Employees using applications and devices without the approval of IT personnel has become a big security problem.
Shadow IT is the use of systems, devices, software, applications, and services without explicit IT approval. Indeed, according to this publication from the United States National Institute of Standards and Technology, workers typically begin using “Shadow IT systems when enterprise-provided systems and processes are seen as cumbersome or impeding work or when the enterprise fails to provide necessary systems.”
A good example of shadow IT is when employees at a company connect unvetted or unapproved consumer products onto a company network because of a device’s potential to, let’s say, help them do their jobs faster. Historically, adding infrastructure resources required review and approval of a centralized IT team – who ultimately had final say on whether or not something could be provisioned.
Cloud infrastructure has since democratized ownership of resources to teams across the organization, with most organizations no longer requiring their development teams to request resources in the same manner. Instead, developers are empowered to provision the resources that they need to get their jobs done and ship code efficiently.
This dynamic is critical to achieving the promise of speed and efficiency that cloud infrastructure and DevSecOps offer. The tradeoff here, however, is control. This paradigm shift means development teams could regularly be spinning up resources without the security team’s knowledge.
Between new categories of devices or systems and new/existing/old policies, identity practices can quickly become difficult to navigate. Let's take a look at some clear-cut shadow IT examples to make it all more digestible.
These devices in and of themselves aren’t inherently disallowed in each and every organization. What matters is how they’re used, and whether they’re used without proper identity and access management (IAM) software. Most organizations allow personal devices, but often will have rules about the kinds of security or identity applications that must be implemented for their continued use.
Examples of these kinds of devices include a list of the usual suspects: smartphones, laptops, and tablets. Internet of things (IoT) devices comprise a significant portion of this category as well: smart watches, bluetooth earphones/earbuds, fitness trackers, and streaming TV devices.
Think of all the software applications a business uses to get things done: project management, instant messaging, video conferencing, content marketing automation, social media, personal email, and more. Depending on the needs of a team, there may be more than one tool in use in a given category – and only one is approved.
A note here that a network is only as strong as its policies. The size of the business and of its IT and cybersecurity organizations are also considerations. If a company is in the small to medium-sized range, there simply may not be a large enough team to create and enforce IT policies with any regularity, so the enterprise’s network becomes increasingly porous as unsanctioned devices are added.
There are many reasons that would prompt an employee to leverage applications and software outside of those approved for use by an IT organization. Some of these use cases are more forgivable than others, but that doesn't mean all of the situations shouldn't ultimately be a lesson in how they can leave a network more vulnerable to attack. Let's consider a few scenarios:
Benefits to something as risky as shadow IT, you may ask? Believe it or not, there is a bit of upside to allowing unauthorized devices to access an enterprise network.
Indeed, there are risks to having open or loose shadow IT policies, so it’s best to find that middle ground. This might mean something like IT scanning for unauthorized apps and not taking action against any well-known apps or devices with inherently strong security that may not be authorized to be on the network at a given time.
As we've discussed at length so far, there are many security risks associated with, willfully or otherwise, allowing shadow IT to operate to any extent in an enterprise setting.
Everyone may have full workloads, but the day-to-day work will mean nothing if policies aren't enacted to stop attackers from being able to take advantage of vulnerabilities and damage the company's reputation. They might include:
Since security teams are unaware of shadow IT assets, vulnerabilities inevitably go unaddressed. Development teams may not understand – or may simply choose to ignore – the importance of cloud security updates or patching for these types of assets.
If cloud resources are accessed by unauthorized users, vulnerabilities could go unmitigated in network assets and can put businesses at risk of data breaches or leaks. Additionally, this data most likely is not protected with centralized backups, making it difficult – if not impossible – to recover.
Most cloud compliance regulations impose requirements on how customer data is processed, stored, and secured. Since businesses have no oversight of data stored on shadow IT assets, this could quickly become an issue.
What, then, is a security organization to do about the potential for shadow IT to run rampant on the network? A good starting place is to implement a cloud risk and compliance management platform to continuously assess the entire cloud environment to detect any changes – like new assets coming online.
As soon as a new device logs on or a new resource is spun up in the DevOps process, this type of platform should be able to detect it in real time and automatically identify whether or not it is in compliance with enterprise policies.
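As an added illustration of the detection step described above (example code written for this page, not any vendor's product), the script below compares two cloud inventory snapshots, reports only the resources that appeared since the last scan, marks those unknown to IT as shadow assets, and checks each against a simple tagging policy. The asset IDs, tag names, and policy rules are all constructed for the example.

```python
"""Reconcile a cloud inventory snapshot against the assets IT has approved."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str          # e.g. "vm", "bucket", "function"
    tags: tuple = ()   # ((key, value), ...) so the record stays hashable


# Constructed: the assets IT has formally approved (a CMDB export, say).
APPROVED_IDS = {"i-0001", "bucket-app-logs"}

# Constructed policy: every asset must declare an owner and a data
# classification, and storage must be explicitly marked as encrypted.
REQUIRED_TAGS = ("owner", "classification")


def policy_violations(asset: Asset) -> list:
    """Return human-readable policy failures for one asset (empty = compliant)."""
    tags = dict(asset.tags)
    problems = [f"missing tag '{t}'" for t in REQUIRED_TAGS if t not in tags]
    if asset.kind == "bucket" and tags.get("encrypted") != "true":
        problems.append("storage not marked encrypted")
    return problems


def assess(previous: list, current: list, approved: set) -> list:
    """Compare two snapshots; report only assets new since the last scan."""
    seen_before = {a.asset_id for a in previous}
    findings = []
    for asset in current:
        if asset.asset_id in seen_before:
            continue
        findings.append({
            "asset_id": asset.asset_id,
            "shadow": asset.asset_id not in approved,   # unknown to IT
            "violations": policy_violations(asset),
        })
    return findings


# Constructed snapshots: a developer spun up a VM and a bucket since last scan.
PREVIOUS = [Asset("i-0001", "vm", (("owner", "platform"), ("classification", "internal")))]
CURRENT = PREVIOUS + [
    Asset("i-0042", "vm", (("owner", "dev-team"),)),
    Asset("bucket-scratch", "bucket", ()),
]

if __name__ == "__main__":
    for finding in assess(PREVIOUS, CURRENT, APPROVED_IDS):
        print(finding)
```

In a real deployment the snapshots would come from the cloud provider's inventory API on a schedule, and the "shadow" flag would feed a ticket or alert rather than a print.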