5 steps to detect and control Shadow IT
Employees in every company will naturally use the best tool available to do their job. For knowledge workers, this often means an online SaaS application that the core IT group has not officially sanctioned. The term shadow IT, now more often called business-led IT, describes the purchase of technology that is not officially IT-sanctioned. As the number of SaaS applications has grown, workers have naturally adopted a multitude of online tools, and most shadow technologies today are SaaS applications. Despite the industry’s best efforts, shadow computing has not diminished; it has grown and is poised to legitimize itself as a viable IT strategy that delivers competitive advantages.
The traditional strategy was to shut down shadow IT in all its forms because of the security risks. However, not all shadow IT carries the same risk, and there are documented business benefits to letting employees acquire the technology they consider the best tool for their job. So, rather than shutting down shadow IT, a better strategy for CIOs and CISOs is to put tools in place that provide the proper guardrails to control it, ensuring that employees adopt tools that adhere to corporate security and compliance policies.
Based on the work Grip has done with hundreds of businesses, we’ve found the following five-step framework to be very effective in helping businesses keep shadow IT both secure and functional.
The first step to controlling shadow IT is to identify it and get a full picture of how widespread it is in your organization. Most shadow computing is SaaS, and even hardware technology almost always has a SaaS component running it. Most companies use a CASB for SaaS discovery and security, but we often hear that CASBs are too noisy. They do a great job of collecting the data and identifying who is going to which website, but they are not as good at discovering new SaaS applications in use across the business. The data may be there, but an analyst usually has to do extra work to determine whether an account was actually created, especially when the user signs in with local credentials rather than through an identity provider. It is far better when the correlated data is presented to the analyst so that they only have to act on it and achieve the desired security outcome.
The solution to uncovering shadow IT is to select a tool or method that is automated and fires on the correct trigger, for example an account created with corporate credentials outside the identity provider or other IAM solutions. Leaving all of this information in logs, or having to merge and triangulate data by hand on a regular basis, is a process doomed to fail.
You never know when an employee will acquire a new technology, and the rate will rise and fall. What you can know for sure is that there will be a steady stream of new technologies that your employees pick up and start using. Depending on the number of employees in your business, this can range from a few per week to dozens or even hundreds. Given the volume of shadow IT entering the business, and because the risks vary, prioritization becomes extremely important.
Prioritizing risk mitigation is a crucial step. You can’t always use a hammer to reduce the risk of shadow IT, because not all shadow IT is a nail. The level of risk a technology poses to your business goes beyond whether the vendor holds industry certifications such as SOC 2 or ISO 27001. These certifications are common, and even startups are receiving them now. Rather than focusing on the risk of vendor controls, a better approach is to assess business risk based on factors such as the following:
· Does the employee understand the company’s security and risk policies for purchasing and using technology, software or SaaS?
· Will sensitive, confidential or regulated data be used?
· Who within the line-of-business organization has approved the use of the technology?
· What systems will the technology be integrated into?
· Will there be non-employees using this technology?
· How many other users of the technology are there in the company?
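To make the discovery trigger and the prioritization factors above concrete, here is an added Python example; it is not Grip’s product or code. It assumes a constructed proxy-log format with key=value fields, a constructed list of applications federated through the identity provider, and per-app context (data sensitivity, business approver, integrations, external users) that an analyst supplies by hand; the scoring weights are illustrative. It flags accounts where a corporate address signed up or logged in with local credentials on an application the IdP does not federate, then ranks the applications by the factors listed above.

```python
"""Discover shadow SaaS accounts from proxy logs and rank them for triage.

Added example, not the article author's code. All inputs below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed catalog of apps already federated through the IdP (governed by SSO).
IDP_FEDERATED_APPS = {"salesforce.com", "slack.com"}
CORPORATE_DOMAIN = "example.com"

# Constructed proxy log lines in a hypothetical key=value format.
# auth=local: a username/password form was used; auth=sso: the IdP assertion was used.
PROXY_LOG = """\
ts=2024-05-01T09:01:00Z user=alice@example.com host=notion.so path=/signup auth=local
ts=2024-05-01T09:05:00Z user=bob@example.com host=notion.so path=/login auth=local
ts=2024-05-01T09:07:00Z user=carol@example.com host=salesforce.com path=/login auth=sso
ts=2024-05-01T10:12:00Z user=dave@example.com path=/signup host=airtable.com auth=local
ts=2024-05-01T10:30:00Z user=alice@gmail.com host=trello.com path=/signup auth=local
ts=2024-05-01T11:00:00Z user=erin@example.com host=slack.com path=/login auth=sso
ts=2024-05-01T11:45:00Z user=frank@example.com host=notion.so path=/signup auth=local
"""

# Constructed per-app context an analyst or business owner fills in after discovery.
APP_CONTEXT = {
    "notion.so": {"sensitive_data": True, "approver": None,
                  "integrations": ["google-drive"], "external_users": True},
    "airtable.com": {"sensitive_data": False, "approver": "ops-lead",
                     "integrations": [], "external_users": False},
}

# Illustrative weights for the article's factors (hypothetical values).
WEIGHTS = {"sensitive_data": 3, "no_approver": 2, "integrations": 1,
           "external_users": 2, "per_user": 1}

LINE_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    app: str
    users: set = field(default_factory=set)
    signups: int = 0


def parse_line(line):
    """Fields may appear in any order, so parse the line into a dict."""
    return dict(LINE_RE.findall(line))


def discover(log_text, federated=IDP_FEDERATED_APPS, domain=CORPORATE_DOMAIN):
    """Return {host: Finding} for accounts that use a corporate address, authenticate
    with local credentials, and belong to an app the IdP does not federate."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, host = rec.get("user", ""), rec.get("host", "")
        if not user.lower().endswith("@" + domain):
            continue  # personal address: not a corporate account
        if host in federated or rec.get("auth") != "local":
            continue  # already governed through SSO
        if rec.get("path") not in ("/signup", "/login"):
            continue  # plain browsing is not evidence that an account exists
        f = findings.setdefault(host, Finding(app=host))
        f.users.add(user)
        if rec["path"] == "/signup":
            f.signups += 1
    return findings


def score(finding, ctx):
    """Score one app by the article's factors; unknown context counts as risky."""
    s = 0
    if ctx.get("sensitive_data", True):
        s += WEIGHTS["sensitive_data"]
    if not ctx.get("approver"):          # nobody in the business signed off
        s += WEIGHTS["no_approver"]
    if ctx.get("integrations"):          # wired into other systems
        s += WEIGHTS["integrations"]
    if ctx.get("external_users", True):  # non-employees have access
        s += WEIGHTS["external_users"]
    s += WEIGHTS["per_user"] * len(finding.users)
    return s


def prioritize(findings, context=APP_CONTEXT):
    """Return [(app, score)] with the riskiest app first."""
    ranked = [(app, score(f, context.get(app, {}))) for app, f in findings.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    found = discover(PROXY_LOG)
    for app, s in prioritize(found):
        f = found[app]
        print(f"{app:14} score={s:2} users={len(f.users)} signups={f.signups}")
```

The personal Gmail signup and the two SSO logins drop out, leaving two applications to triage; the ranking then reflects the analyst-supplied context rather than the vendor’s certifications.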
Securing shadow IT is often easier said than done. Hardware is simple, assuming you can locate the physical device at a site or on a network. Software, almost always SaaS, is much more difficult because it can be accessed from the corporate network on a managed device or from anywhere else on an unmanaged device. SaaS security products such as CASBs assume that you control the network, the identity, or the device, but the reality is that you cannot control any of them.
The best way to secure SaaS is to lock the SaaS account itself, whether because you believe it violates company policy or because the employee has left the company. Deprovisioning the account is always the goal, but locking it so that no one has access is the essential first step.
Once the shadow technology is secured, the next step is to orchestrate the securing of this application through other control points. For example, if a SaaS application has been deemed too risky, every user of that application in the enterprise should stop using it. As an additional layer of security, you can block access to the SaaS site at the network level or raise an alert whenever someone creates a new account.
Orchestration also matters when threat intelligence feeds or third-party risk management systems indicate that a SaaS application has been breached or that credentials have turned up on a marketplace. Users whose credentials have been exposed should be required to go through every account they hold and reset its password. While all of this is possible in some form with existing tools, the actual workflows have often never been designed. SaaS security products with out-of-the-box automation go a long way toward helping security teams unify control points, analytics, telemetry, and operations to secure and control shadow SaaS.
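The lock-then-orchestrate workflow described in the last three paragraphs, as an added Python example that is not the article author’s code or product. The account inventory, the event shapes (a policy decision, an offboarded employee, a breached application, a leaked credential) and the action names are constructed for illustration; in a real deployment each action would map onto a call to the SaaS admin API, the web proxy’s block list, or the SIEM’s alert rules.

```python
"""Turn shadow-SaaS events into a de-duplicated plan of control-point actions.

Added example, not the article author's code. Inventory, events and action names
are constructed placeholders for the real admin API, proxy and SIEM calls.
"""
from collections import defaultdict

# Constructed inventory of discovered accounts: (user, app).
INVENTORY = [
    ("alice@example.com", "notion.so"),
    ("alice@example.com", "airtable.com"),
    ("bob@example.com", "notion.so"),
    ("dave@example.com", "airtable.com"),
]


def index(inventory):
    """Build user->apps and app->users maps so both lookups are cheap."""
    by_user, by_app = defaultdict(set), defaultdict(set)
    for user, app in inventory:
        by_user[user].add(app)
        by_app[app].add(user)
    return by_user, by_app


def plan(inventory, event):
    """Return a sorted list of (action, user_or_'*', app) for one event.

    '*' marks an action at a shared control point (proxy or SIEM) rather
    than on an individual account.
    """
    by_user, by_app = index(inventory)
    actions = set()
    kind = event["type"]
    if kind == "policy_violation":
        # App judged too risky: lock every account, then layer network block and alert.
        app = event["app"]
        for user in by_app[app]:
            actions.add(("lock_account", user, app))
        actions.add(("block_url", "*", app))
        actions.add(("alert_on_signup", "*", app))
    elif kind == "offboarded":
        # Employee has left: lock everything they hold before deprovisioning.
        for app in by_user[event["user"]]:
            actions.add(("lock_account", event["user"], app))
    elif kind in ("app_breached", "credential_leak"):
        # Exposed users reset the password on every account they hold, because the
        # same password may have been reused elsewhere.
        affected = by_app[event["app"]] if kind == "app_breached" else {event["user"]}
        for user in affected:
            for app in by_user[user]:
                actions.add(("force_reset", user, app))
        if kind == "app_breached":
            actions.add(("alert_on_signup", "*", event["app"]))
    else:
        raise ValueError(f"unknown event type: {kind}")
    return sorted(actions)


def plan_all(inventory, events):
    """Merge the plans for several events, without repeating an action."""
    merged = set()
    for event in events:
        merged.update(plan(inventory, event))
    return sorted(merged)


if __name__ == "__main__":
    events = [
        {"type": "app_breached", "app": "notion.so"},
        {"type": "offboarded", "user": "dave@example.com"},
    ]
    for action in plan_all(INVENTORY, events):
        print(action)
```

Because the plan is a plain list of tuples, it can be reviewed by an analyst before anything is executed, which is the guardrail the article argues for: the workflow is designed once and then runs the same way for every event.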
No matter how hard you try, shadow SaaS will continue to grow. In many ways this resembles the bring-your-own-device (BYOD) trend that is now the norm in most businesses. As consumer technology became as powerful as enterprise products, workers found it easier and more convenient to use their own devices for work. Eventually, companies gave in and adopted products designed to enable BYOD because the benefits outweighed the costs.
The same thing is happening with shadow IT, and more specifically SaaS. Workers no longer need IT support or permission to purchase the world’s most powerful applications; they need only an email address and a credit card, and often start with free accounts that can be upgraded later. IT and security teams need to recognize the benefits and create a framework that lets employees use the right tool for the job while maintaining governance and control over corporate technologies and data.