The challenges and opportunities of shadow IT

Shadow IT is a concept in which users deploy or provision their own technological solutions to get work done. Properly implemented and monitored, it can provide benefits to both IT departments and end-users, particularly in these unprecedented times with so many employees working remotely due to COVID-19. However, it also entails some significant responsibilities on the part of all parties involved to ensure company operations, data, and personnel are sufficiently protected.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

I discussed the topic with several industry experts: Ofri Ziv, VP of Research at security organization Guardicore; Shai Toren, CEO at vulnerability remediation provider JetPatch; Yaniv Avidan, CEO and co-founder at data security provider MinerEye; Shai Morag, CEO and co-founder at cloud security provider Ermetic; Scott Brittain, CTO at software reviewer TrustRadius; Avishai Wool, co-founder and CTO at firewall management vendor AlgoSec; Sebastian Goodwin, vice president of Cybersecurity at cloud vendor Nutanix; and Avihai Ben-Yossef, co-founder and CTO of Cymulate, a security simulation provider.

Scott Matteson: What are the issues involving shadow IT, from a management, security, or risk perspective?

Ofri Ziv: The biggest issue for organizations is that there is no control over the data used by Shadow IT and where it’s stored. Shadow IT spreads data across dozens of cloud services and applications, making it very hard to identify and control sensitive data.
 
Additionally, Shadow IT can often go against an organization’s compliance requirements. The nature of Shadow IT is that it’s not managed by the IT team, so there is little visibility into the compliance ramifications of certain applications and the data being used.
 
With these complications comes the inability to enforce strong security policy on Shadow IT being used. For example, is two-factor authentication f available and being used? This could lead to data being exposed either by external threat actors or by an insider.

SEE: Shadow IT: It’s a bigger threat than you think (TechRepublic)

Shai Toren: The main concern with shadow IT is the lack of cyber hygiene on those machines. Usually, these types of endpoints are supposed to be temporary systems for the purpose of a particular project, a testing activity or any other limited-time assignment. As a result, the focus is on ensuring fast and efficient delivery while longterm security often comes secondary. Those systems are often considered “off grid,”  and therefore tight security protocols are not always enforced.

Shai Morag: The risk of shadow IT has increased substantially with employees working from home on insecure networks. They are also using personal, unmanaged devices, which makes shadow IT harder to detect and block. Now more than ever, it’s important for SaaS providers to ensure that their applications meet the highest levels of security by using automated tools to protect the data that they store.

Scott Brittain: Most importantly, shadow IT creates new holes in your enterprise that need to be policed from a data, privacy, GDPR, and CCPA point of view. Every time an employee stands up a new system, you create the risk of leakage or unconstrained behaviors outside of supervision.

Avishai Wool: One of the main drivers that causes users to resort to shadow IT is when the traditional IT processes are too slow. If it takes weeks to provision a few servers and allow connectivity between them, developers building a new application may prefer to use the resources of a cloud provider. This creates security challenges when it’s time to deploy the new applications into a production environment because bypassing IT processes also bypasses security review processes.

SEE: Shadow IT policy (TechRepublic Premium)

Sebastian Goodwin: Shadow IT comes in many forms. In some organizations, the main concern is people using unsanctioned software as a service (SaaS) applications while in other organizations the use of infrastructure as a service(IaaS) services like Amazon Web Services (AWS) might be the primary concern related to shadow IT. In many cases, there are signals available to alert IT that people are using these services. Those signals can be extracted from tools like corporate firewalls, proxy servers, or endpoint agents that provide reporting on the URLs people connect to and the software they install. In fact, the firewalls we use at Nutanix offer a handy “SaaS Application Usage Report,” which automatically generates a PDF document detailing our usage. Many organizations are deploying cloud access gateways—essentially cloud-based proxy servers that are managed by a service provider—to gain visibility and control that works even when employees are working remotely.

Once we have those signals, it’s important to act on them. Action can range from strict blocking of unsanctioned applications to less heavy-handed informational guidance to employees. For example: When IT receives information that someone is using AWS, they might have an automated playbook that sends a Slack message to the person along the lines of “We noticed you’re using AWS. Here’s some information to help you bring your AWS account in line with our organizational security requirements.” 

