To keep your networks secure, you need to know about everything that’s on them. The two leading items on the Center for Internet Security’s list of basic controls are keeping an inventory and control of hardware and software assets. You can’t secure what you don’t know is there.
Sometimes people add their own software without getting authorization or letting the IT managers know. This is called “shadow IT.” It isn’t as sinister as the name sounds. Usually, it’s people trying to do their jobs in what they think is a responsible way. There’s some task which they need to accomplish, and there isn’t already a tool available for it, or they don’t know there is.
They aren’t trying to create risks, but the simple fact that their software isn’t in the inventory raises concerns. It might not meet security and compliance requirements, and they probably won’t rigorously install all the patches that come out. Confidential information is insufficiently protected when it’s transferred to cloud services of unknown quality.
People don’t even have to install software to engage in shadow IT. All it takes is a browser that connects to a service. People who go that way often don’t think of it as something requiring approval. IT can configure computers so that users can’t install their own applications, but it can’t easily stop them from running cloud services from a browser.
Most managers seriously underestimate the amount of shadow IT that goes on in their networks. A data breach or regulatory violation could blindside them with serious consequences.
Knowing what applications are running on the network is central. Software packages such as Microsoft 365 Cloud App Security are designed to achieve this. It lets managers discover all cloud use, authorized and unauthorized. They can identify activity which isn’t on the approved list and get a risk assessment on each case. Cloud App Security has information on over 16,000 applications, ranking them against industry standards. If it’s a known application with a good reputation, there may not be any need for further action beyond documenting its use.
If there’s no good information about a service which people are using, or if it’s one which has known problems, it’s time to look more closely. In some cases, the tools will disclose which users are running the application. The next step is simply to talk to them and find out why. They may not even be aware that they’re doing anything out of the ordinary. They may not know that there’s an authorized alternative. Or perhaps what they’re using really is the best solution, but it needs to be brought under the IT umbrella so it gets proper maintenance and monitoring.
Sometimes old applications were installed before there were systematic policies. They’re still in use, running in the background, and no one is aware of them. Detecting them provides a chance to get rid of them and eliminate possible risks.
Locating Sensitive Information
Most businesses consider it legitimate to store some sensitive information on cloud services, but only if it meets strict requirements. The business must already be familiar with these cloud services. They need to follow a high-security standard, both in storing information and in transferring it. Only authorized parties can have access. Cloud App Security analyzes log files from proxies and firewalls to provide insights into where information is going. It gives the IP addresses of destinations and shows where they are in the world.
Most traffic should be going to known services. After eliminating them, there could be other destinations that need a closer look. They might indicate the use of an unauthorized service or even a data breach. If the destination is in another country, it might violate regulations and policies even if its purpose is legitimate.
A common mistake is storing information on consumer-grade services such as Google Docs and Dropbox. They provide some security but aren’t adequate for sensitive personal information such as Social Security and credit card numbers. It’s vital to discover and eliminate any uses of these services where real security is needed.
Establishing Policies and Priorities
Mitigating the risk of shadow IT requires adopting consistent policies and prioritizing concerns. So the more sensitive a set of data is, the more closely you need to watch it. Using a cloud service to share information which is already public is rarely a problem. Using it to hold personal medical or financial data requires close attention.
The absence of information is a warning sign. A known application with identified users is at least well behaved, and some additional checking can confirm whether it’s being used safely. If log entries don’t correspond to any identified service, or if its records are inadequate, it may not be a trustworthy application.
It makes a big difference what kind of client is accessing a service. Consumer-grade services aren’t untrustworthy as such, but their use should be limited to cases that aren’t sensitive. Banning their use across the board may not be feasible, but any access to them from sensitive parts of the network should raise alarms. For example, backing up user data to a weakly-secured offsite service may not be a major problem, but backing up a critical database to the same place is a serious issue.
Shadow IT happens. The important thing is to discover the risky uses of it and find better alternatives. Knowing how to find shadow IT is key. Being so strict about it that people resort to secrecy will only make matters worse. So, create channels where users can report what software and services they’re using or would like to use, and provide them with feedback. Just knowing that they can do that will encourage them to think more carefully about their choices.
Agile IT offers workshops to help identify cybersecurity threats, including shadow IT and vulnerability to rapid cyber attacks. The Shadow IT Assessment workshop will help you identify security objectives, define requirements, use Cloud App Security effectively, and create a roadmap for application visibility and control. With the training it provides, you will be better able to help users to accomplish what they need to do while letting you manage and minimize the security risks. Contact us to schedule a free consultation.