It is absolutely critical that an IT department tightly controls what employees are allowed to access from and download onto their company equipment, isn’t it? Everyone knows that allowing staff unfettered access to any website they like and bringing in third-party applications into the network without restriction is a recipe for disaster. Or at least that has been the prevailing thinking in IT security for many years.
But, as more and more people turn to cloud-based applications to optimize their businesses, the concept of shadow IT is becoming an increasingly vital tool within the modern workplace.
Research shows that 77% of surveyed professionals believe their organization could gain an advantage from embracing shadow IT solutions—defined as the practice of using IT services, devices, applications, systems and software without the direct approval of an organization’s IT department. Yet, there remains some hesitancy in fully adopting this approach, and organizations must weigh the benefits and risks before deciding whether shadow IT is to be fully embraced.
The age of unsanctioned solutions
While external systems and applications may not necessarily be flawed or directly present a threat, taking advantage of shadow IT means being comfortable with removing any explicit oversight of what employees are using and accessing. This could create a significant risk to the organization.
Yet, engaging in shadow IT can lead to efficient operations. For example, an employee may discover a better marketing tool to execute a marketing campaign, and if successful, this can spread to other department members and become a significant tool going forwards.
SEE: Shadow IT policy (TechRepublic Premium)
We now live in an age of cloud-based applications and no longer only access systems and applications made available by IT departments responsible for procuring software. As such, professionals must identify solutions that help defend their network if they want to enjoy the benefits of a shadow IT approach. This is where zero trust comes in.
The challenge of zero trust
Since Forrester Research coined the model in 2010, zero trust has proven its ability to provide organizations guidance on continuously managing and mitigating evolving risks to protect their digital assets and outweigh the adverse effects of so-called “bad shadow IT.” Despite this, zero trust presents plenty of risks to an organization, and these can often outweigh the positive outcomes.
When choosing to embrace zero trust, operators must continuously treat everything as an unknown entity to fully ensure trustworthy behavior. On the one hand, it provides an efficient method of stopping or limiting cyber threats compared to the structured and often restrictive ineffective perimeter-based security models.
It also ensures a risk-based approach to implementing cybersecurity into a system or application, giving insight into a corporate network to monitor and grant access to only specified resources. Moreover, the need to access specific resources, whether in the office or at home, has never been greater with an ever-increasing hybrid workforce. Zero trust enables workers to securely access the corporate network from anywhere and everywhere.
However, establishing a network of zero trust presents a series of challenges that must be dealt with for a network to operate securely.
To implement a zero-trust program in the long run, it is demanded that organizations have applications, devices, networks, data assets, access rights, users and other resources in a detailed inventory alongside the organization having financial and non-financial resources for support. In addition, there must be clear communication within the organization between the executives and the cyber team as to why a new security architecture is being introduced.
Consequences of bad shadow IT
Even with the right resources in place to execute a program of zero trust, bad shadow IT can still present serious risks to an organization’s network infrastructure. If external backup and recovery procedures aren’t given as much attention as ones under an IT team’s control, essential data may be lost if there is an incident.
SEE: Mobile device security policy (TechRepublic Premium)
It is up to the employee or department running the resource to take care of this. Without the required backup and recovery strategy, there is an increased chance of data being lost, and in many cases, frequent training may be required.
The IT department also has no control over who is accessing resources with shadow IT. Whether it is specific data that employees shouldn’t be able to access, or ex-employees being able to access a system despite departing an organization, there is no control over who has an account or what these accounts can do, which makes data increasingly challenging to monitor, with little to indicate whether there has been a severe breach.
Embrace shadow IT by adopting a vulnerability management platform
Using a reputable vulnerability management platform is the key to enjoying the benefits of shadow IT without resorting to a zero-trust approach. A platform like this will proactively scan an organization’s network, so if an asset enters, it can discover all systems and applications running, whether they are sanctioned or unsanctioned, and offer up the appropriate steps to deal with the most vulnerable risks in the network. You never know when a vulnerability will occur, so constantly proactively scanning the network allows you to understand and manage assets continuously.
Of course, it’s all well and good, covering technical assets. Still, an organization cannot honestly say that it is effectively managing its risk if it doesn’t factor in human assets. 82% of data breaches come through human error, so to manage asset risks efficiently, the human element needs to be considered when an organization assesses its cybersecurity.
Organizations can embrace shadow IT so long as this is done correctly, rather than adopting restrictive measures like zero trust.
Claus Nielsen, CMO of Holm Security
Headquartered in Stockholm, Sweden, Holm Security was founded in 2015 and offers vulnerability management services. The company is used by over 750 customers within both the public and private sectors.