The challenges and opportunities of shadow IT


The shadow IT genie is out of the bottle and offers benefits and threats. Learn some tips from the experts on how to effectively harness shadow IT in your company.


Shadow IT is a concept in which users deploy or provision their own technological solutions to get work done. Properly implemented and monitored, it can provide benefits to both IT departments and end-users, particularly in these unprecedented times with so many employees working remotely due to COVID-19. However, it also entails some significant responsibilities on the part of all parties involved to ensure company operations, data, and personnel are sufficiently protected.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

I discussed the topic with several industry experts: Ofri Ziv, VP of Research at security organization Guardicore; Shai Toren, CEO at vulnerability remediation provider JetPatch; Yaniv Avidan, CEO and co-founder at data security provider MinerEye; Shai Morag, CEO and co-founder at cloud security provider Ermetic; Scott Brittain, CTO at software reviewer TrustRadius; Avishai Wool, co-founder and CTO at firewall management vendor AlgoSec; Sebastian Goodwin, vice president of Cybersecurity at cloud vendor Nutanix; and Avihai Ben-Yossef, co-founder and CTO of Cymulate, a security simulation provider.

Scott Matteson: What are the issues involving shadow IT, from a management, security, or risk perspective?

Ofri Ziv: The biggest issue for organizations is that there is no control over the data used by Shadow IT and where it’s stored. Shadow IT spreads data across dozens of cloud services and applications, making it very hard to identify and control sensitive data.


Additionally, Shadow IT can often go against an organization’s compliance requirements. The nature of Shadow IT is that it’s not managed by the IT team, so there is little visibility into the compliance ramifications of certain applications and the data being used.


With these complications comes the inability to enforce strong security policy on Shadow IT being used. For example, is two-factor authentication available and being used? This could lead to data being exposed either by external threat actors or by an insider.

SEE: Shadow IT: It’s a bigger threat than you think (TechRepublic)

Shai Toren: The main concern with shadow IT is the lack of cyber hygiene on those machines. Usually, these types of endpoints are supposed to be temporary systems for the purpose of a particular project, a testing activity or any other limited-time assignment. As a result, the focus is on ensuring fast and efficient delivery while long-term security often comes secondary. Those systems are often considered “off grid,” and therefore tight security protocols are not always enforced.

Shai Morag: The risk of shadow IT has increased substantially with employees working from home on insecure networks. They are also using personal, unmanaged devices, which makes shadow IT harder to detect and block. Now more than ever, it’s important for SaaS providers to ensure that their applications meet the highest levels of security by using automated tools to protect the data that they store.

Scott Brittain: Most importantly, shadow IT creates new holes in your enterprise that need to be policed from a data, privacy, GDPR, and CCPA point of view. Every time an employee stands up a new system, you create the risk of leakage or unconstrained behaviors outside of supervision.

Avishai Wool: One of the main drivers that causes users to resort to shadow IT is when the traditional IT processes are too slow. If it takes weeks to provision a few servers and allow connectivity between them, developers building a new application may prefer to use the resources of a cloud provider. This creates security challenges when it’s time to deploy the new applications into a production environment because bypassing IT processes also bypasses security review processes.

SEE: Shadow IT policy (TechRepublic Premium)

Sebastian Goodwin: Shadow IT comes in many forms. In some organizations, the main concern is people using unsanctioned software as a service (SaaS) applications while in other organizations the use of infrastructure as a service (IaaS) services like Amazon Web Services (AWS) might be the primary concern related to shadow IT. In many cases, there are signals available to alert IT that people are using these services. Those signals can be extracted from tools like corporate firewalls, proxy servers, or endpoint agents that provide reporting on the URLs people connect to and the software they install. In fact, the firewalls we use at Nutanix offer a handy “SaaS Application Usage Report,” which automatically generates a PDF document detailing our usage. Many organizations are deploying cloud access gateways—essentially cloud-based proxy servers that are managed by a service provider—to gain visibility and control that works even when employees are working remotely.

Once we have those signals, it’s important to act on them. Action can range from strict blocking of unsanctioned applications to less heavy-handed informational guidance to employees. For example: When IT receives information that someone is using AWS, they might have an automated playbook that sends a Slack message to the person along the lines of “We noticed you’re using AWS. Here’s some information to help you bring your AWS account in line with our organizational security requirements.” 
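The signal-to-playbook flow Goodwin describes (proxy or firewall reporting on the hosts people connect to, followed by a tiered response ranging from a friendly notification to a block) can be sketched in a few lines. The following is an added example, not code from the interview or from Nutanix; the proxy log format, the service catalogue, the sanctioned-domain list and the escalation threshold are all constructed assumptions, and the "Slack message" is returned as text rather than sent anywhere:

```python
"""Triage proxy log lines for shadow-IT usage and choose a playbook action.

Added example. Log format, catalogue and thresholds are assumptions, not a
real product's schema.
"""
import re
from dataclasses import dataclass, field

# Constructed sample proxy log. Assumed format: timestamp user verdict dest_host bytes_out
SAMPLE_PROXY_LOG = """\
2020-06-01T09:12:03Z alice ALLOWED console.aws.amazon.com 5120
2020-06-01T09:15:41Z alice ALLOWED s3.amazonaws.com 18874368
2020-06-01T09:20:17Z bob ALLOWED tasks.sanctioned-pm.example 2048
2020-06-01T09:22:55Z carol ALLOWED www.dropbox.com 734003200
2020-06-01T09:30:00Z dave BLOCKED pastebin.com 4096
2020-06-01T09:31:12Z carol ALLOWED www.dropbox.com 1048576
"""

# Hypothetical catalogue: domain suffix -> (service name, default action).
# "notify" sends guidance to the user; "block" is for services policy forbids outright.
SERVICE_CATALOGUE = {
    "amazonaws.com": ("AWS", "notify"),
    "aws.amazon.com": ("AWS", "notify"),
    "dropbox.com": ("Dropbox", "notify"),
    "pastebin.com": ("Pastebin", "block"),
}

# Sanctioned tools never produce a finding (constructed domain).
SANCTIONED_SUFFIXES = ("sanctioned-pm.example",)

# Outbound volume to a "notify" service at or above this is handed to a human reviewer.
ESCALATION_BYTES = 100 * 1024 * 1024

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOWED|BLOCKED) (\S+) (\d+)$")


@dataclass
class Finding:
    user: str
    service: str
    action: str
    bytes_out: int = 0
    hosts: set = field(default_factory=set)


def _matches(host, suffixes):
    """Exact or subdomain match so 'evil-dropbox.com' does not match 'dropbox.com'."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_proxy_line(line):
    """Return a dict for a well-formed line, or None so junk lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, verdict, host, nbytes = m.groups()
    return {"ts": ts, "user": user, "verdict": verdict, "host": host.lower(), "bytes": int(nbytes)}


def classify_host(host):
    """Return (service, default action) for a catalogued host, else None."""
    if _matches(host, SANCTIONED_SUFFIXES):
        return None
    for suffix, (service, action) in SERVICE_CATALOGUE.items():
        if _matches(host, (suffix,)):
            return service, action
    return None


def triage(log_text):
    """Aggregate per (user, service), count only bytes the proxy actually let through,
    and escalate heavy uploads to a notify-tier service."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        hit = classify_host(rec["host"])
        if hit is None:
            continue
        service, action = hit
        f = findings.setdefault((rec["user"], service), Finding(rec["user"], service, action))
        f.hosts.add(rec["host"])
        if rec["verdict"] == "ALLOWED":
            f.bytes_out += rec["bytes"]
    for f in findings.values():
        if f.action == "notify" and f.bytes_out >= ESCALATION_BYTES:
            f.action = "escalate"
    return sorted(findings.values(), key=lambda f: (f.user, f.service))


def playbook_message(finding):
    """Text a chat bot would send; wording for 'notify' follows the interview's example."""
    if finding.action == "notify":
        return (f"We noticed you're using {finding.service}. Here's some information to help you "
                f"bring your {finding.service} account in line with our security requirements.")
    if finding.action == "escalate":
        mib = finding.bytes_out // (1024 * 1024)
        return f"Security review: {finding.user} sent about {mib} MiB to {finding.service}."
    return f"Access to {finding.service} is blocked by policy; IT can suggest a sanctioned alternative."


if __name__ == "__main__":
    for f in triage(SAMPLE_PROXY_LOG):
        print(f"{f.user:6} {f.service:8} {f.action:8} {playbook_message(f)}")
```

The point of the tiering is that the same signal drives different responses: AWS usage gets the informational nudge, a large upload to an unsanctioned file-sharing service goes to a person, and a forbidden service is confirmed blocked. Blocked requests still count as a finding (the attempt is worth knowing about) but contribute no bytes to the escalation total.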

Avihai Ben-Yossef: According to data recently published by Microsoft, the average enterprise is using more than 1,500 different cloud apps, with employees uploading work-related information to web-based platforms that have often not been verified by their IT security teams, which makes this phenomenon a classic case of shadow IT. Today, with most of the population becoming accustomed to working from home during the pandemic, BYOD has found an additional boost.

As a result, corporate data is no longer confined to corporate networks and devices, and we’re not only talking about a company’s own confidential information but also personal identifiable information (PII) associated with customers and other audience members. A great example that I’m sure happens quite a bit is a shared spreadsheet listing all of the people who registered for a webinar. This type of shadow IT vulnerability has already received attention from regulatory bodies, and I predict that regulations will get more strict in this regard.

Scott Matteson: How does this tie in with self-service SaaS adoption, the work-from-home trend and BYOD?

Ofri Ziv: In these crazy days, lots of companies drifted into the WFH and BYOD trends with no heads-up. Such a drastic shift in a company’s culture in general and in its IT habits in particular will certainly boost security issues, and Shadow IT is definitely one of them.

People and companies are looking for alternate solutions (sometimes with no proper planning), which might lead to a small chaos that can also be named shadow IT. Their intentions are good, they want to deliver results, and do it in an efficient and fast way using different services available to them (hence, the variety of self-service SaaS solutions).

SEE: Bring Your Own Device (BYOD) Policy (TechRepublic Premium)

By definition these new trends expose an organization’s data and services to new machines and challenge the organization’s existing security policies and its security posture: The organization perimeter changed dramatically (dozens of new devices connect to the network over VPN from hundreds of unsecured and unsupervised networks), and some services and resources are not accessible from remote, etc.

Shai Toren: As more organizations adopt practices like self-service SaaS and BYOD, the need for greater visibility into their overarching corporate network of devices becomes even greater. Many organizations faced this crunch when moving their workforce remote only a few months ago as a response to COVID-19. Typically, the larger and more widespread an ecosystem of devices is, the more difficult it becomes for IT teams to maintain visibility and consequently cyber hygiene of those devices. We can expect many of the challenges around Shadow IT to only grow in the next few years as more enterprises adopt practices like BYOD, or even on an operational level, more flexible remote work policies. Consequently, enterprises will put a greater focus on automation to better identify and secure devices across their widened infrastructure.

Yaniv Avidan: SaaS tools bring immediate dangers of freely shared file data that is not classified or labeled. Or to say this in a more technical manner, there is zero data governance in collaborative hybrid work environments over shared files. DLP tools fail to bring effective results in shared environments. For effective data protection, organizations must have virtual file labeling that offers an automated process in which all the relevant security, privacy, and operational policies are considered, and continually fine-tuned. Only then can CISOs remain confident that their file data is protected in all shared work environments.

Avihai Ben-Yossef: Solutions do exist to discover and control both BYOD and SaaS usage. Microsoft recently announced some new capabilities, enabling enforcement when teams are working from home. Of course, it’s all a question of cost vs. risk, but I believe that regulators will help by putting a heavy price tag on the risk.

Scott Matteson: How can automation help address these issues or improve the process?

Ofri Ziv: Automation is an effective way to enforce policy. It minimizes the chances for misconfigurations and if done properly maximizes the security and efficiency of the “automated process” (as it should be designed, implemented, and delivered by professionals).


However, automation can’t solve everything, as there are so many SaaS services each of us consumes these days, and there’s no chance automation can be applied to every one of them.

SEE: Robotic process automation: A cheat sheet (free PDF) (TechRepublic)


Shai Toren: Automation takes away the need to manually chase the owners of those shadow systems. Since IT is not always aware of these systems’ existence, connecting to a central automation process ensures that even if these systems are not officially authorized, they are not an immediate security vulnerability, and automation ensures they adhere to the basic security protocols enforced by the organization.

Scott Brittain: One of the key automation areas is being able to quickly provision a new app with accepted corporate standards. Once shadow IT brings a new app inside your walls, you want a one-click way to create credentials, profiles, and permissions within that app that enable centralized control.

Avishai Wool: To rein in shadow IT usage, IT teams need two things: Automation and visibility. If IT processes are automated, and it takes hours rather than weeks to provision servers and connectivity, developers are less likely to rely on shadow IT. And if shadow IT projects already exist, then visibility is key: If the IT and security teams have visibility into the cloud-native security controls, they can make informed decisions on whether, and how, to integrate the shadow IT projects into production systems, without compromising on security. This may be the modern IT interpretation of “If you can’t beat them, join them.”


Automation means that IT teams can keep on top of all the network changes they need to make to serve the organization’s needs, streamlining processes, and eliminating manual processing errors during changes. The right automation solution will also automatically flag up any potential security or compliance issues and will document everything for audit purposes, helping to ensure a strong security and compliance posture is always maintained.

Sebastian Goodwin: We shouldn’t overlook the fundamental reason that people seek out their own solutions instead of asking IT: Working with IT can be a slow and painful process. It doesn’t have to be. With recent developments in artificial intelligence (AI) and natural language processing (NLP), software has become increasingly good at deciphering requests from humans. Combine that with the increased popularity of tools like Slack, and you have a powerful and efficient front-end service for IT requests that can often be fulfilled immediately. For example, at Nutanix we deployed a bot in Slack that we call “X-bot.” Employees can ask X-bot for things, for example “I need a project management tool,” and X-bot will offer up our standard tool and automatically provision a license so the employee has access immediately. When an IT department is so highly responsive in fulfilling employee requests, the need for people to look for solutions themselves diminishes.

SEE: Four vital security policies keep company networks safe (TechRepublic)

Hackers use automation to detect when your employees make a mistake. You should, too. With the proliferation of online tools available, it’s inevitable that someone will use them and accidentally disclose sensitive data. Once the mistake has been made, automation allows IT to detect that mistake and fix it before hackers detect it and exploit it. There are a number of tools and services available to help automatically detect leaks of confidential data, misconfigured public cloud accounts, or any number of common mishaps that can result from the use of shadow IT. If you’re not automating this, it can lead to problems down the road because today’s adversary is highly automated.
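One of the "common mishaps" Goodwin names is a misconfigured public cloud account, and the registration spreadsheet Ben-Yossef mentions earlier is exactly the kind of file that ends up in a world-readable bucket. The following is an added example, not code from the interview or from any vendor named on the page: a small auditor that reads bucket policy documents written in the style of IAM policy JSON and flags statements that grant read access to anyone. The three policies are constructed sample data (the account id, role and VPC endpoint id are placeholders), and the checker deliberately separates an unconditional public grant from a wildcard principal that is scoped by a Condition, so the second is reviewed rather than treated as an open bucket.

```python
"""Flag bucket policies that grant read access to anyone.

Added example; the policy documents are constructed samples in IAM-policy style.
"""

SAMPLE_BUCKET_POLICIES = {
    # Constructed: world-readable objects, the classic leak path.
    "webinar-registrations": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::webinar-registrations/*",
        }],
    },
    # Constructed: wildcard principal, but scoped by a condition (placeholder endpoint id).
    "internal-reports": {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VpceOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::internal-reports", "arn:aws:s3:::internal-reports/*"],
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
        }],
    },
    # Constructed: limited to one role in a placeholder account; should not be flagged.
    "payroll-exports": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll-batch"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::payroll-exports/*",
        }],
    },
}

# Actions that let a principal read bucket contents; compared case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy JSON allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def grants_public_read(stmt):
    """Return 'open', 'conditional' or None for one statement."""
    if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
        return None
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & READ_ACTIONS:
        return None
    return "conditional" if stmt.get("Condition") else "open"


def audit_bucket_policies(policies):
    """Walk every statement of every bucket; one finding per offending statement."""
    findings = []
    for bucket, doc in policies.items():
        for stmt in _as_list(doc.get("Statement", [])):
            verdict = grants_public_read(stmt)
            if verdict is None:
                continue
            findings.append({
                "bucket": bucket,
                "sid": stmt.get("Sid", "<no Sid>"),
                "verdict": verdict,
                "severity": "high" if verdict == "open" else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in audit_bucket_policies(SAMPLE_BUCKET_POLICIES):
        print(f"[{f['severity']:6}] {f['bucket']} ({f['sid']}): public read is {f['verdict']}")
```

Run on a schedule against exported policies, a check like this turns the "detect it before someone else does" advice into a concrete control: the high-severity finding is the one to fix immediately, while the conditional grant is a candidate for review, since whether it is safe depends on what the condition actually restricts.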

Scott Matteson: Have you implemented this, and what were the end results? Were there any specific challenges or special skills involved?

Ofri Ziv: We implemented automations for critical IT/DevOps tasks in our company. It saved us a lot of security issues, increased our service consumption efficiency, allowed us to support a much bigger operation as a growing company, while meeting our compliance requirements. For these processes to be implemented properly we needed a combination of our strong DevOps team with our skilled security team.


Scott Brittain: TrustRadius has implemented it up to a point. Since every app can be a bit different from an API or scripting point of view, our challenge was automating the process that operations goes through while provisioning.

Scott Matteson: Do you have any advice for other companies seeking similar solutions?

Ofri Ziv: One of the first steps a company should do to cope with shadow IT is to gain visibility into the different services consumed by its employees and products.

To identify the different services, we used our very own Guardicore Centra, which maps the communication between and from all our assets across the world, allowing us to list the services we consume and block access to them when needed.

Scott Brittain: We’d recommend establishing a friendly and welcoming tone within your IT department so employees cooperate with IT freely. Also, setting aside time for shadow IT is key. You need to work this problem every week, particularly in larger enterprises.

Scott Matteson: Where is this trend headed?

Ofri Ziv: It seems like more and more SaaS solutions will be consumed by different people in the company and each department will need a different set of such services that is optimized to its needs. From a work efficiency standpoint, that’s a great trend!


From the security point of view, this is a huge challenge that will require advanced visibility tools to identify and monitor the different services in use, good security posture management tools to ensure the right policy is in place and the ability to block access to unwanted systems.

Scott Brittain: The self-service trend is winning and justifiably so. Employees are creating efficiencies for themselves and their teams by adopting new apps. IT departments should position themselves as facilitators and magnifiers of those new apps.

Shadow IT is here to stay. Every week, a new free-trial, easy-start app hits the market, and most of them provide real value. Embrace it! Help the good apps succeed, and kill off the bad ones.


Challenges facing data science in 2020 and four ways to address them


Finding value in data, integrating open source software, a small talent pool, and ethical concerns around data were found to be trouble areas in a new state of data science report.


A report on the state of data science from software firm Anaconda finds that data science is anything but a stable part of the enterprise. In fact, it has several serious challenges to overcome.

SEE: Tableau business analytics platform: A cheat sheet (free PDF download) (TechRepublic)

Luckily, Anaconda’s report provides four recommendations organizations should focus on to address problems it found in its survey of data science professionals: A lack of value realization, concerns over the use of open-source tools, trouble finding and retaining talent, and ethical concerns about bias in data and models.

“The institutions which rely on [data science] are still developing an understanding of how to integrate, support, and leverage it,” the report said. 

The four trouble areas that Anaconda found are keys in the continued evolution of data science from an emerging part of enterprise business to a fundamental part of planning for the future of work.

1. Getting value out of data science

This problem stems mainly from production roadblocks like managing dependencies and environments, a lack of organizational skills needed to deploy production models, and security problems. 

Combined, those three problems lead to 52% of data science professionals saying they have trouble demonstrating the impact data science has on business outcomes. This varies across sectors, with healthcare data pros having the most trouble proving benefits, where 66% said they sometimes or never can do so, to consulting, where only 29% said the same. 

“Getting data science outputs into production will become increasingly important, requiring leaders and data scientists alike to remove barriers to deployment and data scientists to learn to communicate the value of their work,” the report recommends. 

2. Difficulty integrating open-source data science tools

According to the report, open-source programming language Python dominates among data scientists, with 75% saying they frequently or always use it in their jobs. 

Despite the popularity of open-source software in the data science world, 30% of respondents said they aren’t doing anything to secure their open-source pipeline. Open-source analytics software is preferred by respondents because they see it as innovating faster and more suitable to their needs, but Anaconda concluded that the security problems may indicate that organizations are slow to adopt open-source tools.

“Organizations should take a proactive approach to integrating open-source solutions into the development pipeline, ensuring that data scientists do not have to use their preferred tools outside of the policy boundary,” the report recommended.


There’s a caveat to mention here: Anaconda is the manufacturer of a Python-based open-source data science platform. The results of its survey may be tilted in favor of open-source products since people surveyed were recruited via social media and Anaconda’s email database.

3. Trouble finding and keeping qualified data scientists

There are several layers of problems to parse through here. First, the report found that what students are learning and what universities are teaching isn’t necessarily what enterprises need from new data scientists. 

The two most frequently cited skill gaps by businesses—big data management and engineering skills—didn’t even rank in the top 10 skills universities are offering their data science students. 

Another layer of problems comes in talent retention, which the report found is closely tied to how often data science professionals are able to prove the value of their work. Across the board, however, 44% of data scientists said they plan to look for a different job within the next year.

Anaconda makes three recommendations to address this problem: 

  • Businesses need to collaborate with educational institutions to ensure their programs are teaching students the skills businesses need. 
  • Employers should design holistic data science retention plans that include helping employees learn to articulate the value of their work and providing opportunities for training and growth.
  • Ensure that data scientists have the opportunity to cross train to increase the value of their contributions.

4. Eliminating bias and explaining machine learning

“Of all the trends identified in our study, we find the slow progress to address bias and fairness, and to make machine learning explainable the most concerning,” the report said.

Ethics, responsibility, and fairness are all problems that have started to spring up around machine learning and artificial intelligence, and Anaconda said enterprises “should treat ethics, explainability, and fairness as strategic risk vectors and treat them with commensurate attention and care.” 

Despite the importance of addressing bias inherent in machine learning models and data science, doing so isn’t happening: Only 15% of respondents said they had implemented a bias mitigation solution, and only 19% had done so for explainability. 

Thirty-nine percent of enterprises surveyed said they had no plans to address bias in data science and machine learning, and 27% said they have no plans to make the process more explainable. 

“Above and beyond the ethical concerns at play, a failure to proactively address these areas poses strategic risk to enterprises and institutions across competitive, financial, and even legal dimensions,” the report said.

The solution that Anaconda recommended is for data scientists to act as leaders and try to drive change in their organizations. “Doing so will increase the discipline’s stature in the organizations which depend on it, and more importantly, it will bring the innovation and problem-solving, for which the profession is known, to address critical problems impacting society.”
