Mentioning the phrase “shadow IT” to CISOs often results in an eye-roll or a grimace. As one who spent most of his adult life within government dealing with home-based IT capabilities that far outstripped those in the office, I know this feeling.
Operating within an enclaved system means direct user access to more advanced technologies from their workstations wasn’t happening. Commercial entities don’t have that luxury of an enclaved environment. They do have the challenge of employees using technology and applications with capabilities that far outstrip their ability to keep up.
Ask how easy it is to handle shadow IT and the consensus is that it is as easy as nailing Jell-O to a wall.
What is shadow IT?
If you are the CISO who has not encountered shadow IT, you are indeed fortunate, or perhaps have a blind spot. CISOs and their infosec teams put into place process, procedures, applications, and infrastructure to provide their workforce the tools necessary to be effective in their tasks.
Shadow IT occurs under a couple of circumstances: The benevolent scenario has individual users deciding to exit the provided ecosystem and use other methods to do their work. The malevolent scenario is when a user opts to bypass the provided ecosystem to move/take data for nefarious purposes.
Who is to blame for shadow IT?
The user? Management? The infosec team?
The infosec team and management should recognise that they shoulder much of the blame, with the choices made by individuals and internal/external teams to step outside of the provided ecosystem shouldering the remainder.
During a recent conversation with Code42 CEO Joe Payne, he noted the irony of infosec, the entity responsible for keeping data protected and inside an ecosystem, when they make it difficult for employees to accomplish their tasks. The tools used to protect the data slow the natural flow of the tasks at hand.
Payne likened employees and their actions to water flowing down a hill: even with restrictions and funnelling data, employees operating against an operational deadline will find a way. He suggests monitoring activity for data moving where it shouldn’t and then determining intent.
Shadow IT examples: The bad, the innocent, and the determined
Now, with COVID flipping the work environment on its ear, users and companies have been forced to adjust to stay afloat and keep their workforce safe. The bring your own device (BYOD) discussions of old are now all the more important, especially with the opportunity to commingle business information with personal information.
The constant risk is that a personal app on an employee's device might compromise the device and by extension the company via its network connection, as the examples below illustrate.
Getting employees access to their work environment is a challenge. In one case, as Lynsey Wolf, security analyst and insider threat expert within DTEX Systems shared, engineers put in place a “remote support tool (TeamViewer).” The tool was configured to allow “anytime” access.
Investigation showed that it was set up as a workaround without malicious intent, but to allow the engineers to gain remote access from home during COVID lockdown. “However, the successful detection and mitigation of these tools, which do not require installation, are often left unchecked, and they can result in high-profile breaches, such as the Florida Water Treatment hack.”
An example of the malevolent use of Shadow IT capabilities can be found in the recent Coca-Cola trade secret theft case. An engineer used one of many ubiquitous commercial cloud services to facilitate her theft of intellectual property: Google Drive.
Not all instances are theft, even if the end result is malevolent, as evidence by the example provided by Eddy Bobritsky, CEO of Minerva Labs. Bobritsky shared how an employee within an infrastructure organisation had downloaded an application to facilitate completion of their work.
That app, unbeknownst to the employee, carried a payload containing malware. No doubt the cost to clear out the malware exceeded the timesaving produced by the unauthorised application.
Payne shared an example of an innocent exposure that happened within Code42. A new employee received her laptop and during the normal course of events, including making the device her own, she signed into her Apple account.
The omnipresent nature of iCloud unexpectedly reached into her back-ups in iCloud and downloaded files, updating her new machine. The iCloud back-up application didn’t know/care she had changed employers. The data moved and another company’s files were moved to the employee’s device. She was oblivious it had occurred.
The infosec team noted the download of other company’s data and engaged. They sleuthed out the sequence of events, contacted the company whose data was now in their hands to return it and advise.
That company whose data was being returned was unaware their Apple users were unknowingly backing up the company data when their devices (which had personal and business data present) were backed up to the iCloud.
Sometimes it is hard to determine if someone is trying to get their job done or if they are up to no good. An example of such is provided by Chris Owen, director product management at Saviynt, he shared how an employee uploaded a sensitive company file to a third-party storage application (e.g., DropBox or OneDrive) for sharing with another individual as the corporate email restricted the size of the file or the sharing of sensitive information.
As Payne noted, if employees have a need, employees will find a way.
How CISOs can counter shadow IT
That said, companies can reduce the likelihood of shadow IT being the “go-to solution” for speed-bumps employees encounter when trying to operate with the tools and processes provided. Phil Strazzulla, CEO at Select Software, recommends having an open dialogue as to the “why” behind the rules that restrict the movement of data or installation of applications.
Within this dialogue, he suggests creating “a channel which can expedite new software requests.” This open dialog leads “ultimately to less frustration and more personal responsibility.”
Experience has shown that which is measured and monitored garners the attention of employees. As Payne noted, having an information monitoring capability and being transparent that when data moves to an unapproved environment it will be seen and investigated (the iCloud example) will minimise data flow outside of the approved channels.
Shadow IT is omnipresent and not going anywhere soon. The CISO challenge is to work with it and corral the intent while embracing the capabilities their employees want/need/desire.