Avihai Ben-Yossef: According to data recently published by Microsoft, the average enterprise is using more than 1,500 different cloud apps, with employees uploading work-related information to web-based platforms that have often not been verified by their IT security teams, which makes this phenomenon a classic case of shadow IT. Today, with most of the population becoming accustomed to working from home during the pandemic, BYOD has found an additional boost.

As a result, corporate data is no longer confined to corporate networks and devices, and we’re not only talking about a company’s own confidential information but also personal identifiable information (PII) associated with customers and other audience members. A great example that I’m sure happens quite a bit is a shared spreadsheet listing all of the people who registered for a webinar. This type of shadow IT vulnerability has already received attention from regulatory bodies, and I predict that regulations will get more strict in this regard.

Scott Matteson: How does this tie in with self-service SaaS adoption, the work-from-home trend and BYOD?

Ofri Ziv: In these crazy days, lots of companies got drifted into the WFH and BYOD trends with no heads-up. Such a drastic shift in a company’s culture in general and in its IT habits in particular will certainly boost security issues, and Shadow IT is definitely one them.

People and companies are looking for alternate solutions (sometimes with no proper planning), which might lead to a small chaos that can also be named shadow IT. Their intentions are good, they want to deliver results, and do it in an efficient and fast way using different services available to them (hence, the variety of self-service SaaS solutions).

SEE: Bring Your Own Device (BYOD) Policy (TechRepublic Premium)

By definition these new trends expose an organization’s data and services to new machines and challenge the organization’s existing security policies and its security posture: The organization perimeter changed dramatically (dozens of new devices connect to the network over VPN from hundreds of unsecured and unsupervised networks), and some services and resources are not accessible from remote, etc.

Shai Toren: As more organizations adopt practices like self-service SaaS and BYOD, the need for greater visibility into their overarching corporate network of devices becomes even greater. Many organizations faced this crunch when moving their workforce remote only a few months ago as a response to COVID-19. Typically, the larger and more widespread an ecosystem of devices is, the more difficult it becomes for IT teams to maintain visibility and consequently cyber hygiene of those devices. We can expect many of the challenges around Shadow IT to only grow in the next few years as more enterprises adopt practices like BYOD, or even on an operational level, more flexible remote work policies. Consequently, enterprises will put a greater focus on automation to better identify and secure devices across their widened infrastructure.

Yaniv Aviden: SaaS tools bring immediate dangers of freely shared file data that is not classified or labeled. Or to say this in a more technical manner, there is zero data governance in collaborative hybrid work environments over shared files. DLP tools fail to bring effective results in shared environments. For effective data protection, organizations must have virtual file labeling that offers an automated process in which all the relevant security, privacy, and operational policies are considered, and continually fine-tuned. Only then can CISOs remain confident that their file data is protected in all shared work environments.

Avihai Ben-Yossef: Solutions do exist to discover and control both BYOD and SaaS usage. Microsoft recently announced some new capabilities, enabling enforcement when teams are working from home. Of course, it’s all a question of cost vs. risk, but I believe that regulators will help by putting a heavy price tag on the risk.

Scott Matteson: How can automation help address these issues or improve the process?

Ofri Ziv: Automation is an effective way to enforce policy. It minimizes the chances for misconfigurations and if done properly maximizes the security and efficiency of the “automated process” (as it should be designed, implemented, and delivered by professionals).
 
However automation can’t solve everything as there are so many SaaS services each of us consume these days, and there’s no chance an automation can be applied to every one of them.

SEE: Robotic process automation: A cheat sheet (free PDF) (TechRepublic)
 
Shai Toren: Automation takes away the need to manually chase the owners of those shadow systems. Since IT is not always aware of these systems’ existence, connecting to a central automation process ensures that even if these systems are not officially authorized, they are not an immediate security vulnerability, and automation ensures they adhere to the basic security protocols enforced by the organization.

Scott Brittain: One of the key automation areas is being able to quickly provision a new app with accepted corporate standards. Once shadow IT brings a new app inside your walls, you want a one-click way to create credentials, profiles, and permissions within that app that enable centralized control.

