What is Shadow IT?

What Exactly is Shadow IT?
Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval.
A shadow IT ecosystem is created when employees circumvent the IT department and start using unauthorized apps, hardware, software, or web/cloud services. Shadow IT is any IT system that is used at WORK (inside corporate networks) without the knowledge of your IT department.
Shadow IT includes all IT-related activities and purchases that your IT department is NOT involved in. These purchases or uses can include:
• Hardware: servers, PCs, laptops, tablets, and smartphones
• Off-the-shelf packaged software, Macros
• Cloud services: SaaS, IaaS, and PaaS
Why Do Employees Use Shadow IT?
One of the biggest reasons employees engage in shadow IT is simply to work more efficiently. An RSA study reported that 35% of employees feel they need to work around their company’s security policies just to get their job done. For example, an employee may discover a better file-sharing application than the one officially permitted. Once they begin using it, use can spread to other members of their department.
Cloud services, especially SaaS, have become the biggest category of shadow IT. The number of services and apps has increased, and staff members routinely install and use them without involving the IT group. The rapid growth of cloud-based applications has also increased the adoption of shadow IT. Common applications, e.g., MS-Office 365, Google Docs (G Suite), Slack, Skype, Dropbox, Excel Macros, etc. are available to them at the click of a button. Certain features like file sharing/storage and collaboration (e.g., Google Docs) can result in sensitive data leaks.
What makes the cloud stand out from past shadow IT situations is the magnitude of the challenge. Collaboration services such as video and web conferencing, online training and education, and desktop sharing (not counting social media) all rank high on the list.
The canvas of shadow IT also extends beyond work applications to employees’ personal devices such as smartphones, laptops and tablets (BYOD).
In recent times, with a large number of employees working from home, they show a strong tendency to use and like the user-friendly functionality of such applications.
But what they are not thinking about is that each such use creates a new entry point for a cyber attacker to exploit.
Why is Shadow IT a growing cybersecurity risk?
Almost every organisation can fall victim to Shadow IT and face a cyber-attack sooner than expected. The same holds true for your organisation too, particularly if you don’t have certain safeguards and preventive controls in place.
Ransomwares are already knocking at your doors…
One common example is when an employee downloads an app without approval and starts using it, and that app contains a remote access trojan that a cyber-attacker uses as the initial entry point and subsequently for credential theft.
By the time you react, it might already be too late. What would you gain by realizing later that the root cause was Shadow IT?
And this risk extends beyond just applications. The RSA study also reports that 63 percent of employees send work documents to their personal email to work from home, exposing data to networks that can’t be monitored by your IT.
Then there is additional risk from OAuth-enabled shadow IT applications…
OAuth-enabled applications are convenient because they use existing credentials. But they also include ‘permissions’ to access information in the core application (Office 365 and G Suite, for example). These permissions increase the attack surface and can be used to access sensitive data from file-sharing and communication tools. OAuth-enabled applications communicate cloud to cloud, so they don’t hit the corporate network. They are a blind spot for many organizations. Recent OAuth-related attacks have highlighted the need for better visibility and control of these connected apps.
Your organisation might be spending a lot of money on cybersecurity and working very hard to prevent intrusion into your network or cloud, but what is the gain if your employees unwittingly create a bypass and pathway for attackers, all under the radar of IT or security?
You need to understand that it is a BATTLE that can’t be won without certain safeguards, preventive and detective controls.
Some time ago, Gartner estimated that more than one-third of successful attacks experienced by enterprises would be on data located in ‘Shadow IT resources,’ including shadow Internet of Things.
Shadow IT is a huge cybersecurity risk because it is usually not on the radar of your IT/Security department, and because it provides many entry points for cyber-attackers to intrude into your network by exploiting vulnerabilities in third-party apps, software or web services.
Shadow IT and Compliance Risks
Shadow IT creates not only cybersecurity risk but also non-compliance risk with GLBA, PCI-DSS, HIPAA or other requirements, depending on whether personally identifiable information (PII), payment card information (PCI) or protected health information (PHI) is involved with the use of Shadow IT. It can also lead to GDPR non-compliance and stiff monetary penalties.
Shadow IT that leads to a data breach can also give rise to allegations of federal or state unfair or deceptive acts or practices (UDAP) law violations. In addition to federal UDAP, each state in the U.S. also has its own UDAP law.
It can be alleged that the failure to prevent and detect Shadow IT enabled the cyberattack and caused harm to consumers, that consumers had no way to avoid the injury, and that what the organization said in its privacy policy about safeguarding consumer information was false.
The Paradox Of Shadow IT
Despite its risks, shadow IT has its benefits. Getting approval from IT can require time employees can’t afford to waste. For many employees, IT approval is a bottleneck to productivity, especially when they can get their own solution up and running in just minutes.
Many SaaS tools make employees more productive and help them interact efficiently with co-workers and partners. IT teams need to handle this paradox correctly.
Finding a middle ground can allow end-users to find the solutions that work best for them while allowing the IT department to control data and user permissions for those applications.
The bottom line is that if you, as a cybersecurity professional, are not aware of an application, you can’t support it or ensure that it’s secure.
What Can You Do To Manage Shadow IT Properly?
1. First, create a ‘Shadow IT Policy’ that clearly explains what Shadow IT is and the risks it creates, with concrete examples.
2. Implement both preventive and detective internal security controls. Preventive controls block ad-hoc downloads of apps or software or access to certain web services, for example. Detective controls include performing regular scans to identify unauthorised apps, software or web services.
3. Cloud access security brokers (CASBs) can help you by providing both visibility and control of software-as-a-service (SaaS) apps.
4. Provide a mechanism, usually a FORM, for your employees to recommend and justify the authorisation of any new app, device or service. If the organization authorizes and adopts it, give the employee a carrot in the form of recognition and/or a reward, highlighting the benefits gained by using the new app.
5. At the same time, use the stick by communicating that any non-compliance will be grounds for suspension or termination of employment, then enforce compliance and communicate instances of non-compliance and consequences.
6. Make sure to train every single employee on policy and controls so everyone clearly understands why the policy is essential, the risks and why each employee’s cooperation and compliance is critical to success. Train all new employees when on-boarding.
7. Finally, engage a third-party to perform regular Shadow IT audits to independently test compliance with policy, and assess the adequacy of preventive and detective controls, for prompt risk mitigation.
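As an added example of the detective control in step 2 (this is not code from the original post), the following Python script scans web-proxy log lines for SaaS domains that are not on a sanctioned-application list and ranks the unsanctioned services by how many distinct users reach them, which is how a spreading shadow IT tool surfaces. The log format, the allowlist and the user names are constructed assumptions for illustration; adapt the parser to whatever your proxy or CASB actually exports.

```python
"""Detective control for shadow IT: scan web-proxy logs for SaaS use that is
not on the sanctioned-application list.

Added example. The log format, allowlist and sample entries below are
constructed for illustration and do not come from any real product."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of sanctioned SaaS domains (assumption: IT maintains
# such a list as part of the Shadow IT policy).
SANCTIONED_DOMAINS = {
    "office.com",
    "sharepoint.com",
    "slack.com",
}

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:01:12Z alice GET https://contoso.sharepoint.com/sites/finance 200
2024-05-01T09:02:40Z alice POST https://www.dropbox.com/upload 200
2024-05-01T09:03:05Z bob GET https://app.slack.com/client 200
2024-05-01T09:04:18Z bob POST https://www.dropbox.com/upload 200
2024-05-01T09:05:51Z carol GET https://docs.google.com/document/d/abc 200
2024-05-01T09:06:02Z dave GET https://api.trello.com/1/boards 200
2024-05-01T09:07:30Z carol GET https://www.dropbox.com/home 200
corrupt entry
"""


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (docs.google.com -> google.com).
    Simplification: a real deployment should consult a public suffix list so
    that hosts under co.uk and similar suffixes are grouped correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_proxy_line(line: str):
    """Return (user, domain) for one log line, or None if it is malformed."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _timestamp, user, _method, url, _status = fields
    host = urlsplit(url).hostname
    if not host:
        return None
    return user, registrable_domain(host)


def find_unsanctioned(log_text: str, sanctioned: set) -> dict:
    """Map each unsanctioned domain seen in the log to the users who reached it.
    Malformed lines are skipped rather than aborting the whole scan."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue
        user, domain = parsed
        if domain not in sanctioned:
            hits[domain].add(user)
    return dict(hits)


def summarize(unsanctioned: dict) -> list:
    """Rank unsanctioned services by distinct user count (desc), then by name,
    so the most widely spread shadow IT appears first in the report."""
    return sorted(((domain, len(users)) for domain, users in unsanctioned.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    findings = find_unsanctioned(SAMPLE_PROXY_LOG, SANCTIONED_DOMAINS)
    for domain, count in summarize(findings):
        users = ", ".join(sorted(findings[domain]))
        print(f"{domain}: {count} user(s): {users}")
```

Run on the constructed sample, the report shows dropbox.com reaching three users while google.com and trello.com each reach one, which is the signal that a file-sharing tool is spreading through a department. Feeding the output into a ticket queue or a CASB policy gives the "carrot and stick" steps above something concrete to act on.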

Thanks to Mrs.Meena for this post.


Pentester, Cyber World Enthusiast