Shadow IT is the use of assets that don’t fall under the management of the IT department, and, says Phil Richards, CSO of LANDESK, it can be a huge security problem, especially for those companies that don’t have a strong IT department to monitor application and device use, or when policies are too restrictive to allow employees to do their work efficiently. “The existence and growth of shadow IT is usually a sign that the central IT organization is not meeting the needs of the business,” says Richards. This means too many employees are going rogue to do their work.
This is putting both the network and its data at risk. For example, Symantec’s Shadow Data Report analyzed the business readiness of over 15,000 cloud apps and services based on more than 60 security criteria. The result was that only 1 percent of these apps were found secure enough for business use. Many apps and services are already a security risk, but when they are used as shadow IT, the potential threats go unchecked.
Shadow IT Security
Examine some of the concerns involving shadow IT security and the riskiest behaviors, applications and devices.
Risky Behaviors Lead to Shadow IT
According to Martin Johnson, senior director, Cloud Security, Symantec, some of the most risky user behaviors when using any cloud application, but especially in shadow IT, include:
• Accidental oversharing of data
• Account compromise
• Data Exfiltration
• Data Destruction
• Malware Delivery
Misuse of Popular Apps Leads to Shadow IT
Organizations can be exposed to data loss and other risks due to misuse, said David Dorosin, director of Product Marketing at Netskope. “A user could upload a file with sensitive business data to Office 365 OneDrive and inadvertently share that file publicly. To address the risk of misuse, organizations need to gain visibility into the usage of their cloud services and put the appropriate controls in place to prevent risky activities.”
Shadowy Cloud Storage Platforms
“Dropbox and other non-sanctioned Enterprise File Synch and Share (EFSS) and cloud storage platforms are one of the most prolific forms of shadow IT in the enterprise,” says Vishal Gupta, CEO of Seclore. “These products are attractive to employees due to their ease of use, but lack the data security features necessary for protecting highly sensitive documents.”
The problem, Gupta adds, is that once this information is shared, the organization loses the ability to control who can use the files, creating huge security gaps.
Use of Personal Accounts Leads to Shadow IT
Another shadow IT security risk, Gupta says, is the use of personal accounts. “Workers often use personal accounts to go around IT’s back, meaning there are no assurances that established protocols are being implemented. As a result, it isn’t uncommon for departing employees to retain access to sensitive data long after leaving an organization.”
Plugins and Add-ons
Plugins and add-ons to applications approved by IT also create a great security risk, according to Darran Rolls, CISO of SailPoint. “Many people don’t think about shadow IT in terms of plugins and add-ons to existing, approved applications. However, these applications expand approved SaaS applications into new territory, often with potentially significant security implications that haven’t been evaluated by IT.”
Multiple Developers Creating Similar Solutions and Not Sharing Them
According to the security experts at CloudSploit, IT teams inside of a company are tasked with creating processes or even scripts to make sure that their cloud account is properly configured, but they aren’t sharing this information with others within the company. In turn, they are often developing repetitive solutions that may not cover all security vulnerabilities and may not adhere to best practices.
Staff Collaboration Using Evernote Means Shadow IT
Employees like using Evernote because of its collaboration tools. However, as Sateesh Narahari, VP of Product with ManagedMethods, points out, in some industries, like health care, using Evernote can result in compliance violations. For example, Narahari says, in order to efficiently share patient info between staff members, the team uses Evernote to record information from patient visits, lab results, phone conversations with patients, prescription requests, etc. “It’s their own version of Electronic Health Records, but unfortunately not secure and definitely not in line with HIPAA regulations. The practice is essentially sharing all this patient information with the world since it is stored in the cloud without required security measures to prevent hackers accessing that info and wreaking havoc with it.”
Google Drive and Shadow IT
The security team at Bitglass points out that cloud productivity apps like G Suite are quickly coming out of the shadows, now officially sanctioned in many organizations. However, the team adds, many IT departments turn a blind eye to features like one-click sharing and components like the Google Drive sync client. This may be because these organizations lack the granular controls necessary to restrict access in risky contexts – unmanaged device use of the sync client, for example – and in failing to do so, expose themselves to a potential breach.
BYOD and Mobile Mean Lots of Shadow IT
Mobile is another popular example of shadow IT, the Tenable Network Security team explains. In the organization’s 2016 BYOD and Mobile Security Survey, 72 percent of respondents had reached the stage where BYOD was available to all or some employees. However, the team adds, not every organization has the tools and processes in place to know what mobile devices are connecting to the corporate network, and whether those devices have vulnerabilities or malware that can infect the network.
Don’t Forget About Social Media Applications
“While not often mentioned in discussions around shadow IT, we shouldn’t forget that hugely popular applications like Twitter, Facebook and Skype are risky applications to add to a user’s device. These three applications alone are responsible for a significant amount of malware and information leakage, albeit almost unintentional,” says Absolute’s Global Security Strategist, Richard Henderson.
