Shadow IT as a threat

Cyber security standards

12:00 Tuesday, 24 November 2020

UK Cyber Security Council

Shadow IT is defined as: “IT systems deployed by departments other than the central IT department, to work around the shortcomings of the central information systems”. There can be few people reading this who haven’t either implemented shadow IT of their own or had to deal with the consequences of its use.

In one sense, the potential for shadow IT to cause harm to the organisation might be imagined to be modest. For example, basic Network Access Control (NAC) can be used to ensure that only known, supported corporate devices are able to interact with the production network, and to bar entry to unknown devices – shadow IT. And if there is a non-production network (such as a WiFi network for visitors), this will generally be segregated from the production networks, and hence the only threat is to the other non-corporate systems on that LAN. And even if we consider the potential for an illicit audio- and video-capable device to be connected to the “guest” WiFi and to exfiltrate data, is it really that great a threat? It would, after all, be just as easy for the attacker to plant a 4G-capable device that needs no connection to any of our organisation’s infrastructure.

Shadow IT can, however, exist on your corporate network – and thus can present a huge threat. At the simple end is the unofficial Excel spreadsheet – where a user works around a cumbersome official system by developing a home-made Excel workaround that gets calculations wrong. Excel errors in officially sanctioned (and presumably tested) Excel spreadsheets have cost billions over the years, so the risk with unofficial, untested ones is tangible.

The elephant in the room, though, is the cloud. When IT systems were on-premise, it was easy to control the introduction of new tech – alongside the NAC approach mentioned above, change permissions on any virtual infrastructure would be limited to the sysadmins. With the cloud, though, even though the sysadmins can control what happens in the company’s own systems, it’s a trivial and inexpensive job to set up a non-company cloud account. And even if you filter web connections to external sites, you won’t be blocking connections to, say, the AWS management console if that’s what your techs use to manage your own AWS installation.
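The point above, that domain-level web filtering cannot separate sanctioned use of the AWS management console from unsanctioned use, suggests what a defender can look at instead: IAM-user console sign-ins go through an account-specific host (`<account-id-or-alias>.signin.aws.amazon.com`), so a proxy log can be checked for sign-ins to accounts that are not in the corporate inventory. The following Python is an added example, not code from the article or the Council; the proxy log format, the account inventory and the log lines are all constructed for illustration.

```python
import re

# Account IDs and aliases the organisation actually owns (constructed for this example).
SANCTIONED_ACCOUNTS = {"123456789012", "acme-prod"}

# IAM-user console sign-in URLs use an account-specific host:
#   https://<account-id-or-alias>.signin.aws.amazon.com/console
SIGNIN_HOST = re.compile(r"^(?P<account>[a-z0-9][a-z0-9-]*)\.signin\.aws\.amazon\.com$")


def parse_line(line):
    """Parse one constructed proxy log line: '<timestamp> <user> <src-ip> CONNECT <host>:<port>'."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "CONNECT":
        return None
    host = parts[4].rsplit(":", 1)[0].lower()
    return parts[0], parts[1], host


def find_unsanctioned_signins(log_lines, sanctioned=SANCTIONED_ACCOUNTS):
    """Return (timestamp, user, account) for sign-ins to AWS accounts outside the inventory."""
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        timestamp, user, host = rec
        m = SIGNIN_HOST.match(host)
        if m and m.group("account") not in sanctioned:
            findings.append((timestamp, user, m.group("account")))
    return findings


# Constructed sample log. console.aws.amazon.com is reachable for everyone who needs the
# console, so that host tells us nothing; only the sign-in host carries the account.
SAMPLE_LOG = [
    "2020-11-24T09:01:07Z alice 10.0.4.21 CONNECT console.aws.amazon.com:443",
    "2020-11-24T09:01:09Z alice 10.0.4.21 CONNECT 123456789012.signin.aws.amazon.com:443",
    "2020-11-24T10:15:42Z bob 10.0.7.88 CONNECT 210987654321.signin.aws.amazon.com:443",
    "2020-11-24T10:16:03Z bob 10.0.7.88 CONNECT s3.eu-west-2.amazonaws.com:443",
    "2020-11-24T11:02:19Z carol 10.0.2.14 CONNECT marketing-sandbox.signin.aws.amazon.com:443",
]

if __name__ == "__main__":
    for timestamp, user, account in find_unsanctioned_signins(SAMPLE_LOG):
        print(f"{timestamp} {user} signed in to AWS account '{account}', which is not in the inventory")
```

This only catches IAM-user sign-ins: root sign-ins and federated (SSO) sign-ins use different hosts, so a complete picture needs those paths covered as well.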

Shadow IT in the cloud will inevitably be populated with the organisation’s sensitive data. Vulnerabilities will appear over time, since unless patching is rigorous (which it won’t be) security holes will not be plugged and the systems may not even have anti-malware software installed. And if there’s personal data among the corporate data on those systems, you have an automatic data breach because as far as the Information Commissioner is concerned the organisation is processing personal data for a purpose that, by definition, isn’t included in the company’s inventory of personal data and register of processing activities.

So what can we do about it? Well, on one hand one could simply stamp it out – discipline people who side-step the rules and cause potential or actual harm to the business through data protection or security disasters.

On the other hand, though, perhaps one can embrace it: much of this shadow IT exists because it’s useful to the business – people have implemented it because it helps them do something more quickly, or more accurately, or perhaps it even lets them do something they couldn’t before.

So if we have all these keen people making life better for themselves – and hence by implication for the organisation – why not educate them to do it properly:

  • give them training on the rules and policies, and explain why they exist
  • send them on courses to help them find out how to do what they’re doing properly, from generic development techniques to specific courses on the applications and languages they’re implementing and developing in
  • get the IT teams to share knowledge and help them bring what they’re doing out of the shadows.

Some say that shadow IT is essential, or at least useful, as a means of trying out new ideas, innovating and doing proofs-of-concept. This is, bluntly, wrong: innovation and pilot projects belong in properly supported lab or development networks, not some unofficial and uncontrolled cloud of randomness.

Uncontrolled shadow IT is, then, a menace. Any sensible organisation will make clear that it is unacceptable, will hunt it down, and will be harsh with those who create it and – even more – with those who know of its existence but turn a blind eye. But a sensible organisation will also realise that it all exists for a reason, and that at least some of it has a positive effect, and will make a decent effort to enable the creators of the technology to do it properly and produce something that can be supported in the long run.