Establishing Security Guardrails in the Age of Shadow IT

Staying on top of customer expectations in the digital age means adopting new software at a dizzying pace. Enabling a remote workforce also requires provisioning dozens of SaaS apps and online productivity services. Juggling these business imperatives while keeping data secure can quickly become a CISO’s worst nightmare. Shadow IT risks swelling out of control, and cloud sprawl knows no bounds. Yet, refusing to evolve is not an option if you want to stay competitive.

So, how do you allow safe use of new, cloud-based IT resources without compromising governance or risk management? How do you avoid letting your attack surface grow exponentially while still moving fast?

It requires constructing flexible guardrails through policies and tools that secure data and access across all environments. The good news is that finding a balance between agility and oversight is possible, even in the chaos of digital transformation. The key is taking a governance-based approach that educates employees while still allowing productivity.

What is Shadow IT and Why Does it Matter?

Before examining solutions, you need to understand the heart of the problem – what exactly is shadow IT, and why does it create so much business risk? At a basic level, shadow IT refers to any hardware, software, servers, services or data that employees use or access for work without IT’s approval or oversight.

Sometimes, shadow resources are containers or serverless functions spun up in a public cloud account that IT never provisioned. Other times, they are simply a SaaS app, analytics dashboard, or productivity tool that employees sign up for to fill a need without considering security.

No matter what form shadow IT takes, the dangers are two-fold:

1. Visibility gaps: IT and security teams have no insight into what data is processed and stored outside sanctioned systems, so there is no chance to enforce data governance policies, retain or delete data on schedule, or demonstrate regulatory compliance.

2. Expanded attack surface: Each shadow IT service is another internet-reachable system that nobody in security is configuring, patching, or monitoring. A weak default, a shared password, or an unpatched flaw in that service can become a path into corporate data, and from there into sanctioned systems that trust the same credentials.

Plenty of high-profile breaches have originated from shadow IT, including at the identity and access management company Okta. Not only does this show that the risks are real, but with digital transformation accelerating and cloud adoption ubiquitous, stamping out shadow IT completely is no longer realistic. The key is implementing flexible guardrails that balance security with employee productivity.

Constructing Pragmatic yet Effective Security Guardrails

So, how can your organization allow some safe use of shadow IT resources while still enforcing good data hygiene and access controls? It requires a multi-pronged approach:

Lead with Governance and Oversight

IT departments should focus first on improving the governance of sanctioned apps and resources before chasing every potential shadow risk. Ensure you have:

Comprehensive policies: Set enterprise policies for acceptable use of devices, networks, services, and data with specific security protocols required for cloud solutions. Make it easy for employees to request formal approval of new tools.

Asset inventories: Maintain current inventories of hardware, devices, software systems, and cloud services used across the business. Identify all dependencies and data flows. Use this baseline for audits.

Visibility tools: Deploy network traffic monitoring, endpoint agents, or user behavior analytics software to detect the use of unsanctioned apps and services. Many solutions specialize in identifying containers or serverless workloads spun up outside IT's view, and some can also evaluate the security configuration of those containers. Cloud Access Security Brokers (CASBs) provide visibility into both sanctioned and unsanctioned SaaS apps; DNS and web-proxy logs are a cheaper starting point, since every SaaS sign-up eventually shows up as traffic to a domain IT has never approved.

Risk assessments: Conduct in-depth cyber risk assessments to understand your weak points, and refresh them regularly as new shadow IT resources pop up. Quantify the potential breach costs or IP losses if, say, a shadow container or storage bucket is misconfigured and exposed.

Educate Staff on Security Best Practices

Employees who adopt new tools are rarely trying to put company data at risk. They simply want to be more productive. Make security awareness training mandatory for all staff, covering topics like:

  • Proper access controls and authentication protocols for cloud-based or container workloads
  • Dangers of overexposed container services or servers
  • How breach costs directly hurt bottom lines and bonuses
  • Easy procedures for requesting IT to vet and approve new apps or tools

Friendly reminders on security tips related to shadow IT usage should be persistent across internal communications, from emails to Slack messages to breakroom posters.

Focus on Securing Data Itself

Accept that some shadow IT usage will slip through the cracks no matter what. To complement governance and education, technical measures for securing sensitive data itself are necessary as a final line of defense. This data-centric approach puts safeguards directly around the company’s crown jewels.

Implement strong data classifications: Classify all enterprise data by sensitivity level (public, internal, confidential, restricted) and encrypt it appropriately, with keys controlled by IT security teams rather than by the application that happens to hold the data. This limits the damage if employees misconfigure containers and the stored data is exposed; note that it does not help once an employee has decrypted data and pasted it into an unsanctioned tool, which is why classification must also feed the access and DLP controls below. Confidential data warrants finer-grained classifications like customer PII, financial records, product IP, etc.

Enforce rights management: Control who may use classified data via identity and access management policies and privileged access tools, and integrate the classifications with cloud access policies so that a label on a document determines where it can go. This limits what a malicious or compromised insider can do with data even when they pull it into shadow IT resources.

Install data loss prevention software: Deploy DLP software on employee endpoints to detect risky data exfiltration behaviors, like copying databases or code repositories to personal drives or unsanctioned cloud storage services. DLP can also block restricted data from being uploaded to destinations outside the sanctioned list. Couple this monitoring with user education on responsible data handling; a block that nobody understands simply pushes the upload to the next unsanctioned tool.
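The visibility and DLP points above share the same raw material: a record of which users sent what to which hosts. The following is an added example, not code from the original article or from any vendor product, that turns a constructed web-proxy log into a shadow-app inventory and then applies a classification-aware upload policy to each request. The log format, the sanctioned-domain list, and the `label=` field carrying the data classification are all assumptions made for the example; a real deployment would take the classification from the document label or the DLP engine's content match.

```python
"""Added example: shadow-SaaS discovery plus classification-aware upload policy.

Assumptions (not from the article): a simplified proxy log format, a hypothetical
sanctioned-domain allow-list, and a `label=` field carrying the data classification.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical allow-list of SaaS the IT team has approved (assumption).
SANCTIONED_DOMAINS = {"sharepoint.example-corp.com", "github.com", "slack.com"}

# The article's four sensitivity levels, ordered.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed sample proxy log (not real traffic), one request per line:
# <timestamp> <user> <method> <host> <bytes_out> label=<classification>
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST sharepoint.example-corp.com 204800 label=confidential
2024-05-01T09:02:14Z alice POST pastebin.example.net 5120 label=internal
2024-05-01T09:05:30Z bob POST transfer.example.io 52428800 label=restricted
2024-05-01T09:06:02Z bob GET transfer.example.io 0 label=public
2024-05-01T09:07:45Z carol POST notes.example.app 2048 label=public
2024-05-01T09:09:10Z carol POST transfer.example.io 1048576 label=confidential
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes_out>\d+) label=(?P<label>\w+)$"
)


@dataclass(frozen=True)
class Request:
    ts: str
    user: str
    method: str
    host: str
    bytes_out: int
    label: str


def parse_log(text: str) -> list[Request]:
    """Parse the simplified proxy format, skipping lines that do not match."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        requests.append(Request(d["ts"], d["user"], d["method"], d["host"],
                                int(d["bytes_out"]), d["label"].lower()))
    return requests


def is_sanctioned(host: str) -> bool:
    """Exact or subdomain match; 'github.com.evil.example' must NOT match."""
    return any(host == d or host.endswith("." + d) for d in SANCTIONED_DOMAINS)


def shadow_inventory(requests: list[Request]) -> dict[str, dict[str, int]]:
    """Unsanctioned hosts with request count and bytes uploaded, for the asset inventory."""
    counts: Counter[str] = Counter()
    uploaded: Counter[str] = Counter()
    for r in requests:
        if is_sanctioned(r.host):
            continue
        counts[r.host] += 1
        if r.method in ("POST", "PUT"):
            uploaded[r.host] += r.bytes_out
    return {h: {"requests": counts[h], "bytes_uploaded": uploaded[h]} for h in counts}


def dlp_decision(r: Request) -> str:
    """Upload policy keyed on classification and destination.

    Reads and uploads to sanctioned apps are allowed; confidential or restricted
    data going to an unsanctioned host is blocked; internal data raises an alert
    for follow-up; an unknown label is treated as confidential rather than public.
    """
    if r.method not in ("POST", "PUT"):
        return "allow"
    if is_sanctioned(r.host):
        return "allow"
    level = SENSITIVITY.get(r.label, SENSITIVITY["confidential"])
    if level >= SENSITIVITY["confidential"]:
        return "block"
    if level == SENSITIVITY["internal"]:
        return "alert"
    return "allow"


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for host, stats in shadow_inventory(reqs).items():
        print(f"unsanctioned {host}: {stats}")
    for r in reqs:
        print(f"{r.user} -> {r.host} ({r.label}): {dlp_decision(r)}")
```

The inventory output is what feeds the "asset inventories" item above: every host it lists is a candidate for either formal approval or a block rule. The `dlp_decision` ordering matters; checking the destination before the label means a confidential upload to the sanctioned SharePoint tenant is allowed, while the same document headed for a file-transfer site is blocked, which is exactly the distinction the classification scheme is meant to make.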

Segment cloud workloads: Use micro-segmentation, VLANs, and cloud security groups to isolate workloads from the rest of production based on their classification levels, so that a data store only accepts connections from the application tier that is supposed to reach it. This limits the blast radius if a shadow resource, such as a compromised container or an over-permissioned serverless function, is used as a foothold. The technique complements a zero-trust architecture rather than replacing it.

Practice least privilege access: Give employees and applications the minimum access to data stores that their role and intended usage require. That way, a compromised shadow IT component does not inherit blanket access to everything its owner could reach. Integrate legacy systems with cloud access brokers and identity providers so that the same policies can be enforced at scale.

The key insight is that while governance and education aim to reduce shadow IT risks on the front end, securing sensitive data acts as the last line of defense if all else fails. A resilient data-centric approach limits the impact of inevitable shadow IT usage while still enabling your company to capture the productivity benefits of the cloud.

Sustaining Security in the Cloud Era is About Balance

There you have it – establishing pragmatic guardrails to secure shadow IT is possible by combining oversight, training, and data-centric protections. Of course, this also allows employees the freedom to safely leverage new technologies that drive competitive advantages, like cloud services, data analytics, and container platforms. With the right balance of flexibility and governance, your organization can securely embrace digital innovation rather than restrict it.
