Shadow IT - the use of digital tools without the consent of the IT department - is now considered a growing threat to IT security. Even if it is not a malicious practice, Shadow IT does present cybersecurity risks, notably due to the multiplication of entry points and the increase in the attack surface.
What are the different types of Shadow IT? What detection tools can be used? How can Shadow IT risks be reduced? From network monitoring to employee awareness-raising, OverSOC takes a look at the subject.
What is Shadow IT?
Shadow IT: definition
"Shadow IT" refers to the use by employees of tools and technologies (software, services, applications, devices, etc.) without the approval or supervision of the IT department.
While this practice is generally not motivated by malicious intent, it does present IT security risks. The phenomenon of Shadow IT has grown with the rise of the cloud and the need for employee mobility.
The most common types of Shadow IT
There are many different forms of Shadow IT. The most common are:
- Cloud-based file storage and sharing services.
- Mobile applications (chat applications, for example).
- Personal devices (smartphones, USB sticks, etc.) used by employees to access the organization's resources.
- Free online tools (PDF converter, image editing tool, etc.).
- Smart connected devices (Shadow IoT).
What are the risks of shadow IT?
Expansion of the attack surface
The multiplication of solutions used within an organization increases the attack surface. By definition, IT teams are unaware of the use of these tools, which are therefore not subject to the security assessments and controls in place. The use of unsupervised tools increases the number of entry points to the information system.
Data security
Sharing data outside the organization's environment also presents risks: loss or leakage of sensitive data, disclosure of confidential and/or strategic data, etc. And these data breaches can have multiple consequences, both financial and legal.
Impact on compliance
What's more, there's nothing to indicate that tools used without IT department approval comply with the various cybersecurity and data protection regulations: the ISO 27001 standard, the GDPR, etc. As organizations are legally responsible for the security of the data they handle, Shadow IT exposes them to fines and sanctions.
Additional workload for IT teams
As employees seek to improve their productivity by using unsupervised tools, they add to the workload of IT teams by introducing unsupervised software and programs into the corporate network. These practices increase the risk of cyber-attacks and data breaches. IT teams are forced to step up their monitoring, which in turn increases their workload.
How can you identify and reduce Shadow IT with detection tools?
Network monitoring
Identifying Shadow IT requires proactive network monitoring. Discovery tools (Nmap, MMS, etc.) can be used to detect, or at the very least gather clues about, equipment connected to the network without authorization (endpoints, connected objects, etc.). Running network queries also helps to reveal "hidden" assets.
Access log analysis
Analysis of access logs (mainly system and network logs) is another important building block for identifying Shadow IT. A SIEM or log collector, for example, can aggregate large quantities of data, but it is still necessary to know how to query this data effectively and generate relevant alerts (system event, discovery of a new IP, etc.).
IT asset management solutions
Reducing Shadow IT requires solid management of IT assets. Taking stock of them is time-consuming, and even more so if it's done manually. But inventorying, managing and securing assets (workstations, software and user accounts) is essential to understanding what's going on within the information system, and how an organization's attack surface is evolving.
CAASM (Cyber Asset Attack Surface Management) solutions allow you to carry out a complete inventory of your assets and:
- Consolidate data and prioritize vulnerability treatment.
- Control discrepancies between measurements made by existing discovery tools and the reality of production (Shadow IT detection), thanks to the aggregation and correlation of different data sources (EDR, antivirus, CMDB, results of vulnerability scans, etc.).
- Manage the remediation of major risks.
- Align cybersecurity practices across organizational and technical silos.
- Get a holistic, comprehensive and up-to-date view of the organization's assets and risks.
In concrete terms, data is aggregated via APIs and connectors that facilitate the integration and exchange of information with cyber tools already in place within the organization. Adopting a CAASM solution such as OverSOC's is not about adding yet another security tool, but rather about optimizing the potential of investments already made.
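As an added example of the log analysis and source correlation described above (this is illustrative code, not OverSOC's product logic), the Python script below treats the CMDB as the list of approved assets, extracts internal source IPs from constructed firewall log lines, and compares them with constructed EDR and vulnerability-scan inventories to flag hosts that are observed but not approved, approved hosts with no EDR agent, and CMDB entries that are never observed. All IPs, hostnames and the log format are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample data: what each tool believes it knows about the network.
CMDB = {"10.0.1.10": "srv-files01", "10.0.1.11": "srv-mail01",
        "10.0.1.12": "srv-old01", "10.0.2.20": "ws-alice"}   # approved assets
EDR_AGENTS = {"10.0.1.10", "10.0.2.20"}                        # hosts with an endpoint agent
VULN_SCAN = {"10.0.1.10", "10.0.1.11", "10.0.2.20", "10.0.2.57"}  # hosts answering the scanner

# Constructed syslog-style firewall lines, as a SIEM or log collector would receive them.
FIREWALL_LOG = """\
2024-05-02T08:01:12Z fw01 ALLOW src=10.0.2.20 dst=142.250.74.46 dport=443 proto=tcp
2024-05-02T08:01:40Z fw01 ALLOW src=10.0.2.57 dst=104.18.32.7 dport=443 proto=tcp
2024-05-02T08:02:05Z fw01 ALLOW src=10.0.3.101 dst=34.117.59.81 dport=443 proto=tcp
2024-05-02T08:02:30Z fw01 DENY  src=10.0.1.11 dst=10.0.1.10 dport=445 proto=tcp
2024-05-02T08:03:00Z fw01 ALLOW src=10.0.3.101 dst=13.107.42.14 dport=443 proto=tcp
"""

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def internal_sources(log_text):
    """Return the set of private (RFC 1918) source IPs seen in the log text."""
    found = set()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m and ip_address(m.group(1)).is_private:
            found.add(m.group(1))
    return found

def correlate(cmdb, edr, scan, log_text):
    """Compare every discovery source against the CMDB (the reference of approved assets).

    shadow_candidates: hosts observed by at least one source but unknown to the CMDB,
                       with the names of the sources that saw them.
    missing_edr:       approved hosts with no endpoint agent (control gap).
    stale_cmdb:        approved hosts never observed by any source (inventory to review).
    """
    sources = {"edr": set(edr), "scan": set(scan), "logs": internal_sources(log_text)}
    observed = set().union(*sources.values())
    approved = set(cmdb)
    shadow = {ip: [name for name, seen in sources.items() if ip in seen]
              for ip in sorted(observed - approved)}
    return {
        "shadow_candidates": shadow,
        "missing_edr": sorted(approved - set(edr)),
        "stale_cmdb": sorted(approved - observed),
    }

if __name__ == "__main__":
    for category, result in correlate(CMDB, EDR_AGENTS, VULN_SCAN, FIREWALL_LOG).items():
        print(f"{category}: {result}")
```

Each shadow candidate carries the list of sources that observed it, which is the starting point for deciding whether it is an unapproved device, a forgotten one, or a gap in the discovery tooling itself.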
Promoting a culture of IT security based on a framework
Maintain open communication to meet business needs
Shadow IT can be the result of a mismatch between existing tools and employee needs. Limiting the phenomenon therefore requires regular assessment of needs, involving both business and cross-functional teams. This involves asking why employees are using unauthorized tools, and then assessing whether it is indeed necessary to upgrade current tools in the light of needs.
Organizations have every interest in supporting, evaluating and securing the use of new tools, rather than systematically banning them. Taking a close interest in business needs is an effective way of limiting Shadow IT.
Create internal technology approval and management policies
Ignorance of available tools and internal policies can also contribute to the development of Shadow IT. Employees must be able to simply express their needs, which are then studied by the IT department. If tool requests are rejected, equivalent solutions are offered to employees. The approval process for new tools must be known and simple (a form with expected functionalities, for example).
Employee awareness and security training
Employees are often unaware of the risks they run to their organization by using tools without the approval of their IT department. Building an IT security awareness and training program is the perfect way to highlight these risks and share best practices.
Things to remember
Monitoring your information system and looking for "hidden" IT assets is essential for detecting Shadow IT and reducing the associated risks. Organizations also benefit from going beyond a purely technical approach to Shadow IT. Raising staff awareness of IT risks, assessing their needs and providing them with a framework for approving new tools also contribute to effectively dealing with the phenomenon.
Would you like to know how OverSOC can help you reveal the Shadow IT in your organization? Contact us.