By Dmitry Dontov, CEO and Chief Architect of Spin Technology
Shadow IT has been a thorn in the side of
corporate IT and security departments for decades now. Left unchecked,
employees using technologies without company knowledge or approval can
introduce grave security and compliance risks. And in the age of cloud- and
application-centric operations, and a business environment in which employees
are working primarily from home beyond corporate IT oversight, the problem is
only growing. In fact, nearly 80% of IT professionals believe shadow IT will
become a massive issue for organizations by 2025, according to one Entrust
Datacard report.
Public cloud solutions have
made valuable services available to individual employees through just a few
clicks. Services like Google Drive, OneDrive, Dropbox, Box, and other cloud
solutions generally only require an email address to set up and are available
for free. And it's never been easier for users to access specialized
applications. This makes these types of services very appealing to employees
who want to access certain data anywhere and on any device,
especially if they do not have a sanctioned way to do this with
business-approved solutions. And in a post-COVID world where remote work has
become the norm, IT and security departments have far less visibility and
control over the services and applications employees adopt and use in their
home environments.
Let's take a closer look at modern shadow
IT, the risks it presents for your business and cloud data, and the steps you
must take to minimize the threat.
## Understanding Shadow IT
The industry defines shadow IT
as any unsanctioned use of products, services, and solutions that do not align
with an organization's security, compliance and data governance policies and
requirements. Anyone with IT and security experience is all too familiar with
this issue, but it's essential to understand the drivers behind it - why employees opt for shadow IT.
Some users adopt unapproved
3rd-party apps or tools to bypass company restrictions and policies that impede
access to types of network traffic or software they see as vital to
productivity (or that they simply prefer). Generally speaking, employees often
turn to shadow IT to access cloud collaboration tools with features like file
sharing, cloud-to-cloud file transfer, and online file storage. They might see these solutions
as more effective or convenient than corporate-sanctioned options, and to avoid
lengthy IT processes and the risk of denial, they'd rather ask for forgiveness
than permission.
While the intention is often
to propel the business forward and remove roadblocks to productivity, what
users often overlook is that they're actually introducing security
vulnerabilities and threats to your company data in the process.
## Shining a Light on the Shadow IT Risks
Let's examine the top shadow
IT concerns, the security risks associated with them, and why they matter:
- Mistakes and misconfigurations - Picture an employee
who creates an unsanctioned Amazon S3 bucket to remove the limitations of your
sanctioned on-premises storage, but inadvertently leaves it open (and your data
exposed). Departments or users who lack technical experience and hold unfounded
assumptions often make these dangerous security errors when using unsanctioned
software and services. Many mistakenly assume that security is simply built
into cloud solutions by default, not realizing the onus is actually on
them.
- Sharing sensitive information outside of the
organization - Along with using unsanctioned software and services, shadow IT involves using
unapproved hardware to store and access data as well. Using a cloud
Software-as-a-Service (SaaS) storage application, employees can easily use
personal devices to access, edit, and even share information outside the
organization's purview. For instance, an employee might upload a document
containing historical customer data to their personal OneDrive account to
access the information on a personal device to work after hours on an annual
report. This opens your business up to even further security concerns when
devices that may not have the appropriate security software and other
protections in place interact with sensitive business-critical data.
- Installing malicious mobile apps - End users often place
too much trust in third-party applications for mobile devices. Think of a
situation where an employee installs a malicious application on their mobile
device that already has access to a personal cloud environment in which they
have copied sensitive business data. There's a good chance the end user will
have granted the malicious application all the permissions needed to access
that data during installation, which represents a major data leak concern.
- Transferring sensitive data from a company cloud account to a personal one - Very often,
departing employees try to use cloud-to-cloud data transfer SaaS services to
connect their business account with personal ones to transfer company Google
Drive files to a personal Google Drive. As a result, that employee might
blackmail the company in the future, or may cause new cases of data leakage.
Most public cloud vendors operate using
some form of a shared responsibility model. This means that users can't
absolve themselves of security accountability, and that any data leakage or
other security or compliance repercussions caused by shadow IT in cloud
environments are your responsibility.
Shadow IT increases the likelihood of uncontrolled data flows, leading to serious
compliance issues as well. An unsanctioned Amazon S3 bucket your employee
misconfigured could lead to a General Data Protection Regulation (GDPR)
or California Consumer Privacy Act (CCPA) violation. That's just one example of
user shadow IT behavior with serious compliance risks. Violations of these
regulations can cause tremendous financial and reputational damage from which
some companies never recover.
## Establishing Control Over Shadow IT
Employees engaging in shadow
IT, and specifically storing data, sharing data, or collaborating with SaaS
applications in the cloud without implementing proper security measures and
configurations, can be catastrophic. It's arguably the most significant cybersecurity
risk threatening your cloud environment and business-critical data
today. You cannot manage and secure what you can't observe, so you must
establish heightened cloud visibility and control in order to get a handle on
shadow IT.
The best way to do this is to
extend on-premises shadow IT policies to the cloud. This will require an
AI-enabled cloud security platform like Spin that can continuously monitor your cloud properties to
track how users and third-party applications share, access, and otherwise
interact with company data and assets. Prioritize solutions with machine
learning algorithms that can detect and alert you to abnormal user behaviors
and anomalies that indicate risks such as data leakage, insider threats,
ransomware and more. You should also prioritize solutions that enable you to
maintain tight control over approved and actively permitted applications to
ensure users aren't able to adopt malicious or unsanctioned services.
Managing shadow IT has always
been an uphill battle for companies of all types and sizes. And there's no sign
that it will vanish any time soon. The good news is that by understanding and
addressing the motivations behind it proactively and by establishing the capabilities
necessary to monitor and control cloud services, third-party applications and
user activities, you can dramatically mitigate the risks. Is your organization
equipped to contain shadow IT today?
## About the Author
Dmitry Dontov
is the CEO and Chief Architect of Spin Technology, a cloud data protection
company based in Palo Alto, and the former CEO of Optimum Web Outsourcing, a
software development company from Eastern Europe. As a serial entrepreneur with
over 20 years of experience in security and team management, Dmitry has a
strong background in the cloud protection field and is an expert in SaaS data
security. Learn more here: https://spin.ai.