Apr 22 2020
Shadow IT: Uncovering the Hidden Security Threat
Shadow IT turns the old saying “what you don’t know can’t hurt you” on its head. Here, what you don’t know truly can and indeed does hurt your IT environment.
When it comes to end user devices, IT pros can only secure those machines they know about. Likewise, software, especially SaaS solutions, are only safe if they are brought in and managed by IT.
Shadow IT sounds cool on the surface. Tech-savvy end users and departments discover hot cloud apps they love and put to work. However, there are security, cost and even productivity downsides. Cloud apps that are that good should be vetted, and if proven, approved and even made standard. Ones that do not meet this threshold have no place in the enterprise. Finding the right answer means discovering and analyzing these hidden apps.
Shadow IT is inevitable. Sometimes referred to as Rogue or Stealth IT, Shadow IT are those applications, largely SaaS, that employees set up and use without IT permission — and usually without IT knowledge. This all means your IT team is not in charge of what happens to Shadow IT data. Instead, these Shadow apps are left in the hands of non-IT pros who are not experts in software standardization and management practices.
Shadow IT is a very big deal. Did you know a Cisco survey of CIOs shows they had 15 times more cloud applications than expected?
Shining a Light on Shadow IT Insecurity
Shadow IT causes all kinds of problems. It is a huge area of attack by hackers, and an ideal vector for malware. Meanwhile, storage, filing sharing and collaboration apps are all key sources of data leakage.
Shadow IT is clearly ripe for attack, as Gartner researchers predict that this year, 2020, one-third of all successful attacks on enterprises will be against Shadow IT resources.
“Many IT decisions are now distributed throughout the organization at the line-of-business level. From a security point of view, it’s a nightmare scenario,” says Larry Ponemon, founder of the Ponemon Institute, a technology research firm in an IBM sponsored study. “People at the business level may not have any knowledge at all about security, and they may be using these tools in ways that put the organization at great risk.” The study, Perception Gaps in Cyber Resilience: Where Are Your Blind Spots? argues that some 1 in 5 organizations suffered a cyber-attack due to Shadow IT.
Meanwhile, research from Skyhigh Networks finds that most SaaS providers come up short when it comes to security, and less than 10% of these providers meet the strong security requirements large enterprises need. In fact, just 2.9% of these services require strong passwords, and just 1% encrypt data with data keys controlled by customers.
Data Security – Access from Former Employees, Breaches, and Bad Permissions
How can you deprovision software you don’t know about? That’s one of many data security risks associated with Shadow IT. Unknown software may also store sensitive information. And like we’ve been hearing about with Gmail, users may inadvertently grant permissions that outlive the employee.
Regulatory and Customer Audit Compliance – SOX, GLBA, HIPAA, GDPR, etc.
Shadow IT can potentially violate regulations. Many regulations touch on data flows or storage. Storing data in unknown and potentially unvetted places may result in violations during an audit, which could result in a range of damaging regulatory consequences. Likewise, some clients may have requirements tied to these regulations and depend on you, their vendor, to maintain compliance. Violations could not only impact compliance, but client relationships and bottom-line revenue.
Shadow IT Apps Not Always Well Maintained
IT pros know that Microsoft had long had a disciplined approach to maintaining, updating and patching their on-premises products. Today top SaaS providers maintain and patch their software as part of the subscription, closing vulnerabilities and addressing new cyber threats.
However, not all SaaS providers are created equal, and IT does not know how well most Shadow IT SaaS providers update and secure their software. “One of the biggest problems that emerges from SaaS usage is unpatched or out-of-date software. While many SaaS applications perform automatic updates, some do not. When software is left unpatched, it creates security gaps and opens systems to attacks that have already been rendered useless by new patches,” argued an article in Dataconomy. Most importantly, unpatched software has a real cost. Equifax’s data breach, itself the product of unpatched vulnerabilities, cost the company an estimated $5 billion in market capitalization.
Blocking SaaS Access Doesn’t Always Work
Many companies attempt to block access to cloud services that do not meet their acceptable use policy. Skyhigh points out, however, that there is a vast discrepancy in the intended block rate and the actual block rate. Skyhigh calls this the “cloud enforcement gap.” The gap arises when cloud services introduce new URLs that are not blocked, or when access policies are not standardized throughout the enterprise, or when certain groups get an exception to access various services. This cloud enforcement gap represents…you guessed it, Shadow IT.
Issues Created by Shadow IT
- Data Security Problems – Data can be accessed from former employees, breaches can occur, permissions attacked because they are not managed by IT.
- Regulatory and Compliance Disasters – SOX, GLBA, HIPAA, GDPR and others violated because data and data access is not secured – or understood!
- License Compliance Violations – Freemium or shared accounts can put your approved SaaS contracts in jeopardy.
- Cost Overruns Out of Control – With Shadow IT, your end users are often paying for applications already served by corporate standard SaaS solutions, wasting money through vast redundancies. Shadow IT gets in the way of good IT software negotiations and proper, efficient provisioning.
- Misallocated Costs – Finance and accounting need accuracy, knowing what software is acquired, billed for, and renewed to optimize investment.
- Missed Financial Goals or Targets – If procurement misses savings goals due to unforeseen expenses from Shadow IT, it may lead to unintended cost-cutting measures.
- Loss of Respect for IT – Shadow IT leads employees to question the judgement of IT (they know better than IT does what software makes sense), and security and productivity problems caused by Shadow IT can be blamed on IT.
CoreView Bought Alpin to Solve Shadow IT Problem
Last year, CoreView bought Alpin for its broad SaaS management and discovery ability. Alpin tracks more than 40,000 SaaS apps, using 13 discovery methods, giving IT a full picture of their SaaS environment. With Alpin discovery, you will:
- Gain visibility – view all SaaS applications in one dashboard, along with all their users.
- Work with the business – help business users choose the best solutions and use those apps to their full potential.
- Spot trends – see app growth among teams, departments, geographies and across the company.
Learn more about the new SaaS Management powerhouse:
Explore the Alpin solution —Alpin Co-Founder’s Magical Mystery SaaS Management Tour
Dive into our white paper — 1+1=3: CoreView and Alpin are the New SaaS Management Platform (SMP) Powerhouse
You can also get a free CoreView Office 365 Health Check that details license savings, state of application usage, and pinpoints security problems in your Office 365 environment.
Learn more from Alpin’s Shadow IT Problems blog.
ABOUT THE WRITER
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.