Securing shadow IT – May the force be with you!
Article by Delinea chief security scientist Joseph Carson.
In the physical universe, dark matter vastly outweighs visible matter, and its presence can only be detected by its gravitational effect.
The information technology universe is similar. So-called "shadow IT" is often invisible to security and IT staff, making organisations' cyber attack surfaces bigger than they realise, and less secure.
With the rise in remote and hybrid work, the universe of devices, apps and accounts that organisations must monitor is expanding, which means that shadow IT is also increasing dangerously.
Staff have also been driven to solve unexpected challenges at short notice. In particular, IT departments have been accumulating "technical debt", also akin to dark matter. This has further increased the cyber attack surface and exposure to significant costs.
Unlike the laws of physics, however, these trends are not immutable. In fact, they can be reversed and brought under control with the consistent implementation of transparency, automation and integration.
Shining a laser beam on shadow IT
Shadow IT is any unmanaged IT system used by employees beyond the visibility of IT and security teams. These include cloud accounts, messaging apps and hardware such as laptops or smartphones used without the knowledge of those responsible for IT.
To curb shadow IT effectively, you must be aware of the environment in which it arises and why employees choose to use unmanaged apps and services. Here are some typical examples of shadow IT that organisations should aim to bring out of the darkness.
1. Remote and Hybrid Work
To be fully productive in remote and hybrid work environments, employees need a variety of collaboration tools, typically hosted in the cloud, that are not found in their protected office environments.
With most staff working from home at the start of the pandemic, in some cases completely unprepared, many employees resorted to new and unapproved tools. As a result of these uncontrolled and sometimes insecure services, organisations were exposed to a massively increased attack surface.
Remote workers often have administrative access to local workstations and applications. If a cyber attacker manages to gain access to a device with local administrator rights, they can use this to steal passwords, install malware or exfiltrate data. They may even be able to elevate privileges to gain access to the entire corporate IT environment.
2. Unmanaged Browsers
Most work is now performed using Internet browsers, and many users have two or more of them running on their machines. If these browsers are not managed by organisations, which is often the reality, a large security gap arises.
Browsers often prompt users to store sensitive login credentials, passwords or credit card information, and hackers know how to exploit this vulnerability. They see unmanaged browsers as an ideal opportunity to steal critical information and access enterprise systems and databases or make fraudulent payments.
3. Productivity Apps
Third-party productivity apps that enable users to complete tasks effectively and quickly are becoming increasingly popular. Whether downloaded to a device or browser-based, the organisation faces new risks if they are downloaded and installed without verification by the IT department.
Users are often unaware that even popular apps usually lack the necessary security controls or are not updated as frequently as the company's security policy requires. Not infrequently, sensitive data is stored in all sorts of repositories, and critical business information is potentially exposed. At the same time, the software may have conflicting security models that don't align with corporate policies for access control or data usage.
4. Devs and DevOps
With the increasing pressure to work quickly and efficiently, developers and DevOps teams are increasingly forced to sacrifice security for speed.
This favours shadow IT. For example, developers quickly set up instances in the cloud and just as quickly take them down again. The problem is that data goes live in the cloud environment without IT or security teams knowing about it.
How to be master of the IT universe
Unless IT can provide all employees with access to the secure tools and seamless workflows they need, there is a risk that they will take matters into their own hands and deploy their own solutions.
If shadow IT is to be contained in the long term, IT and security teams must be able to balance requirements for security and data protection with needs for productivity. This works best with introducing and consistently enforcing guidelines and control solutions. Most importantly, solutions should operate automatically and in the background, not only to ensure security but also to avoid friction losses in work processes.
For an initial "clean up", it is advisable to use a tool that reliably detects all malicious, unsafe and unknown applications and programs in the organisation's network and makes it possible to delete or check them. A tool that identifies any passwords stored in the browsers of all Active Directory users is also mandatory.
In addition, policy-based application control should be deployed, making it possible to automatically check applications that users want to download against lists of trusted applications or the latest threat data on suspicious applications. It should be ensured that each unknown, untrustworthy application is first automatically pushed into a sandbox for further examination before it is used.
The long digital shadow of technical debt
What's often overlooked in the shadow IT discussion is that it affects not only business users and developers working outside of IT security but also IT teams. This is especially true when the different teams do not work together in a coordinated manner.
This lack of coordination often leads to technical debt. This is the extra effort that comes when teams focus on short-term, simpler solutions rather than investing time, effort and capital in a long-term approach.
It is not uncommon for IT departments to make last-minute decisions about solutions, rely on single-purpose tools or purchase multiple, siloed products to quickly resolve problems as they arise and keep the business running.
However, they often save at the wrong end. Technical debt can become a very costly proposition, which is especially critical for companies with tight budgets and limited resources. The short-term, seemingly small expenses often result in high costs for renewal, maintenance, training and upgrades.
In addition, the tools are usually inconsistent and can only be integrated to a limited extent. User-dependent systems also become a problem since other colleagues or superiors are often unaware of their existence. After the responsible employee leaves, the systems are often forgotten and increase the "digital shadow".
Effectively reducing technical debt requires IT departments to think strategically and make decisions that align with an organisation's long-term focus. It is important to future-proof cybersecurity, moving away from point solutions and instead embracing feature-rich technologies that can grow with the business and add value over time.
Visibility, automation and integration play essential roles in curbing shadow IT and technical debt. Organisations that take a consistent, long-term approach to these challenges will not only minimise their attack surface but also improve user experience and productivity. May the force be with you!