Focus on People, Process, and Technology to Secure Your Shadow IT
Written by David Golding, AppOmni.
Anyone in IT is familiar with shadow IT. How many times has an IT manager been surprised by the number of unknown applications that connect to their network? Shadow IT isn’t a new challenge, but the ability to keep track of unsanctioned IT has become more difficult with the rapid worldwide shift to remote work. Along with that comes the challenge of securing shadow IT.
I was curious: how did the sudden explosion of remote work affect the prevalence and existence of shadow IT? I did some research, and it was eye-opening.
- A ManageEngine study from September 2021 found that the U.S. ranked highest in the world at limiting shadow IT (33%). Also interesting: mobile-specific applications are the category most often purchased without IT approval (37%), followed by online meeting tools (29%) and document sharing applications (26%).
- According to Beezy’s 2021 Digital Workplace Trends & Insights report, 40% of employees are using communication or collaboration tools that aren’t explicitly approved by their company.
- A 2019 Forbes Insights Report found that 60% of organizations don’t include shadow IT in their threat assessment.
- Recent research by Forcepoint found that 56% of employees aged 18 to 30 said they needed shadow IT to get their job done, and 67% of them said shadow IT made their job easier.
- Zylo’s 2020 SaaS Management benchmark report found that the average company had 651 SaaS applications. Here’s a telling quote from the report: “While this number is astounding on its own, what’s alarming is that without a way to discover and identify SaaS applications accurately, most companies underestimate the number of SaaS applications in use in their environments by two to three times.”
With this research clearly indicating that shadow IT is alive and well, what can be done to make sure sensitive data is secure? The most productive method involves implementing a comprehensive approach that focuses on people, process and technology. Let’s dig into those topics a bit more.
Collaboration is key. It may be a difficult transition, but IT must be seen as an enabler of change rather than a blocker. Gartner recently published an article proposing that organizations change their perspective on how technology is sourced, implemented, and used. Gartner recommends that IT organizations empower emerging “business technologists” through the “democratization of digital delivery.”
It’s an interesting idea and will require a cultural shift in many organizations. Considering how and why people use shadow IT makes for a more productive discussion with business technologists and other end users about the security of those tools and the data they access.
Think process: To counterbalance the empowerment of business technologists noted above, IT should provide “security guardrails” through policies that are based on business needs. Policies must be well-documented and based on both compliance standards and strong security fundamentals.
Nowhere is the need for security guardrails more evident than in platforms that let business users build on top of them. If you run Salesforce, ServiceNow, Workday, or similar SaaS platforms with platform-as-a-service (PaaS) capabilities (custom objects, workflows, and third-party integrations), then you need to be implementing policy-as-code: access rules written as reviewable, version-controlled data rather than clicked into an admin console. In an article from Security Magazine, Chris Webber suggests, “Modern policy-as-code authorization controls not only who can do what, but what can do what – ensuring mitigation of both user error and rogue service operations. When expectations are clear, you can build common policy directly into cloud apps and infrastructure, up front, enterprise-wide.”
Security tools like single sign-on (SSO), Cloud Access Security Brokers (CASB), and multi-factor authentication (MFA), together with standards like SAML and OAuth, have substantially improved the security of remote and cloud access. But there’s still a long way to go.
Take OAuth, for example. When a user authorizes a third-party app, the resulting grant (typically backed by a long-lived refresh token) gives that app continued access to the user’s data until the grant is revoked. Access tokens expire, but the app can keep exchanging its refresh token for new ones, so the access outlives the user’s memory of ever approving it. This presents IT security organizations with questions like:
- Who is managing these tokens?
- Where and how has OAuth integration occurred?
- How do you know which tokens need to be revoked and when?
- How can OAuth token management be automated?
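The policy-as-code guardrails above and the OAuth token questions in this list can be answered with the same mechanism: keep the grant inventory as data, write the rules as code, and let the rules decide which grants to revoke. The following is an added example, not code from the original post or from AppOmni. The grant inventory, the policy values (sanctioned apps, allowed scopes, 90-day idle limit, active-user list) and the revocation endpoint are all constructed for illustration; the only standard piece is the shape of the revocation request, which follows RFC 7009 (POST `token` and `token_type_hint` to the authorization server’s revocation endpoint). The request is built but never sent, so the example runs offline.

```python
"""Policy-as-code over an OAuth grant inventory (added example, constructed data)."""
import base64
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlencode


@dataclass(frozen=True)
class Grant:
    user: str            # account that consented to the app
    app: str             # OAuth client name as shown in the SaaS admin console
    scopes: frozenset    # scopes the user consented to
    last_used: datetime  # last time the refresh token was exchanged for an access token
    refresh_token: str   # constructed opaque handle, not a real credential


@dataclass(frozen=True)
class Finding:
    grant: Grant
    reasons: tuple       # every rule the grant violated


# The policy is plain data so it can be versioned and reviewed like code.
# All values are hypothetical.
POLICY = {
    "sanctioned_apps": {"Slack", "Zoom", "DocuSign"},
    "allowed_scopes": {
        "Slack": {"chat:write", "users:read"},
        "Zoom": {"meetings:read"},
        "DocuSign": {"signature:write"},
    },
    "max_idle_days": 90,
    "active_users": {"alice@example.com", "bob@example.com"},
    "revocation_endpoint": "https://idp.example.com/oauth2/revoke",  # assumption
    "client_id": "grant-inventory-bot",                               # assumption
    "client_secret": "not-a-real-secret",                             # assumption
}


# Each rule returns a reason string when the grant violates it, else None.
def unsanctioned_app(g, policy, now):
    return None if g.app in policy["sanctioned_apps"] else f"app '{g.app}' is not sanctioned"


def deprovisioned_user(g, policy, now):
    return None if g.user in policy["active_users"] else f"user '{g.user}' is no longer active"


def idle_grant(g, policy, now):
    idle = (now - g.last_used).days
    return f"unused for {idle} days" if idle > policy["max_idle_days"] else None


def excess_scope(g, policy, now):
    # Only sanctioned apps have an allow-list; unsanctioned ones are caught above.
    allowed = policy["allowed_scopes"].get(g.app)
    if allowed is None:
        return None
    extra = sorted(g.scopes - allowed)
    return f"scopes beyond policy: {extra}" if extra else None


RULES = [unsanctioned_app, deprovisioned_user, idle_grant, excess_scope]


def evaluate_grants(grants, policy, now):
    """Return one Finding per grant that violates at least one rule, in inventory order."""
    findings = []
    for g in grants:
        reasons = []
        for rule in RULES:
            reason = rule(g, policy, now)
            if reason:
                reasons.append(reason)
        if reasons:
            findings.append(Finding(g, tuple(reasons)))
    return findings


def revocation_request(grant, policy):
    """Build (do not send) the RFC 7009 revocation request: returns (url, headers, body).

    Revoking the refresh token ends the app's standing access; outstanding
    access tokens then lapse at their normal expiry.
    """
    creds = f"{policy['client_id']}:{policy['client_secret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": grant.refresh_token, "token_type_hint": "refresh_token"})
    return policy["revocation_endpoint"], headers, body


# Constructed inventory, as an SSPM tool or a SaaS admin API might export it.
NOW = datetime(2022, 3, 1, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Slack", frozenset({"chat:write", "users:read"}),
          datetime(2022, 2, 20, tzinfo=timezone.utc), "rt-0001"),   # compliant
    Grant("bob@example.com", "SuperPDF Converter", frozenset({"files:read_all"}),
          datetime(2022, 2, 25, tzinfo=timezone.utc), "rt-0002"),   # unsanctioned app
    Grant("carol@example.com", "Zoom", frozenset({"meetings:read"}),
          datetime(2021, 11, 1, tzinfo=timezone.utc), "rt-0003"),   # user gone, idle 120 days
    Grant("alice@example.com", "DocuSign", frozenset({"signature:write", "organization:admin"}),
          datetime(2022, 2, 28, tzinfo=timezone.utc), "rt-0004"),   # admin scope not allowed
]

if __name__ == "__main__":
    for f in evaluate_grants(SAMPLE_GRANTS, POLICY, NOW):
        url, _, body = revocation_request(f.grant, POLICY)
        print(f"REVOKE {f.grant.app} for {f.grant.user}: {'; '.join(f.reasons)}")
        print(f"  POST {url}  {body}")
```

Run on the constructed inventory, three of the four grants come back for revocation: the unsanctioned PDF app, the Zoom grant belonging to a departed user that has also sat idle past the 90-day limit, and the DocuSign grant whose `organization:admin` scope exceeds what policy allows for that app. The rule list is the point: adding a new guardrail is a code change with a reviewer, not a setting someone toggled in an admin console, and the same evaluator can run on a schedule to automate the “which tokens, and when” question.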
These questions and many more like them highlight the need for better visibility, control, and monitoring of SaaS, PaaS, and IaaS environments. Gartner listed four “must-have” technologies from its Hype Cycle for Cloud Security, 2021: Secure Access Service Edge (SASE), Security Service Edge (SSE), SaaS Security Posture Management (SSPM), and Cloud-Native Application Protection Platforms (CNAPP). Evaluate your security measures and make sure there’s technology in place to protect your organization’s sensitive data in the cloud.
What’s the takeaway? Shadow IT is here to stay. Better to find a way to handle it than try to eliminate it. With a comprehensive plan and an open mind, we can improve and ultimately overcome the challenge of shadow IT security. Remember to focus on the people, the process, and the technology, along with clear communication, a spirit of collaboration, and a desire to grow and learn from others.
About the Author
David Golding is currently selling SaaS Security Posture Management to Enterprise clients at AppOmni. His experience includes sales and management roles with large enterprises like NTT Security and University of Pittsburgh Medical Center as well as early stage companies like Stargate, H3i, Solutionary and CyLumena. David has been exclusively focused on information security since 2008.