The Digital Trust Imperative: Risk in the Shadows

Author: K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, SECURITY+
Date Published: 1 November 2024
Read Time: 9 minutes

A Kaspersky study published in 2023 indicated that 85% of companies have had cybersecurity incidents, with shadow IT playing a role in at least 11% of those.1 Given that any cybersecurity incident can affect an organization’s digital trustworthiness, that number is one of grave concern. Shadow IT only seems to be growing, meaning that percentage will likely also grow.

Cisco has a great definition for what shadow IT is: “Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware.”2 In the past, shadow IT meant acquiring resources on-premises, and while the occurrences of shadow IT were an issue, they were not nearly as risky to an organization as shadow IT in the cloud. At least when they were on-premises, inherent on-premises protections like data loss prevention (DLP), network security, and the like, reduced the risk of these shadow IT implementations. That is not to say all risk was eliminated.

After all, one system not properly managed by IT and security could be the entry point used by a bad actor to compromise the network and begin lateral movement, compromising other systems. However, at least in on-premises cases, IT and security have the potential to detect and react to a threat. If a department stands up shadow IT in the public cloud and puts sensitive data out there leading to a data breach, the IT and security folks will not know about it until it is too late. As a result, shadow IT represents a growing threat to most organizations, especially those with a digital presence.


The list of potential risks and vulnerabilities related to shadow IT3 is long and includes:

  • Collaboration inefficiencies
  • Compliance violations
  • Data inconsistency
  • Data insecurity
  • Lack of IT visibility and control
  • Operational inefficiencies
  • Security issues

Let us put aside the efficiency risk and focus on the compliance, data, and security-related issues. Inefficiencies may result in lost revenue and loss of reputation because an organization may be slower to deliver than its competitors, but compliance, data, and security issues will likely cause greater damage to an organization.

Compliance Considerations

Adding controls to meet compliance requirements after something has been deployed and in use is almost always more difficult and significantly more costly than “baking in” controls from the start. However, the risk is greater than just cost. Other potential issues4 include:

  • Reputational damage
  • Loss of customer and investor trust
  • Financial losses
  • Legal trouble
  • Privacy concerns and data breaches
  • Operational inefficiency

The first two are directly related to digital trust. Of course, legal trouble will potentially result in bad publicity, which also impacts reputation, as do any data breaches that may result. One of the core issues with shadow IT is that there is no guarantee that organizational controls will be put into the solution. In many cases shadow IT is adopted to circumvent organizational controls. The main reason for shadow IT is to quickly build a usable solution for organizational purposes, often because the organizational controls are slowing things down or making things “too difficult.”

For instance, shadow IT bypasses due diligence reviews,5 which can take some time to conduct. Depending on the vendor, getting the needed information from them to conduct the review can be a matter of hours to weeks to not at all. Anyone who has spent any time working on due diligence reviews of potential vendors has experienced the case where a particular highly favored vendor either did not provide the necessary documentation or, when they did, the documentation revealed issues with the vendor that did not permit their selection. Ultimately, in most cases, stakeholders seek to bypass this sort of third-party risk management process due to the time it takes.

Data, Data, Data

As a data professional, one of the greatest IT challenges I encounter is when different systems have different versions of the same data. Data inconsistency is a headache for most organizations because despite master data management (MDM) solutions and defined systems of record (SoR), as data moves around, it inevitably becomes “stale” as copies are not updated at the same rate as the SoR. In some cases, data does not get updated at all as it sits in Excel spreadsheets and the like. With shadow IT, the likelihood of proper updates is even rarer still because IT is not aware that there is another data set out there to be updated. This means that the process to update data is outside of IT and likely manual. The obvious organizational risk is that decisions are being made with that old data. How great a risk this presents is dependent on the age of the data. Since all of this exists outside of proper controls and IT/security oversight, it is nearly impossible to assess the risk for any specific solution.

In addition to data inconsistency, we must be worried about data security. Even in cases where IT and security are the ones deploying cloud solutions, we have seen gaps in proper security configurations that led to breaches of data hosted in public cloud solutions. If IT and security professionals are getting this wrong, we should expect that individuals who are attempting to build solutions without equivalent skills and experience are going to make even more mistakes, thereby putting data at greater risk. Also, since organizational controls are likely not accounted for in shadow IT solutions, the risk for any given shadow IT solution is likely higher than for regular solutions.

Proper IT and Security Controls

Many non-functional requirements are handled by IT and security teams and are not typically visible to other parts of the organization. For example, proper backup and recoverability are something that many business users assume is taken care of; they are not aware of the details or of the requirements an organization might be required to meet. For instance, what are the expected recovery point objective (RPO) and recovery time objective (RTO) numbers? How long should data be retained? Should it be encrypted at rest, and with what protocols/ciphers? Are there audit requirements regarding who logged in, from where, and what actions they took? Are there General Data Protection Regulation (GDPR) and other regulatory requirements that could lead to fines if not properly enforced? These are the first items which come to mind when we think about platforms and systems outside of IT and security teams’ visibility and control.

However, it does go deeper than that. Proper controls should be based on appropriate risk assessment and mitigation measures. There is the need to be able to look at the logging data and other important security signals across platforms to detect if an adversary is in the environment and moving around. Shadow IT systems will not be sending data to a central security information and event management (SIEM) platform or a security operations center (SOC), so the ability to track what has been impacted by a bad actor will be impaired.

Also, we typically use single sign-on (SSO) solutions based around SAML and OAuth/OIDC to be able to tie user identities to a single platform such as Active Directory. With shadow IT, many solutions use accounts local to that platform. This prevents disabling access in a leaver process for identity and access management (IAM). If someone must be terminated immediately and access revoked from all systems, only those systems within IT/security’s purview will be affected. The termination actions will not automatically happen on those shadow IT systems. And if the person being walked out the door is looking to do real harm, the longer the access persists, the more risk the organization faces.
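The leaver-process gap described above can be measured rather than assumed. The following is an added example, not code from the article or from any product it mentions: a reconciliation check that compares an identity provider (IdP) user export against the local-account export of an application that was adopted without IT involvement, and flags active local accounts that the IdP-driven leaver process cannot reach. The user names, the export field names (`upn`, `enabled`, `login`, `active`, `last_login`) and the data are all constructed for illustration; a real run would read the two exports from CSV or the respective APIs.

```python
from dataclasses import dataclass

# Constructed sample of an IdP export (e.g. Active Directory / Entra ID users).
# "enabled": False means the leaver process has already disabled the account.
IDP_USERS = [
    {"upn": "alice@example.com", "enabled": True},
    {"upn": "bob@example.com", "enabled": False},   # left the company
    {"upn": "carol@example.com", "enabled": True},
]

# Constructed sample of a local-account export from a shadow SaaS tool.
# These accounts are not federated, so disabling the user in the IdP does nothing here.
SHADOW_APP_ACCOUNTS = [
    {"login": "alice@example.com", "active": True, "last_login": "2024-10-28"},
    {"login": "bob@example.com", "active": True, "last_login": "2024-10-30"},    # still active after leaving
    {"login": "Dave@Example.com", "active": True, "last_login": "2024-09-01"},   # no IdP identity at all
    {"login": "carol@example.com", "active": False, "last_login": "2024-06-15"}, # already deactivated locally
]


@dataclass(frozen=True)
class Finding:
    login: str
    reason: str       # "disabled_in_idp" or "not_in_idp"
    last_login: str


def normalize(identifier: str) -> str:
    """Case- and whitespace-insensitive comparison key; exports rarely agree on casing."""
    return identifier.strip().lower()


def reconcile(idp_users, app_accounts):
    """Return active local accounts whose owner is disabled in, or unknown to, the IdP.

    Accounts already deactivated locally are skipped: the exposure the article
    describes is access that persists after the organization thinks it is gone.
    """
    enabled = {normalize(u["upn"]) for u in idp_users if u["enabled"]}
    known = {normalize(u["upn"]) for u in idp_users}
    findings = []
    for acct in app_accounts:
        if not acct["active"]:
            continue
        login = normalize(acct["login"])
        if login in enabled:
            continue  # federation would have covered this one; nothing to flag
        reason = "disabled_in_idp" if login in known else "not_in_idp"
        findings.append(Finding(acct["login"], reason, acct["last_login"]))
    return findings


def summarize(findings):
    """Count findings per reason, a convenient metric to report to the risk owner."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(IDP_USERS, SHADOW_APP_ACCOUNTS)
    for f in results:
        print(f"{f.login}: {f.reason} (last login {f.last_login})")
    print(summarize(results))
```

Two findings come out of the sample data: the former employee whose local account survived the IdP disable, and a login that the IdP has never heard of, which is usually either a shared account or a personal one. Running this kind of check on a schedule against every known SaaS export is a practical stand-in for federation until the application is either onboarded to SSO or retired.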

What Can We Do about Shadow IT?

Given the increase in shadow IT and the risk shadow IT poses, what can we do about it? There are entire books written on the subject, but the reason people choose shadow IT usually comes down to cost, ease, and speed for a solution. With that in mind, here are my recommendations on how to reduce shadow IT in any organization:

  1. Ensure everyone knows where to find the services available, their use cases, and how to request them.
  2. Determine the pain points around cost, ease of use, and time to deliver that are causing users to choose shadow IT.
  3. Improve the processes surrounding those pain points and implement feedback loops to continually improve these processes.
  4. Implement strict repercussions for implementing

The first three recommendations are focused on why the majority of folks head down the shadow IT road: either they do not know that the organization already has the functionality they want, or they know it does not and the process to onboard a solution takes too long or is too complex or difficult. The last recommendation addresses those outliers who do not care about the potential risk and want to implement their own solution without being answerable to anyone.

Most people will gladly embrace an existing service if they know about it and if it is relatively easy to onboard and use. Likewise, if the organization does not have a particular service but the process to select and onboard a new service is quick and straightforward, most people will be happy to allow that process to work for them. After all, while shadow IT is often embraced because it is easier and less costly for the team doing the implementation, this does not mean that it is cheaper or easier in the long run for the organization. It is a trade-off comparison that pushes people to use shadow IT. When organizational processes cost a team more than implementing a shadow IT solution themselves, they will be tempted to go down the shadow IT route. Therefore, if the organization can remove the temptation by making processes easier and faster (while still ensuring proper controls are met), most people will choose to use the organization’s processes.

Endnotes

1 Mascellino, A.; “New Report: 85% Firms Face Cyber Incidents, 11% From Shadow IT,” Infosecurity Magazine, 20 December 2023
2 Cisco; “What Is Shadow IT?”
3 SailPoint; “What is Shadow IT?,” 6 July 2023
4 LogicGate; “Why Compliance Controls Should Be Embedded in Business Processes,” 14 January 2024
5 Pratt, M. K.; “Shadow IT is Increasing and so are the Associated Security Risks,” CSO, 6 June 2023

K. BRIAN KELLEY | CISA, CDPSE, CSPO, MCSE, SECURITY+

Is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server, and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead, and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.