What is Shadow IT?
Shadow IT is the use of information technology systems, devices, software, applications, and services without explicit IT department approval. Individuals and departments will stand up rogue systems, applications, and infrastructure to meet their objectives. These objectives could be to make their jobs easier, more efficient, or provide services outside of the normal workflow for asset procurement and management by the information technology department.
Shadow IT is not usually implemented with malicious intent. More often, it is a result of employees or departments faced with inefficiencies or roadblocks that impede their productivity or completion of a time-sensitive business mission.
While shadow IT can improve employee, client, and vendor productivity, it can also introduce serious security risks to your organization through data leaks, potential compliance violations, and lack of proper resource management.
Why is shadow IT increasing?
Here are some reasons shadow IT continues to create such a high risk for organizations:
- Cloud adoption – Shadow IT has multiplied in recent years with the adoption of cloud-based applications and services. According to a workplace trends & insights report, in 2021, 97% of the cloud apps in use in the average enterprise were cloud shadow IT. This is largely because the setup, configuration, and usage can bypass internal procedures and controls.
- Remote working – A 2021 HP Wolf Security report revealed that 91% of IT teams have felt pressure to compromise security to enable business continuity within remote and work-from-anywhere conditions. In addition, 80% of IT teams have experienced pushback from users after updating security policies to account for the remote workforce.
- Employee efficiency – One of the biggest reasons employees engage in shadow IT is simply to work more efficiently. Numerous studies have indicated employees feel they need to work around their company's security policies just to get their job done.
- Collaboration – Cloud applications for file sharing, storage, and collaboration can result in sensitive data leaks due to improper data governance.
- Personal email – Many employees send work documents to their personal email to work from home, or work from unsecured home networks, exposing data to networks that can’t be monitored by IT. A Work from Home Office Networks Survey revealed that 91% of devices in remote office networks have one or more services exposed on the internet, and 15% of remote network IP addresses have exposed cable modem control interfaces. In the end, there is no management of the information after it has left the organization’s domain.
- Shadow IoT – Shadow IoT is an extension of shadow IT that occurs when internet of things (IoT) devices or sensors are in active use within an organization without IT’s knowledge. The challenge of shadow IoT isn’t just the number of devices added to the network, but also the capabilities of each device, like cameras, Wi-Fi, and even coffee makers. These devices are also frequently built without enterprise-grade security controls and set up using easy-to-crack default IDs and passwords. When they are added to an organization’s main Wi-Fi network without IT’s knowledge, they create a significant security risk and a conduit for future attacks.
What are the Risks of Shadow IT?
- Introduction of malware – Every instance of shadow IT expands the organization’s attack surface. Since shadow IT devices and applications are not onboarded for protection by the organization’s cybersecurity solutions, and typically have weak credentials, they create an opportunity for malware and ransomware attacks that exploit poor security hygiene.
- Creating backdoors for attackers – Shadow IT and shadow IoT, by definition, exist outside the view of IT security, which means any misconfigurations and vulnerabilities introduced will remain undetected, leaving unmonitored and unprotected pathways for threat actors.
- Increasing service desk tickets/strain – Shadow IT can cause problems on workstations or create system incompatibilities that inevitably add to the IT support team’s backlog when compatibility or performance issues arise.
- Compliance & cyber insurance qualification issues – A breach that occurs as a result of shadow IT can create regulatory compliance issues, noncompliance fines, and penalties. Further, in the event a breach can be traced back to shadow IT, the organization may face grounds for nonpayment on a cyber insurance policy, revocation of that policy, and future cyber insurance ineligibility.
- Unanticipated costs – In addition to the costs of the potential breach, downtime, and unscalability of shadow IT, there may be additional unseen costs. For instance, shadow IT could be purchased and left unused—such as when someone leaves the company—while payments continue to be made from a corporate, or even worse, a personal account.
- Data loss and theft – Personal email and personal storage accounts create places for data and other assets to be stored beyond IT’s reach. Thus, they may not be backed up, and may have no provisions for disaster recovery or even for a ransomware attack. If the employee leaves the company or has their personal accounts breached, that data, and the business processes that depend on it, may be unrecoverable.
The Most Common Types of Shadow IT
The most common forms of shadow IT might surprise readers or spur revelations of incidents present in their own environments. Consider these six shadow IT types that plague the majority of businesses:
1. Shadow IoT devices
Shadow IoT devices include smart connected devices like fitness trackers, wireless thermostats, cameras, wireless printers, smart TVs, and even some medical devices. These are commonly used and overlooked by employees, and their advancing capabilities mean even formerly innocuous items, like coffee machines and fridges, have become potential pathways onto the corporate network for threat actors.
2. SaaS Applications
A cloud-based application implemented outside the normal procurement process. The SaaS app may have local accounts that IT does not manage for access control, multifactor authentication, or monitoring of improper behavior. These applications may also pose a risk based on the vendor’s implementation, the data contained within them, and a lack of scrutiny for security best practices and basic hygiene, like data backups.
3. Virtual Machines
Most organizations have hypervisors on their desktops, servers, and in the cloud. Shadow IT virtual machines are present everywhere for users to test software, demonstrate a solution, operate specific applications, etc. The ability to create and destroy virtual machines with a mouse click represents an unacceptable shadow IT risk when the assets are unmanaged. This can introduce vulnerabilities, default accounts, poor configuration hygiene, etc. All virtual machines used by an organization should be derived from managed templates or snapshots to ensure their creation and runtime are properly managed.
4. Shadow IT Subnets
Businesses add offices, acquire other companies, and expand their networks. Often, this results in routable subnets that are unknown to the business and, ultimately, not managed. Only through discovery and verifying IP addresses (assets) in logs can these shadow IT subnets be identified and put under management.
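The following is an added example of the log-based discovery described above; it is not code from the original post or from any BeyondTrust product. It assumes a hypothetical inventory of IT-managed address ranges and a few constructed firewall log lines, extracts every source address, and groups the addresses that fall outside the managed ranges into candidate /24 subnets so that a defender can see which unknown ranges are actually talking to sanctioned assets and how actively.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical inventory of IT-managed address space (constructed for this example).
MANAGED_SUBNETS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample firewall log lines; not real traffic.
SAMPLE_LOGS = """\
2024-03-01T08:01:12Z fw01 ACCEPT src=10.10.4.25 dst=10.10.1.5 dport=443
2024-03-01T08:01:13Z fw01 ACCEPT src=10.77.3.10 dst=10.10.1.5 dport=445
2024-03-01T08:01:15Z fw01 ACCEPT src=10.77.3.11 dst=10.10.1.5 dport=445
2024-03-01T08:02:02Z fw01 ACCEPT src=10.77.3.10 dst=10.10.2.9 dport=22
2024-03-01T08:02:40Z fw01 DENY src=192.168.50.7 dst=10.10.1.5 dport=3389
2024-03-01T08:03:01Z fw01 ACCEPT src=172.31.9.200 dst=10.10.2.9 dport=8080
2024-03-01T08:03:05Z fw01 ACCEPT src=not-an-ip dst=10.10.2.9 dport=80
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def extract_source_ips(log_text):
    """Yield the src= value of each log line that parses as an IP address.
    Malformed fields are skipped rather than aborting the whole run."""
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            yield ipaddress.ip_address(match.group(1))
        except ValueError:
            continue


def is_managed(ip, managed=MANAGED_SUBNETS):
    """True if the address lies inside any IT-managed range in the inventory."""
    return any(ip in net for net in managed)


def find_shadow_subnets(log_text, managed=MANAGED_SUBNETS, prefix=24):
    """Group unmanaged source addresses into candidate /prefix subnets.

    Returns {"<subnet>": {"hosts": distinct_sources, "events": log_lines}} so an
    analyst can rank unknown ranges by how many devices and how much traffic
    they represent before deciding whether to onboard or decommission them."""
    per_subnet = {}
    for ip in extract_source_ips(log_text):
        if is_managed(ip, managed):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_subnet.setdefault(str(net), Counter())[str(ip)] += 1
    return {
        subnet: {"hosts": len(counts), "events": sum(counts.values())}
        for subnet, counts in sorted(per_subnet.items())
    }


if __name__ == "__main__":
    report = find_shadow_subnets(SAMPLE_LOGS)
    for subnet, stats in report.items():
        print(f"candidate shadow subnet {subnet}: "
              f"{stats['hosts']} host(s), {stats['events']} event(s)")
```

In practice the inventory would come from the IPAM or CMDB and the log text from the firewall, DHCP, or proxy log store; the grouping prefix is a tuning knob, since a rogue office range might be a /22 while a single unmanaged hypervisor shows up as a handful of addresses inside one /24.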
5. Network Hardware
In many organizations, adding a device to the network is as simple as plugging it into a network jack or connecting to Wi-Fi with a username and password. These devices can range from consumer-grade Wi-Fi access points to unmanaged printers, cameras, TVs, etc. Every unmanaged device that is added presents a risk, since no one is monitoring it for vulnerabilities or inappropriate access. Network hardware represents the earliest form of “shadow IT” and can be the Achilles heel for a business, especially when combined with shadow IT subnets, virtualization, and applications.
6. Local Applications
Every business has a few “one-off” applications on servers and end-user workstations. A software inventory via an asset discovery engine can help find these solutions; however, depending on the application, it can represent an unacceptable risk. For example, if a user has installed a software KVM (keyboard, video, mouse) solution to manage multiple assets with a single keyboard and mouse, this can pose a high risk if vulnerabilities are present. A server with an unmanaged vendor monitoring solution that requires a username and password could be a backdoor if the credentials the solution stores for its services are not properly secured. In the end, all applications should be sanctioned and documented by IT, and “one-offs” need to be discovered to prevent application shadow IT.
The Most Dangerous Types of Shadow IT
The most dangerous types of shadow IT are truly based on risk. These are applications that are unmanaged, that may be improperly licensed, and that are not properly monitored. If we break these down by security discipline, these are resources that interfere with:
- Vulnerability Management – Shadow IT that is not assessed for vulnerabilities and prioritized for remediation
- Patch Management – Shadow IT that is not scheduled for remediation via patches or security updates based on vulnerability information, or public disclosure by the vendor
- Configuration Management – Shadow IT that is not properly hardened or configured to prevent inappropriate access to the application
- Identity Management – Shadow IT that contains rogue user accounts not managed by IT. This may include orphaned accounts from former employees, or access for users outside of the scope of the business role
- Privileged Access Management (PAM) – Shadow IT that has unmanaged privileged accounts or does not follow the concept of least privilege
- Log Management – Shadow IT that does not have access, operational, and security logs monitored for inappropriate behavior.
In any organization, any one of these security disciplines can be a problem for sanctioned assets. When shadow IT is present, odds are that multiple disciplines are at issue, amplifying the problem. These become the most dangerous forms of shadow IT because the overall hygiene of the deployment becomes a risk via multiple attack vectors, and not just one discipline for a solution owner to resolve.
How PAM illuminates shadow IT and mitigates the risk
A properly implemented PAM solution can help you mitigate shadow IT risk to your organization by:
1. Providing visibility into the network:
You can’t protect what you don’t know about. Knowing which devices have access to your network, and which users have access to privileged credentials is an important first step to defending your organization against shadow IT threats. Organizations can leverage PAM discovery tools to detect the devices, applications, subnets, and user credentials that are accessing the network. Once the assets are detected, PAM tools can also help with onboarding, management of privileges, monitoring, and auditing.
2. Enabling and enforcing Least Privilege:
PAM allows organizations to stop malware and ransomware attacks by enforcing the principle of least privilege. PAM solutions can granularly control applications on Windows, Mac, Unix, Linux, and network devices—all without hindering end-user productivity. In fact, in addition to managing endpoint privileges, some PAM solutions include advanced application control capabilities that go beyond allow listing and deny listing, such as controlling what an allowed application may do once it runs.
Some PAM solutions also provide Active Directory (AD) bridging technology. This technology bridges the gap between Windows and Unix/Linux operating systems by extending AD’s Kerberos authentication and single sign-on (SSO) to them, simplifying and streamlining identity management. Removing unnecessary privileged access helps prevent an incident in a shadow IT deployment from impacting sanctioned production assets.
3. Securing Remote Access for Service Desks and Vendors:
Traditional remote access methods, such as RDP, VPN, and legacy remote desktop tools, lack granular access management controls. These services are easily abused through stolen credentials and session hijacking. PAM solutions can provide secure, VPN-less remote privileged access for vendors, internal employees, service desks, and infrastructure. PAM enables organizations to apply least privilege and audit controls over remote access. This can reduce the risk of unauthorized remote access being introduced via shadow IT and of potentially risky SaaS applications connecting into your environment.
In summary, PAM solutions not only discover, onboard, actively manage, and audit shadow IT, the solutions also limit the potential damage caused by shadow IT by restricting lateral movement and enforcing least privilege controls.
Other tips on addressing shadow IT
For any business, the following IT policies can help address shadow IT:
1. Establish a proper management policy
Create and enforce a policy that all operations can follow when it comes to managing shadow IT, regardless of whether the employee is on premise, remote, or working in a hybrid environment.
2. Acknowledge shadow IT is present
Plan for the presence of shadow IT and provide a grace period for the deployments to be placed under IT management, with no repercussions. Potentially, some great IT and security solutions may be in the field that can contribute positively to the organization, if properly empowered.
3. Support an open-door IT policy
Be open to new projects, ideas, and advice, and help provide prompt guidance for design and deployment of new projects. IT departments should adopt policies of, "Yes I can help you," versus resistance to change. Shadow IT tends to occur as a response to the roadblocks with traditional IT. If the barriers are removed, staff in other departments can become valuable allies. When departments understand and embrace IT policies that provide enablement, shadow IT environments tend to dry up and new ones do not form.
4. Adopt a policy for identifying shadow IT implementations
Use discovery techniques to detect shadow IT and classify its risk to the business. For example, do the systems contain PII (Personally Identifiable Information), rogue users, or vulnerabilities that are not being mitigated? If they contain sensitive information, business leaders can be presented with reasonable options: let IT manage the assets, or have the systems decommissioned.
5. Balance security with the requests
This is very important. Just because something sounds like a great idea and may be easy to implement, it may not be in the best interests of the company. The balance is agreeing on the need, improving the business, and adopting a secure model to make it work. This requires a little give and take from both sides, but it results in a supportable and secure solution that can meet the objectives of all teams.
Moving forward securely with shadow IT
Understanding what shadow IT exists and the risks it represents is key to acknowledging and managing the issue. Shadow IT, and the rogue employees who create it, will almost always exist. Denying their existence will ultimately only hurt the business. It is important to understand why shadow IT exists, what its purpose is, and how to make it supportable by the business. The response of “shut it down” rarely has positive results. Assume positive intent and strive to fix the problem together.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.