Securing Shadow IT Takes an Interconnected Approach

Allen Bernard, freelance writer
Photo by Robert Linder on Unsplash
 

The need to secure shadow IT is nothing new. In the wake of COVID-19, however, figuring out how to rein in the rampant use of cloud-based tools, services, and software poses greater challenges and more risks than ever.

According to McKinsey's recent American Opportunities Survey, 58% of U.S. workers have the option to work from home at least one day a week, while 35% can work from home full time if they want to. That’s roughly 91 million people. And it's not just office workers. Today, even blue-collar jobs such as food preparation and transportation are partly carried out from a home base, according to McKinsey.

Prior to COVID-19, Gartner estimated that between 40% and 50% of employees were using some sort of personally sourced collaboration tools to get their work done. Cloud offerings have since expanded rapidly, mirroring every level of an organization's technology stack, and the problem of shadow IT has only gotten worse since the pandemic began.

No Walls High Enough

There is no single cybersecurity technology that will effectively mitigate all types of risk. Attack vectors today are too numerous and widespread. Mobile and IoT devices have rendered the network edge almost non-existent. Insecure APIs connect all manner of cloud, partner, and on-premises applications to each other regardless of risk. Data (the crown jewels of every organization) flows continuously between applications, devices, and people with ease and, too often, with little thought for security.

As agile methodology and automated continuous integration and continuous delivery (CI/CD) pipelines are increasingly implemented and expanded, developer environments and IT administrators are more actively targeted by hackers than ever, said Bob Almond, founder and COO of Full Armor Group, a boutique software-development company that builds white-label products for cybersecurity vendors.

"One of the products that we recently released . . . was born out of the fact that our VP of engineering and chief architect needed to spin up . . . a test environment to play with," said Almond. "In less than 10 minutes, he was getting bombarded and hit with scanning utilities."

In such a hostile environment, where phishing attempts and network scanning are continuous, what's required is a multilayered defense strategy, said Brian Shea, CIO of MedOne. Tools need to augment robust network, device, and application-level defenses with automated and AI-enhanced inside-the-firewall technologies. These may include (but are not limited to):

  • Data loss prevention (DLP)
  • Intrusion detection and prevention (IDP)
  • Device-level antivirus software
  • User and entity behavioral analytics (UEBA)
  • Network monitoring and anomaly detection
  • Email monitoring
  • Endpoint privilege management (EPM)
  • Mobile device management
  • IT asset management and discovery tools

"There's a lot of different layers to this," said Shea. "I always try to break things down by people, process, and technology, and attack each of those different levels."

Bringing It All Together with Zero Trust

One approach today that gets a lot of attention but is often misunderstood is zero trust, said Lars Rossen, CTO of Micro Focus.

"At one end of the scale, zero trust is what it says: that you cannot trust any system to be not hacked. And so you need to protect yourself from every system," said Rossen. "Once you take that approach, then it actually doesn't matter whether the system is inside or outside the firewall—because you distrust it anyway."

But zero trust is not a technology. It is made up of a group of technologies designed to authenticate users, devices, and applications. Identity and access management (IAM) technologies that rely on multi-factor authentication are a widely used part of this approach.

But zero trust also means that you cannot trust users even after they’ve been granted network access. A zero-trust approach may, for instance, use an EPM solution to limit users, devices, and applications to only the applications and data they need to perform their jobs or functions. It may use UEBA to flag suspicious activity based on user behavior. And it may deploy network monitoring to identify anomalous traffic.

IT asset management and discovery tools can also be used to help get shadow IT under control while enhancing the overall security of the network, said Almond. If you don't know whether a device, a piece of software, or a SaaS provider is accessing your network, you cannot manage, control, or hope to secure it.

Of course, to function properly, all of these tools (and many more not listed) need to be managed and orchestrated, such as with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) products. Fortunately, for organizations with limited resources to field all of these tools in-house, network and device security can be outsourced to managed security service providers (MSSPs).

Security Trumps Privacy

To be completely aware of what is going on inside your network requires insights into what every user is doing at all times on the network, said Almond. All of your cybersecurity tools need to work in concert to provide a detailed image of every user's actions at all times. This likely requires the addition of AI-based tools that can spot anomalous behavior as it is happening.

“I'm talking about the intersection of a bunch of different technologies, like SIEM products and alerting products, that . . . track everything a user does from the moment they click on the mouse . . . and log in," said Almond.

Using AI and machine-learning algorithms, these tools converge to form an understanding of (1) who the user is; (2) what the user's rights, responsibilities, and restrictions are; and (3) how, when, and where the user typically performs their work.

The Off-Network Threat

As effective as these tools can be, the one thing they cannot prevent is off-network activity. If a high-privilege user who regularly accesses sensitive data decides to sign up for their own Gmail, Dropbox, and Zoom accounts and use these to conduct business, there isn't much that network-centric technologies can do about it, said Rossen. And the problem is an old one, predating not only COVID-19 but also the World Wide Web.

"When you only had physical disk space, you would print out the documents that were confidential and bring them home," said Rossen. "People did that all the time . . . and then they forgot about them."

Today, DLP tools may spot files being moved off the network by a high-privilege user. But, unless the destination is blocked by the firewall or some other technology, all the security tools in the world would do little more than log the event.
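The two ideas above, a UEBA-style picture of how, when, and where a user normally works, and a DLP log entry for a file leaving the network, can be combined into a single check. The script below is an added illustration (not any vendor's product or tooling described in this article): it parses constructed proxy log lines, flags uploads to hosts outside an assumed sanctioned-SaaS list, and uses a leave-one-out hour-of-day baseline per user so that an out-of-hours transfer to an unsanctioned service is reported as both a policy and a behavioural finding rather than merely logged.

```python
"""Shadow-IT discovery plus UEBA-style hour-of-day baselining over proxy logs.
Illustrative example added to this article, not any vendor's product."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed sanctioned-SaaS allowlist; a real one comes from the IT asset inventory.
SANCTIONED = {"sharepoint.corp.example", "mail.corp.example"}

# Constructed log lines: timestamp, user, destination host, HTTP method, bytes sent.
PROXY_LOG = """\
2023-03-01T09:12:44 alice sharepoint.corp.example PUT 204800
2023-03-01T10:05:10 alice sharepoint.corp.example PUT 51200
2023-03-01T11:40:02 alice mail.corp.example POST 4096
2023-03-01T13:15:40 alice news.example.org GET 0
2023-03-01T14:22:19 alice sharepoint.corp.example PUT 102400
2023-03-01T15:01:33 alice mail.corp.example POST 8192
2023-03-01T23:48:57 alice dropbox.com PUT 52428800
2023-03-01T09:30:11 bob mail.corp.example POST 2048
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, user, host, method, sent = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "host": host, "method": method, "sent": int(sent)})
    return rows

def flag_uploads(rows, z_threshold=2.0, min_history=3):
    """Return (user, host, reason) findings for policy and behavioural anomalies."""
    per_user = defaultdict(list)
    for r in rows:
        if r["method"] in ("PUT", "POST"):   # only outbound data matters here
            per_user[r["user"]].append(r)
    findings = []
    for user, events in per_user.items():
        for ev in events:
            if ev["host"] not in SANCTIONED:
                findings.append((user, ev["host"], "unsanctioned_destination"))
            # Leave-one-out baseline so the event under test cannot shape its own norm.
            history = [e["ts"].hour + e["ts"].minute / 60 for e in events if e is not ev]
            if len(history) < min_history or pstdev(history) == 0:
                continue
            hour = ev["ts"].hour + ev["ts"].minute / 60
            if abs(hour - mean(history)) / pstdev(history) > z_threshold:
                findings.append((user, ev["host"], "unusual_hour"))
    return findings
```

Bob's single upload is below `min_history`, so no baseline is formed for him; a user is only judged against a norm once enough of their own history exists.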

"With shadow IT, there's nothing that prevents me, especially for the freeware apps, [from] just sign[ing] up," said Shea. "Those apps are easily hidden because they don't come back into any kind of budget that might be picked up on in someone's cost center."

This is where zero trust can help, said Rossen. Because zero trust is more focused on authenticating users instead of preventing them from breaching a predefined perimeter of some sort, it doesn't really matter where the users are or what devices they use to access the corporate network. As a bonus, zero trust can eliminate the need for VPNs, because zero-trust applications are typically cloud-based.

As a result, zero trust can enhance cybersecurity while letting employees get their work done wherever and however they prefer—without working around corporate security policies and IT. But this all comes with a caveat: the onus is still on IT to give employees tools that they want to use.

“You can go into lockdown mode, but that is not healthy for the company because you cannot stay competitive if you're locked down,” said Rossen. “So you need to have an organization that can adapt to shadow IT.”