Avishai Wool:  To rein in shadow IT usage, IT teams need two things: Automation and visibility. If IT processes are automated, and it takes hours rather than weeks to provision servers and connectivity, developers are less likely to rely on shadow IT. And if shadow IT projects already exist, then visibility is key: If the IT and security teams have visibility into the cloud-native security controls, they can make informed decisions on whether, and how, to integrate the shadow IT projects into production systems, without compromising on security. This may be the modern IT interpretation of “If you can’t beat them, join them.”
 
Automation means that IT teams can keep on top of all the network changes they need to make to serve the organization’s needs, streamlining processes, and eliminating manual processing errors during changes. The right automation solution will also automatically flag up any potential security or compliance issues and will document everything for audit purposes, helping to ensure a strong security and compliance posture is always maintained.

Sebastian Goodwin: We shouldn’t overlook the fundamental reason that people seek out their own solutions instead of asking IT: Working with IT can be a slow and painful process. It doesn’t have to be. With recent developments in artificial intelligence (AI) and natural language processing (NLP), software has become increasingly good at deciphering requests from humans. Combine that with the increased popularity of tools like Slack, and you have a powerful and efficient front-end service for IT requests that can often be fulfilled immediately. For example, at Nutanix we deployed a bot in Slack that we call “X-bot.” Employees can ask X-bot for things, for example “I need a project management tool,” and X-bot will offer up our standard tool and automatically provision a license so the employee has access immediately. When an IT department is so highly responsive in fulfilling employee requests, the need for people to look for solutions themselves diminishes.

SEE: Four vital security policies keep company networks safe (TechRepublic) 

Hackers use automation to detect when your employees make a mistake. You should, too. With the proliferation of online tools available, it’s inevitable that someone will use them and accidentally disclose sensitive data. Once the mistake has been made, automation allows IT to detect that mistake and fix it before hackers detect it and exploit it. There are a number of tools and services available to help automatically detect leaks of confidential data, misconfigured public cloud accounts, or any number of common mishaps that can result from the use of shadow IT. If you’re not automating this, it can lead to problems down the road because today’s adversary is highly automated.

Scott Matteson: Have you implemented this, and what were the end results? Were there any specific challenges or special skills involved?

Ofri Ziv: We implemented automations for critical IT/DevOps tasks in our company. It saved us a lot of security issues, increased our service consumption efficiency, allowed us to support a much bigger operation as a growing company, while meeting our compliance requirements. For these processes to be implemented properly we needed a combination of our strong DevOps team with our skilled security team.
 
Scott Brittain: TrustRadius has implemented it up to a point. Since every app can be a bit different from an API or scripting point of view, our challenge was automating the process that operations goes through while provisioning.

Scott Matteson: Do you have any advice for other companies seeking similar solutions?

Ofri Ziv: One of the first steps a company should do to cope with shadow IT is to gain visibility into the different services consumed by its employees and products.

To identify the different services, we used our very own Guardicore Centra, which maps the communication between and from all our assets across the world, allowing us to list the services we consume and block access to them when needed.

Scott Brittain: We’d recommend establishing a friendly and welcoming tone within your IT department so employees cooperate with IT freely. Also, setting aside time for shadow IT is key. You need to work this problem every week, particularly in larger enterprises.

Scott Matteson: Where is this trend headed?

Ofri Ziv: It seems like more and more SaaS solutions will be consumed by different people in the company and each department will need a different set of such services that is optimized to its needs. From a work efficiency standpoint, that’s a great trend!
 
From the security point of view, this is a huge challenge that will require advanced visibility tools to identify and monitor the different services in use, good security posture management tools to ensure the right policy is in place and the ability to block access to unwanted systems.

Scott Brittain: The self-service trend is winning and justifiably so. Employees are creating efficiencies for themselves and their teams by adopting new apps. IT departments should position themselves as facilitators and magnifiers of those new apps.

Shadow IT is here to stay. Every week, a new free-trial, easy-start app hits the market, and most of them provide real value. Embrace it! Help the good apps succeed, and kill off the bad ones. 

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Sign up today

Also see