
Tenable Blog


Top Three Reasons to Manage Shadow IT


We’ve shared a few blog articles in recent months about shadow IT - what it is and how to manage it. We’ve also had many interesting conversations with customers and prospects about their own reasons for wanting to get better visibility into shadow IT on their networks. In this article, we’ll share the top three reasons that we hear, in no particular order.

1. You can’t secure what you can’t see

The first step in the majority of security frameworks is to inventory assets. For example, step one in the CIS Critical Security Controls (formerly the SANS Top 20) is to do an "Inventory of Authorized and Unauthorized Devices."

Organizations that follow this or another framework are following the advice "You can’t secure what you can’t see." For them, getting visibility into unauthorized devices and shadow IT is critical to laying the foundation for a comprehensive security program.

2. Many little costs can add up to a big expense

It’s interesting that many people tell us they want to manage shadow IT for a reason that has little to do with security. Instead, they’re not sure how much shadow IT is costing their organization and they want to figure that out.

It’s easy to see how cloud applications and services, which anyone can set up and pay for with a corporate credit card, can add up to a big expense for the organization. While many of these applications and services start out as a free service, many users quickly move beyond the free offering to unlock additional features, gain more capacity or use them for extended periods of time.

We’ve heard of some IT teams partnering with accounting to get information on whose expense reports include cloud services and applications. That’s one way to try to uncover this information. It’s also worth noting, though, that the same Tenable solutions that give professionals visibility into shadow IT for security purposes can help with the IT/usage challenge as well.

3. Shadow IT can introduce risk

The majority of people tell us they want to manage shadow IT because of concerns that unauthorized or unknown applications, services or devices will introduce risk into their networks and they won’t have visibility into these possible attack vectors.

On one hand, I think you could make the argument that cloud services may not introduce any more risk than other assets because cloud providers work very hard to harden their applications and services. Last year, threat prediction firm NopSec released a study on the state of vulnerability risk management. Part of that study looked at the length of time for organizations in different industries to identify and patch vulnerabilities. In this study, they noted “...cloud providers rank as the most progressive industry in terms of the remediation of known security issues - closing 90 percent of identified vulnerabilities in less than 30 days.”

On the other hand, even if cloud services and application vendors are working hard to harden their applications, there still will be some vulnerabilities in those applications some of the time.

But the bigger concern is that people frequently use (or misuse) cloud services and applications. It’s just past tax season here in the USA, so I’m reminded of Graham Cluley’s reporting last year on how many users of the free Dropbox service were unknowingly leaking tax returns and private data via sharing links that were publicly accessible. What if, at your organization, someone inadvertently shared a customer list or employee data instead of their own tax information? Gaining visibility into the use of this type of shadow IT can help you manage who’s using it, what data is being shared and where the shared data is going.

What we don’t hear...

One reason we rarely hear from security professionals for wanting to manage shadow IT is that they want to shut it down. Many seem to feel that trying to block shadow IT will only make those using it work that much harder to keep using it. Instead, most approach shadow IT as something that they should manage like they manage other assets in their environment.

It all starts with them having visibility. Once that’s achieved, security professionals can look for opportunities to move shadow IT to approved applications and platforms and/or determine how shadow IT can become managed IT so it doesn’t introduce unnecessary cost or risk to the organization.


Visit our website to learn more about how Tenable is helping organizations manage unknown assets and shadow IT. And while you’re there, download our Eliminating Cyber Security Blind Spots white paper.
