used for business, file sharing tools (Dropbox and Google Drive), communication applications (Zoom, Skype), and other services not provided by official IT resources.
What Is the Risk of Shadow IT?
Shadow IT can improve employee productivity and drive innovation by allowing the users directly trying to solve a business problem to identify a technology solution. It can also introduce serious security risks through data leaks, potential compliance violations, and more. In many cases, the biggest risk isn’t the hacker breach, but rather, user error due to employees not realizing they are disclosing or misusing data.
Unsupported SaaS applications may seem harmless, but behind the scenes, the applications might encourage sharing sensitive data between groups or recording calls for transcription services. Shadow IT affects the company’s visibility and control over how employees process and store data.
Examples include:
- Access to data stored on a shadow IT application may not be removed or updated as an employee changes jobs.
- Tools and applications may not be appropriately maintained or patched with security updates.
- In the event of a breach, the IT team will not know the full potential scope of the threat, what data has been compromised, and when the compromise occurred.
- Storing data in unknown and unvetted locations may lead to compliance violations and ultimately, fines.
What Is the Solution?
The foundation for the solution is:
- Policy
- Supporting processes
- Guidelines for devices, cloud services, and third-party applications
- A process for meeting users’ IT needs without relying on shadow IT.
A simple, open dialogue process will work best for the management of shadow IT.
User education is also a must-do, ensuring they are aware of the shadow IT risks and vulnerabilities.
To gain visibility of shadow IT, a combination of automated and manual processes will be needed. IT should monitor the network to see what is running and who is running it, search for product registration, updates, and discussion of unauthorized software. Monitoring will identify unusual patterns and log-in attempts. IT can also implement application allowlisting software and proxy software to make sure only authorized cloud and local applications are able to be installed and used on company devices.
As important as it is for organizations to control and monitor what is happening on their company devices, it is just as important to understand what has caused shadow IT to appear in the first place. Many times people turn to using unauthorized or unapproved services because they don’t have the tools they need to be efficient or effective in their job role. Providing a conduit for employees to engage openly with IT through dialog and feedback can help IT departments meet the needs of their people before they turn to their own solutions. Many times, shadow IT is the result of employees trying to do their best work and IT not knowing there are issues with the workflow/software they currently have deployed.
A few final guidelines:
- Access to insecure devices, applications, and services should be blacklisted.
- A zero-trust policy is critical to ensure each user and device authenticates, rather than having a standard password used for each device.
- Controls, including remote wipe, should be implemented for mobile devices.
- Cloud access security brokers (CASBs) should be considered to enforce security policies across multiple cloud-based assets.
- CASBs can help your team gain visibility and control over data and user activities. Examples include authentication, single sign-on, encryption, logging, malware detection, etc.
Final Takeaway:
The use of cloud computing has greatly increased access to shadow IT. We used to have to purchase and install software from a disk. Now anyone can easily access and deploy SaaS applications instantly, without thinking about the bigger security picture. Because we use cloud computing every day and take it for granted, it is especially important to understand how this crucial data is processed, stored, and accessed.