Shining a Light On Shadow IT

One of the questions I am most frequently asked is “what keeps you up at night.” My peers ask me this question, vendors ask me this question and it’s a very common question during panels. It’s also one of the more legitimate questions that I’m asked. 

There are a lot of things that I worry about—vulnerability and patch management, access controls, security operations and others. That said, the number one thing that keeps me up at night is Shadow IT. A modern security organization has a lot of moving pieces, operations, compliance, architecture and engineering. 

As a security executive I can deal with the things that I see. I can rank my risks, I can create project plans and track milestones, I can assign engineers to solve problems and we create processes and policies to secure our operations. I can solve these problems because I can see them. 

What I can't fix and what I can't solve is IT infrastructure and code when I don't know that it exists. I can’t patch the infrastructure, I can’t monitor the infrastructure and access and I can’t audit the infrastructure. These things can leave an organization with a huge blind spot and unknown risks - both from an infrastructure security perspective as well as vulnerable code. 

Shadow IT Grows Organically
There are a lot of reasons why shadow IT exists. In many cases, the people and groups responsible for shadow IT are some the hardest working in an organization. They have a “get it done attitude” and rather than follow the appropriate processes (if they are even aware of them), they just solve the problem. 

Shadow IT seems to be a problem as companies grow, especially internationally. When the IT and infosecurity  teams no longer personally know all the developers and business leaders in an organization, it becomes easy to lose sight of all the projects that are being worked on and developed.

When projects are created for specific geographies, particularly where there is no infosec presence it can become challenging. Language barriers and regional or national privacy laws also contribute to the problem. I think the top four reasons for the creation of shadow IT are:

  1. Ease and low cost of setting up initial cloud infrastructure;
  2. Overly difficult or inefficient IT processes;
  3. Lack of available development resources; and
  4. Business units don’t understand the global impact of their decisions on security and compliance.

I have yet to find a silver bullet to solve the problem of shadow IT. Rather, it’s a matter of putting several different controls in place to prevent or catch shadow projects in their infancy.

Finance and Technology Controls for Shadow IT
Finance is a great way to prevent or catch these issues early. Ensuring that only authorized parties within the IT organization are permitted to authorize technology or cloud purchases is key. If an employee is unable to pay for physical or virtual servers, they are going to have a harder time setting up infrastructure. Working with your cloud providers to limit the employees who are authorized to spin up systems is another prevention mechanism. 

Preventing the creation of unauthorized code is another problem. With the millennial generation in the workforce in strength now, there are a ton of people who know how to code or cobble together snippets of code from various sources. This does not mean that it is good or secure code, but it’s often functional.

Application whitelisting helps solve this problem. By limiting access to development resources to only authorized developers, we can make it harder for this development to happen in the first place.

The final piece of the puzzle is strong information security engagement within the business units. The infosec team within any company must understand how the business units generate revenue. This is where an ounce of prevention can be valuable. Business units need to have a good understanding of IT security risk and a strong understanding of their client’s security expectations.
 
In my experience, the best ways to do this is to physically visit and engage with a business unit. There is no substitute for a deep immersion with a team. While I am a frequent user of virtual meetings, a one-hour virtual meeting falls short when it comes to really digging in to a business and understanding and supporting their security needs. It’s during these meetings when you will really uncover the existence of shadow IT. 

Dealing with Shadow IT Requires Patience 
When shadow IT is discovered, the key is not to panic. Remember that in almost all cases, the person or group involved never intended to do anything malicious. As an IT or InfoSec professional, you job is to work with them to either migrate the infrastructure or implement your processes and controls on the newly discovered resources. In some cases, you can spin it in to a positive by educating them on the value add that your controls may have on a sales cycle.

What’s Hot on Infosecurity Magazine?