The COVID-19 pandemic and the resulting work-from-home mandates have increased the security challenges facing enterprises, and the rising use of unauthorized technologies -- dubbed shadow IT or stealth IT -- is one of the top risks.
Shadow IT risks have been a security issue for decades and have evolved as technologies changed and users could more easily access work-related IT hardware and software. As it stands, everything from SaaS applications to personal smartphones to a network of IoT devices can be brought into an enterprise without enterprise IT and security teams being in the loop. Unauthorized technologies create greater risk for the enterprise due to potentially more exposure to cyberthreats that could corrupt systems, as well as compromise data privacy, integrity and security. Usually, the end user doesn't intentionally create additional risk.
A recent survey from Check Point Software Technologies highlighted the current issues around shadow IT. The April 2020 report found 95% of the responding security professionals saw increased challenges in keeping their organizations safe during the pandemic, and 47% specifically thought untested software, tools and services were a leading concern.
"Shadow IT, depending on your security architecture, can be a huge, gaping chest wound if not managed properly," said Gregory J. Touhill, adjunct faculty member at Carnegie Mellon University's Heinz College of Information Systems and Public Policy and retired U.S. Air Force brigadier general who served as the first federal government CISO during the Obama administration.
To counter the risks of shadow IT, CISOs must devise strategies and policies in cooperation with their colleagues, Touhill said.
"Any solution the CISO wants to implement has to be done hand in hand with the CIO, as well as other senior leaders across the organization," he said.
Shadow IT outside of most safeguards
The scope of shadow IT was significant even before the pandemic.
Password management company 1Password, based in Toronto, conducted a shadow IT survey of 2,119 U.S. workers in late 2019 that found 63.5% of respondents had created at least one account without involving IT. The survey also revealed, across the board, each enterprise professional created an average of 1.5 shadow IT accounts.
Similarly, in a report released in January 2020, McAfee found more than 25% of enterprises had sensitive data downloaded from the cloud to a user's personal device with no corporate controls to adequately monitor or protect it. Cloud downloads of sensitive data also expand enterprise risk due to shadow IT. The report said 91% of cloud services don't encrypt data at rest, so the data isn't protected if the cloud provider is breached.
In addition to shadow IT, security risks are rising overall.
The Check Point survey results showed 71% of responding security professionals saw an increase in security threats or attacks since the beginning of the pandemic. The FBI has warned of a rising number of cyber attacks as hackers seek to exploit the situation. The World Health Organization also warned against increased cyber attack activities.
Yet, due to its very nature, shadow IT generally falls outside many -- if not all -- enterprise policies and defenses meant to safeguard data and protect the IT stack against such attacks. That means the risks of data loss and of regulatory and compliance failures are higher, as is the potential for a successful attack on IT systems.
"There is no oversight or visibility over the security controls in shadow IT," said E.J. Widun, who has learned to guard against it as CTO of Oakland County in Michigan.
Widun believes shadow IT stems from a breach of trust with business users.
"It tends to come in where there's too much red tape and bureaucracy and a lack of perceived nimbleness," he said -- a scenario that can encourage business users to avoid IT, the security team or both in search of technologies that let them work more effectively and efficiently. "But, when you build the relationships, I believe you can crush shadow IT."
He's not alone in that assessment, with experts advising CISOs to strengthen their proactive measures to better address the issue.
More specifically, security leaders said they advise CISOs to rely on the standard PPT -- people, process and technology -- to tamp down on the security risks from unauthorized devices.
Build trust to reduce shadow IT
CISOs need to build alliances with their colleagues throughout the organization to garner trust and gain insights that will help them respond more quickly to users' needs and thereby head off risks from possible shadow IT deployments, as well as identify existing risks.
Bill Bowman, CISO of Emburse, an expense management technology company based in Los Angeles, said it's all about establishing relationships and creating a security team that enables the business. He said he and other security leaders succeed on those fronts by attending meetings, listening to roadmaps, asking questions and being solution-centric. "Be approachable, and listen," he added.
Similarly, Pamela Gupta, president of cybersecurity services firm OutSecure Inc., based in Shelton, Conn., and a member of Women in CyberSecurity, said she advises CISOs to cultivate strong relationships with the legal and audit departments specifically, as those departments review contracts and payments to vendors and can, therefore, alert security to new technology deployments that haven't been reviewed by security.
Carnegie Mellon's Touhill advised CISOs to develop a partnership with the CFO for similar reasons.
Shadow IT policies limit unauthorized technologies
CISOs should set and use procedures and policies that can limit the use of unauthorized technologies, which will tamp down on the security risks that come from shadow IT.
Gupta said CISOs could work with the legal and audit departments to put policies in place that ensure security standards are met whenever a new contract or payment is enacted.
"The more integration there is in terms of what the objectives are, how we're meeting them and how they're communicated, the more it will help CISOs achieve their objectives -- which is not having a covert platform or system," she said.
Matthew Miller, vice president of global information governance advisory services at Consilio, based in Washington, D.C., which offers eDiscovery, document review, risk management and consulting services, said he has found most business users still don't understand the risks that unauthorized technologies can introduce into their organizations.
"They put their companies at risk, but they just don't know it. They don't recognize it. They just want to get their work done," he said. "And, if someone doesn't know they're doing something wrong, then they're going to keep doing something wrong."
That indicates the need for stepped-up security awareness and training, Miller added, in addition to reviewing and perhaps strengthening BYOD and data retention policies, data classification procedures and other procedural controls to ensure they are up to date and match the current work and IT environment.
Technologies address shadow IT
As for technology, Touhill said segmentation and other tight controls that enable or block connections to the enterprise IT stack can help CISOs limit the risks posed by shadow IT.
"Making sure you have connection approval and approval to operate and policies and procedures for that in place [means] you can effectively operate and maintain security," he said.
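The "connection approval" idea above can be turned into a simple visibility check. The following script is an added illustration, not code from the article or from any vendor it names: it reads web-proxy log lines, compares each destination host against an inventory of sanctioned services, and reports the hosts and users behind connections to anything outside that inventory. The log format, the inventory entries and the sample log lines are all constructed for the example; the host names are placeholders.

```python
"""Flag egress connections to services that are not on the sanctioned list.

Added illustration (not from the article): a minimal "connection approval"
check a security team could run over web-proxy logs to surface shadow IT.
The log format, the sanctioned-service inventory and the sample lines are
all constructed for this example.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed inventory of services approved for use (hypothetical names).
SANCTIONED_SERVICES = {
    "mail.example-corp.com": "corporate email",
    "video.approved-vendor.example": "sanctioned video conferencing",
    "files.approved-vendor.example": "sanctioned file sharing",
}

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2020-04-21T09:02:11Z alice GET https://mail.example-corp.com/inbox 200
2020-04-21T09:05:43Z bob POST https://video.approved-vendor.example/join 200
2020-04-21T09:07:02Z carol POST https://notes.unknown-saas.example/api/sync 200
2020-04-21T09:09:30Z alice GET https://files.approved-vendor.example/share 200
2020-04-21T09:12:15Z bob GET https://meet.other-video.example/room/42 200
2020-04-21T09:13:50Z carol POST https://notes.unknown-saas.example/api/sync 200
"""


def parse_proxy_line(line):
    """Return (user, host) for one log line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    user, url = parts[1], parts[3]
    host = urlsplit(url).hostname
    return (user, host) if host else None


def is_sanctioned(host, inventory=SANCTIONED_SERVICES):
    """A host is approved if it, or a parent domain of it, is in the inventory."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in inventory for i in range(len(labels)))


def find_unsanctioned(log_text, inventory=SANCTIONED_SERVICES):
    """Count connections per (host, user) to services outside the inventory."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_proxy_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        user, host = parsed
        if not is_sanctioned(host, inventory):
            hits[(host, user)] += 1
    return hits


def report(log_text, inventory=SANCTIONED_SERVICES):
    """Summarise unsanctioned hosts, most-used first, with the users involved."""
    per_host = {}
    for (host, user), n in find_unsanctioned(log_text, inventory).items():
        entry = per_host.setdefault(host, {"connections": 0, "users": set()})
        entry["connections"] += n
        entry["users"].add(user)
    return sorted(per_host.items(), key=lambda kv: -kv[1]["connections"])


if __name__ == "__main__":
    for host, info in report(SAMPLE_PROXY_LOG):
        print(f"{host}: {info['connections']} connections "
              f"from {sorted(info['users'])}")
```

The output is a starting point for the conversation the article describes, not a block list: a host that shows up repeatedly from several users is a candidate for review against the organization's standards, and the matching on parent domains means a sanctioned vendor's regional subdomains are not flagged as new services.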
Putting shadow IT fixes in place
Oakland County's Widun leans on technologies such as a recently deployed product from Okta, an identity and access management company based in San Francisco, to manage access and authentication.
On the process front, Widun said he has defined standards included in all requests for proposal for new technologies to help ensure security and other requirements are met even when business-side workers drive the IT selection process.
He then leans on people and processes to make sure the standards are used. "We talk with business partners to make sure they have solutions that meet those standards," he explained.
As an example, Widun cited a recent incident in which one government agency needed to use a video conferencing system outside the IT-sanctioned system. Agency officials reached out to Widun and other IT and security leaders to work together to ensure its preferred platform met security standards.
"It worked because those relationships were longstanding," Widun said, "and the security education and awareness were there."