Top Three Reasons to Manage Shadow IT
We’ve shared a few blog articles in recent months about shadow IT - what it is and how to manage it. We’ve also had many interesting conversations with customers and prospects about their own reasons for wanting to get better visibility into shadow IT on their networks. In this article, we’ll share the top three reasons that we hear, in no particular order.
1. You can’t secure what you can’t see
The first step in the majority of security frameworks is to inventory assets. For example, step one in the CIS Critical Security Controls (formerly the SANS Top 20) is to do an "Inventory of Authorized and Unauthorized Devices."
Organizations that follow this or another framework are following the advice "You can’t secure what you can’t see." For them, getting visibility into unauthorized devices and shadow IT is critical to laying the foundation for a comprehensive security program.
2. Many little costs can add up to a big expense
It’s interesting that many people tell us they want to manage shadow IT for a reason that has little to do with security. Instead, they’re not sure how much shadow IT is costing their organization and they want to figure that out.
It’s easy to see how cloud applications and services, which anyone can set up and pay for with a corporate credit card, can add up to a big expense for the organization. While many of these applications and services start out on a free tier, many users quickly move beyond the free offering to unlock additional features, gain more capacity or use them for extended periods of time.
We’ve heard of some IT teams partnering with accounting to get information on whose expense reports include cloud services and applications. That’s one way to try to uncover this information. It’s also worth noting, though, that the same Tenable solutions that give professionals visibility into shadow IT for security purposes can help with the IT/usage challenge as well.
3. Shadow IT can introduce risk
The majority of people tell us they want to manage shadow IT because of concerns that unauthorized or unknown applications, services or devices will introduce risk into their networks and they won’t have visibility into these possible attack vectors.
On one hand, I think you could make the argument that cloud services may not introduce any more risk than other assets because cloud providers work very hard to harden their applications and services. Last year, threat prediction firm NopSec released a study on the state of vulnerability risk management. Part of that study looked at the length of time for organizations in different industries to identify and patch vulnerabilities. In this study, they noted “...cloud providers rank as the most progressive industry in terms of the remediation of known security issues - closing 90 percent of identified vulnerabilities in less than 30 days."
On the other hand, even if cloud services and application vendors are working hard to harden their applications, there still will be some vulnerabilities in those applications some of the time.
But the bigger concern is how people frequently use (or misuse) cloud services and applications. It’s just past tax season here in the USA, so I’m reminded of Graham Cluley’s reporting last year on how many users of the free Dropbox service were unknowingly leaking tax returns and private data via sharing links that were publicly accessible. What if, at your organization, it was someone inadvertently sharing a customer list or employee data instead of their own tax information? Gaining visibility into the use of this type of shadow IT can help you manage who’s using it, what data is being shared and where the shared data is going.
What we don’t hear...
What we rarely hear as a reason for managing shadow IT is that security professionals want to shut it down. It seems many feel that trying to block shadow IT will only make those using it work that much harder to keep doing so. Instead, most approach shadow IT as something they should manage the way they manage other assets in their environment.
It all starts with them having visibility. Once that’s achieved, security professionals can look for opportunities to move shadow IT to approved applications and platforms and/or determine how shadow IT can become managed IT so it doesn’t introduce unnecessary cost or risk to the organization.
Visit our website to learn more about how Tenable is helping organizations manage unknown assets and shadow IT. And while you’re there, download our Eliminating Cyber Security Blind Spots white paper.