Shadow IT – The New Backdoor

A new IBM X-Force analysis of hacking attempts shows that Shadow IT is becoming a far more serious issue than was previously thought. 45% of the incidents that they investigated were due either to improperly configured cloud environments or to applications being launched into the cloud outside of approved channels (aka Shadow IT).

A recent Gartner study found that somewhere between 30% and 40% of all IT spending goes to Shadow IT, while Everest Group puts this closer to 50%. In short, take your official IT budget and divide by 2 to figure out how much Shadow IT your company is using. One study from Frost found that 80% of corporate users admitted to using at least 1 ‘non-approved’ application in their daily work and that 35% of all your SaaS apps operate outside of IT oversight. Another stunning metric is the gap between the Shadow IT that the IT department perceives and what business users are actually using. For every Shadow IT SaaS app you know about, there are 4 more lurking, waiting to become a problem.

How did we get into this mess? Because there is no clear policy promulgated by management, with clear penalties for circumventing it that get applied across the board to everyone all the time. I only know of one company that audits its procurement cards for SaaS purchases. Firewall logs are not audited for SaaS provider connections. Most companies don’t have a policy on this. When they do, every business unit adopts the policy but loads it with its own in-house exceptions.

Many younger employees are used to the app economy and have long used freeware with little to no thought of the data or security implications. They find dealing with traditional IT approval processes to be slow and cumbersome. Often the products selected by IT (many times for very sound reasons) don’t have the features that the users wanted. With the pressure to perform, many feel justified in taking whatever shortcuts are necessary to produce. Most either do not recognize the risk or feel justified in taking it.

The big issue is just how risky it is. The study from Frost shows that the risk runs anywhere from 1 in 10 to 1 in 4, depending on the application and the time period during which it was being used. As for the apps themselves, they run the gamut from social media management to HR, Legal, Financial, and Business Intelligence, which are the areas of the company where the most sensitive information is stored.

The biggest issues with Shadow IT involve improper security, data leakage, and operational silos. In an era where big data and data combination and analytics are critical to the bottom line, storing and manipulating data in what amounts to a private platform that is not shared with the rest of the business disrupts that process and deprives the business of insights it might otherwise have gained.

Improper security leads to data breaches that often go unnoticed for extended periods of time, if ever, because the users of the application either fail to notify IT staff when the SaaS provider notifies them, or simply do not know what to look for to realize that a breach has occurred. This also leaves the security management to those who have no experience in creating or managing security settings or knowledge of regulatory requirements. It places responsibility for updates to computer and mobile device apps onto the end users. If a breach via one of these apps should happen, the company may not even be aware of it for some time, if ever, while data continues to be exfiltrated.

Security and siloing are fairly obvious, but let’s take a look at data leakage. Why is that a problem? Well, let’s take a look at a very popular item, Evite. It’s a ‘free’ (air quotes) application that you can use to invite people to events. However, if you read the privacy policy, it clearly states that Evite owns all the data about the event and anyone registering to attend it. It also clearly states that they will be selling that data to anyone who is interested. Imagine what happens when your marketing department starts using Evite to invite your top-tier clients to attend events or your next trade show and, without breaking any laws, your competitor can just start buying that data from Evite.

If that isn’t enough to give you indigestion, let’s move on to our next example. Let’s assume that a critical area of your company, say Product Development, decides to use a ‘free’ app for collaboration. This opens the door for your competitor to purchase the data on the new product that is being developed. Worse yet, most collaboration suites also permit file storage and sharing, which means that you now have sensitive company data being stored in a system where it may not be properly protected, because your marketing people will have no knowledge of data governance, data retention, or regulatory requirements. They’re doing product development and marketing.

It’s time to start auditing what’s going on with all those procurement cards. This is an area where your financial management application should be flagging XaaS charges and sending them to Security for review to see whether these are permitted or not. It’s time to start checking those firewall logs for connections to XaaS providers. The laissez-faire management of corporate expenditures for Shadow IT really has to come to an end. Combined with supply chain hacking and many of the other advanced persistent threats, it’s only a matter of time before these become channels of compromise.
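The two checks called for above, flagging XaaS card charges and sweeping firewall logs for SaaS connections, as an added illustration that is not part of the original post. The SaaS catalogue, the approved list, the log line format and the card charges are all constructed assumptions; a real deployment would feed in its own egress logs, statement exports and a maintained vendor catalogue.

```python
import re
from collections import defaultdict

# Hypothetical catalogue: SaaS domain suffix -> vendor, plus the approved subset.
SAAS_DOMAINS = {"evite.com": "Evite", "trello.com": "Trello", "slack.com": "Slack"}
APPROVED = {"Slack"}
XAAS_HINT = re.compile(r"subscription|\.com\b|\.io\b", re.I)  # wording that hints at a subscription
# Constructed firewall egress format: "<ts> src=<ip> dst=<host> user=<name> bytes=<n>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) bytes=(?P<bytes>\d+)$")

# Constructed sample inputs (not real traffic or real charges).
SAMPLE_LOGS = [
    "2024-05-01T09:12:03 src=10.1.2.3 dst=www.evite.com user=mkt.lee bytes=4096",
    "2024-05-01T09:15:44 src=10.1.2.9 dst=api.trello.com user=pd.nair bytes=1800000",
    "2024-05-01T09:16:10 src=10.1.2.9 dst=app.slack.com user=pd.nair bytes=2048",
    "malformed line that the parser must skip",
]
SAMPLE_CHARGES = [  # (cardholder, merchant descriptor, amount)
    ("mkt.lee", "EVITE PRO SUBSCRIPTION", 29.00),
    ("pd.nair", "TRELLO.COM", 120.00),
    ("it.ops", "SLACK TECHNOLOGIES", 800.00),
    ("fac.ops", "OFFICE DEPOT", 54.10),
]

def saas_vendor(host):
    """Map a destination host to a catalogued vendor (suffix match), or None."""
    host = host.lower().rstrip(".")
    for suffix, vendor in SAAS_DOMAINS.items():
        if host == suffix or host.endswith("." + suffix):
            return vendor
    return None

def unapproved_saas_from_logs(lines):
    """Return {vendor: {user: bytes}} for egress to SaaS not on the approved list."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparsable line: skip it, do not abort the whole sweep
        vendor = saas_vendor(m["dst"])
        if vendor and vendor not in APPROVED:
            hits[vendor][m["user"]] += int(m["bytes"])
    return {v: dict(u) for v, u in hits.items()}

def flag_card_charges(charges):
    """Return charges naming a non-approved vendor, or subscription-like charges from an unknown one."""
    flagged = []
    for holder, merchant, amount in charges:
        vendor = next((v for v in SAAS_DOMAINS.values() if v.lower() in merchant.lower()), None)
        if vendor in APPROVED:
            continue
        if vendor or XAAS_HINT.search(merchant):
            flagged.append((holder, merchant, amount, vendor or "unknown XaaS"))
    return flagged
```

The byte totals per user give Security a first hint of whether an unapproved app is a one-off visit or a bulk upload channel.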
