Mitigating the Risks Posed by Shadow IT: Can Organizations Achieve the Impossible?

With the right set of security practices and tools, organizations can manage security issues associated with shadow IT. Let’s see how organizations can configure their IT environments to detect and integrate shadow resources quickly to aid business managers needing quick solutions to meet business objectives.

Security teams have enough challenges without worrying about the use of unmanaged information resources: shadow IT. Employees and managers that use cloud resources, devices, and applications not approved by IT can open gaps in an organization’s attack surface. Consequently, security must identify and manage shadow IT. It is just as vital for IT to understand why shadow IT exists and how to reduce the reasons business managers use it.

Shadow IT Defined

Shadow IT comes in many forms. Kasey Hewitt, writing for SecurityScorecardOpens a new window , defines it as “any information technology systems, devices, applications, and services outside traditional IT department procurement processes and approval.” Examples include

• Productivity applications
• Collaboration or messaging applications
• BYOD
• Cloud file storage/sharing
• Calendar applications
• IaaS and PaaS services
• APIs

Note that IT employees also use shadow IT when they believe they can more easily meet business objectives.

Shadow IT Challenges

Security efforts focus on protecting data and critical business operations. The use of unapproved and unmanaged resources leads to data stored in potentially low trust environments. Figure 1 shows that a large amount of data is stored in cloud environments not managed by IT or monitored by security. It also shows that in this Ponemon survey, 67% of cloud services were deployed outside of IT.

Figure 1: Shadow Data Storage (from PonemonOpens a new window )

Deploying resources outside of IT bypasses change management procedures designed to properly document applications, devices, and services. It also results in bypassing the definition of appropriate security requirements and associated security testing and assessments. In addition, shadow resources are not included in threat, vulnerability, and patch management activities. If an organization has not implemented zero-trust, shadow IT can circumvent strong network and data access controls. Shadow resources can elevate risk without management or security intervention.

Finally, compliance is at risk. For example, SOX, the HIPAA, and the GDPR require specific requirements that employees and managers seeking a quick solution might not care about or consider less important than meeting mandated business goals.

See More: What Is Role-Based Access Control? Definition, Key Components, and Best Practices

Managing Shadow IT

Managing shadow resources takes more than throwing policies and controls at the problem. It also requires a collaborative and flexible approach to meeting business requirements.

Collaboration and flexibility

IT only has so much project bandwidth. Consequently, business analysts and other IT personnel must work with management to identify the most critical business needs. Further, internal development or purchasing of third-party solutions must happen with close collaboration with business users and managers.  

Any implemented solution must enable more efficient business objectives while not frustrating the employees who have to use the solutions. Solutions that are difficult to use or fall short of what is needed can cause managers and their teams to look elsewhere for something better.

Another challenge is getting to “yes.” Security teams can be a barrier to creating an environment where management can implement small or large solutions. Security analysts who quickly say “no” to new or modified functionality tend to push employees to identify and implement solutions outside standard SDLC procedures. Security must learn to collaborate with IT and business personnel to get to YES safely. This includes clearly identifying what the business is trying to achieve and helping them meet those objectives with the right tools and an acceptable level of risk.

Another approach that some organizations have adopted is treating what might become shadow IT as pilot programs. This allows temporary implementation of cloud or on-premises solutions without the complete application of the SDLC. It enables a quick risk assessment and continuous monitoring while the business users get what they need under limited conditions. The “pilot” solutions are placed into IT’s project portfolio for later complete SDLC activities.

See More: How To Keep Corporate Data Safe in the Face of Growing Shadow IT

Prevention, detection, and response

Collaboration and flexibility do not mean that users should be able to install or contract for any solution without working with IT and security. Prevention begins with blocking the installation of anything on user devices, not on an organization’s safe list. This enables controlling what is installed on-premises, including inadvertent installation of malware. However, this approach requires procedures that allow users and managers to submit requests for productivity tools with a quick response from IT. As I wrote earlier, procedures should include tools and techniques that quickly enroll new tools into pilot programs with scheduled follow-up.

Preventing shadow cloud resources used to focus on SaaS. However, IT staff and more technical business employees are also deploying IaaS and PaaS. Prevention of unapproved cloud services without enrollment in a pilot program is easily done if the employees try to use a set of resources to which the organization already subscribes. This requires strong access controls for cloud service administration.

Organizations cannot prevent all shadow IT, so they must monitor for anomalous on-premises and cloud resource use. Cloud Access Security Broker (CASB) solutions can help with this.  Gartner Research definesOpens a new window the following as the “pillars of CASB.”

• Visibility. Detection of all cloud services used; identification of all users and third-party applications able to log in
• Data security. Identification and control of sensitive information via integration with data loss prevention (DLP) procedures
• Threat protection. Authentication via adaptive factors together with user and entity behavior analysis (UEBA)
• Compliance. Reporting and dashboard access to assist with management and compliance

Organizations have two general ways to react to discovered shadow IT. The first is if they can come down hard on violators and immediately shut down the discovered shadow solutions. Secondly, they can work with violators to determine what they are trying to achieve and work to get to “yes.”

Of course, there are infinite responses within the gray area between these two approaches, so policy and management open-mindedness must be applied to make the right decisions based on the situation.

In addition, IT and security procedures and controls should be capable of quick reconfiguration to isolate pilot shadow resources and monitor them quickly. This will likely require a different approach to considering shadow IT when designing infrastructure and security controls.

Even with the proper detection tools, organizations might not quickly find some shadow resources. Consequently, zero-trust networking is needed to control user/resource interaction closely. This can include requiring organization-issued certificates to access highly classified or critical business systems. Certificate issuance should already be authorized by someone other than the requester and closely managed. If properly controlled, certificate authentication can prevent shadow resources from engaging in high-risk activities.

Final thoughts

Organizations should assume that they have shadow IT assets and should implement new processes and practices to detect and manage such assets.  Environments configured to detect and integrate shadow resources quickly can aid business managers who need quick solutions to meet required objectives. This requires working with business management to create associated procedures.

Suppose management and users understand that IT and security understand their needs and work to meet them safely. In that case, they are more likely to work through established procedures: procedures that move shadow IT into the light. 

Do you think organizations are doing enough to coach their employees on the best practices to follow before sneaking a shadow IT approach? Let us know on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!