Shine a Light on Shadow IT

Over the last several years, Shadow IT has grown from a minor annoyance into a major threat to business operations. While the term is often used to refer to runaway tech spending by users in marketing, DevOps or finance, it has in fact become a much larger issue that involves the very core of organizational infrastructure, with the potential to pose enormous cyber risk.

With the recent shift to large-scale work from home due to the COVID-19 pandemic, that risk has multiplied. Some industries have seen as much as 75% of their workforce shift to working from home or remote offices, which are up to 3.5x more likely to have at least one malware infection than corporate networks. The data in your cloud has never been more necessary, or more vulnerable, which is all the more reason organizations need to aggressively gain visibility into and secure their attack surface.

The Rise of Infrastructure Shadow IT

What is Shadow IT? Basically, it’s services or capabilities that IT and security teams don’t know about, don’t have visibility into and don’t have governance over. As mentioned above, there are a few ways this can become an issue. SaaS applications that marketing onboards without IT knowing certainly pose a risk, but a lack of visibility into unknown cloud instances and/or data services may also pose high levels of cyber risk to your organization.

But surely something as big as an AWS or Oracle Cloud instance couldn’t go unnoticed, right?

That’s what many security leaders believe, but it’s shockingly easy for cloud instances to fly under the radar. In fact, there may even be several unauthorized clouds in your organization.

There are several ways this can happen. The most common is the result of an acquisition or merger, where systems are inherited by the parent company but are missed or overlooked in an IT audit. It also commonly happens when organizations operate all over the globe, with offices in different geographies spinning up new services to meet specific needs or because regional regulations or laws may make it difficult for them to use corporate-approved assets.

Why Is Shadow IT Risky?

Shadow IT poses a real danger to organizations precisely because it’s unmanaged, and this is especially true of cloud instances since the attack surface can expand significantly without the organization being aware of the risk.

First, most organizations are fairly stringent about ensuring vendors are properly assessed before doing business with them. With shadow IT, there is usually no way to know if a vendor is approved for use or has been found compliant. However, even if it’s a vendor like Google, there is still another issue that can loom large for any organization.

Most cloud providers use a security method called the Shared Responsibility Model, in which the provider secures the infrastructure itself, but the customer is responsible for securing their data and apps. Research shows this model is often poorly understood by most security professionals, leading to misconfigured security that leaves sensitive cloud information at risk, as a trove of recent breaches illustrated last year. When cloud assets aren’t accounted for at the organizational level, there is a critical gap in visibility and accountability.

Even if regional or multi-cloud instances are necessary, there still needs to be visibility all the way up the chain to ensure that the Shared Responsibility Model has been configured correctly and appropriate steps are taken to reduce risk to the attack surface. After all, just because you don’t know about something doesn’t mean you aren’t responsible for an eventual breach should the worst occur. That’s why it’s absolutely critical that security leaders get smarter about how to combat shadow IT.

How To Combat Shadow IT

Combating shadow IT starts with visibility. Over the years organizations have tried many methods to control shadow IT, but with limited success, simply because there is no way to ensure that all assets have been accurately reported. Often security leaders resort to using a living document, spreadsheet or other manual process to track assets. The problem with these methods is that, much like a vendor questionnaire, they rely on the accuracy of the information provided and only capture a moment in time.

IT security leaders need a way to proactively discover shadow IT across their digital ecosystem, without relying on manual reports or asset tracking, as well as quantify the risk posed by those assets. That’s where BitSight Attack Surface Analytics can provide enormous value to security leaders.

BitSight Attack Surface Analytics

BitSight Attack Surface Analytics brings an entirely new set of capabilities to your security performance management program. The unique set of tools allows your team to discover the cloud assets hidden in the shadows and see the true extent of your organization’s attack surface.

By looking at externally observable internet traffic, we can help your team detect areas of unknown risk around the world, and give you crucial information not only about where cloud assets are located but also about any risks or vulnerabilities associated with them. This not only eliminates surprises lurking in your network, but helps your team understand where risk is concentrated, prioritize where to spend resources, consolidate assets and potentially reduce costs.

As we enter an era where security teams are expected both to meet the demands of a drastically altered work environment and to do more with less, it’s the kind of capability that can bring enormous peace of mind.

After all, we could all use one less thing to worry about.