Sunday, 18 September 2022

The problem with shadow IT

Shadow IT has been a problem for many years. Simply put, it’s where users find applications that work for them, and they use those applications without informing the IT team. Why is that a problem? The answer is that IT has the experience and it’s an important part of IT’s job function to check the security of every IT device, database, and application. The attack surface available to hackers is big enough as it is without additional surfaces becoming available that are unknown to the IT team.

The problem in many organizations is the frequency that the IT team says the word ‘no’. The second problem is silos – people working in disconnected teams. And, sometimes, members of those non-IT teams don’t understand the importance of security and compliance, and go ahead with their own ideas. For them, the important thing is to get their work done quickly and easily. If the IT team won’t help them do that, or can’t seem to do it quickly enough, those workers will implement their own IT strategy – whatever that might be.

I can remember, many years ago, one member of staff had his email auto-forwarding to his Gmail account. That way, he decided, he could check his email in the evening and when he was out on the road. A simple solution – and before the days of Microsoft 365, and everyone working from home (or anywhere else). What he didn’t realize was that quite a few of his emails were company confidential and the security on his Gmail account wasn’t as good as his work security.

Nowadays, with so much of mainframe working being from the cloud, members of staff can use other cloud-based SaaS (Software-as-a-Service) applications on their laptops at home in order to produce the end results that they need. Again, the IT team has no idea what those non-standard applications are and what sort of security exposure comes with those convenient apps.

Other examples of shadow IT include teams within an organization buying and installing software that they think will make their working life easier. In addition, employees may decide to make unauthorized changes to their laptops, workstations, servers, or cloud instances. These endpoints are often targeted by hackers.

SaaS applications aren’t the only shadow IT issue faced by the IT team. There is also an issue with smart Internet of Things (IoT) devices. These might be Bluetooth speakers, coloured light bulbs, or even coffee makers, and these can all be connected to the corporate network. Why are they a problem? They’re a problem because they could be exposing information. Because the security on IoT devices is quite often very basic, it makes them a prime target for hackers to access, and from there, these bad actors can access the corporate network and everything on it. Hackers often corrupt backups to prevent recovery, encrypt vital data, and send ransom messages to every corporate screen and printer they can access.

These IoT devices may also be connected to the cloud. The issue facing IT security staff is whether the data sent over the Internet from IoT devices is encrypted or not. Obviously, if not, then it could be read by hackers, and the device could be controlled from the cloud. The hackers would be able to see, and use, single sign-on tokens, session tokens, and authentication tokens.

Another related issue that companies are starting to face is shadow data. As organizations start to migrate some applications and some data from their mainframes to the cloud, there are a number of lift-and-shift projects going on. In fact, some proof-of-concept test migrations may have taken place two or more years ago. Certainly, many will be happening nowadays. The issue that organizations face is that quite often there are zombie databases and zombie data sitting in the cloud. This is data that was originally migrated, tested, and left, while the main migration took place, and the new live database or files were installed and went active. Because everyone is busy, and because there was more work to be done, the final tidying up and deletion of these shadow (or zombie) databases never took place.

That test database won’t have the standard security policies associated with it, which makes it an easier target for hackers. And that database may well have personally identifiable data in it such as names, addresses, credit card numbers, etc.

What can IT teams do about it? Firstly, in the same way that all staff should be doing security training to recognize spam emails etc, they should also be educated in the importance of using only secure applications for their work.

Secondly, IT needs to break down the barriers between different silos within the organization. Different departments or teams need to feel that IT is there to help them. There is a very good reason why IT often has to say ‘no’ to people’s ideas. People need to recognize the implications of them using shadow IT and the risk to corporate security that goes with it.

Thirdly, IT needs to work with these departments to see how secure IT can be used to speed up or shorten workflows to make the end users’ lives easier. This is an important two-way conversation so that IT understands what employees need, and employees understand the security implications of what they do. Members of staff also need to get IoT devices checked by IT before they are installed.

Fourthly, IT should ensure security policies are being applied to all data in the cloud – making even forgotten about databases secure from hackers.

Fifthly, management needs to recognize the importance of IT and ensure there are enough personnel available for IT to support the other members of staff.

Lastly, if they haven’t already, IT should migrate the company to a zero-trust way of working.

No comments: