Shedding Light on Your Shadow IT

Effective management of shadow IT calls for a combination of strong technical measures and cultivating a culture of security awareness, thereby reducing the risks associated with unapproved tools and services.

Mario Platt, Vice President and CISO, LastPass

November 14, 2024

Shadow IT has long been a problem for companies, from personal devices brought into the workplace to untested software installed inside the perimeter. As companies have moved to the cloud, the problem has only become more tangled: Well-meaning employees set up unsanctioned services, and technical teams use unapproved cloud services to add functionality to their projects.

Plus, remote employees and their mashup of consumer and prosumer technologies bring less visibility and more risks into the IT-security equation.

According to HashiCorp's 2024 study, only 8% of companies had "highly mature" practices across both infrastructure and security lifecycle management. Add to that mix the chaos of a merger or divestiture, and problems can grow quickly. The blending of two technology platforms in a merger or the breaking apart of common infrastructure in a divestiture likely leads to breakage and the loss of security oversight.

Managing shadow IT is an ongoing challenge that requires a combination of technical controls, governance processes, and cultural change to address it effectively. Here are three ways that companies can get a handle on shadow IT. 

1. SSO is necessary, but far from sufficient. A common way to gain visibility into cloud and on-premises services is to rely on single sign-on (SSO) platforms to know which applications and services employees are using. The challenge, however, is that not every application is SSO-enabled, especially cloud or mobile applications on employees’ personal devices that are often used for work. 

Separations and divestitures produce duplicates of most critical services, new devices for employees, and the need for a revamp of all security controls, as a company moves from legacy services to a new platform. During these times, detection, analysis and response to threats (DART) can be particularly challenging. 

The lesson for corporate security teams is not only to gain visibility, but to create a backend process that educates employees and diverts them from non-approved risky applications to approved platforms. 

2. Assets must be discovered across hybrid infrastructure. Another challenge is the proliferation of remote and mobile workers, whose devices -- often poorly managed -- sit in home offices or connect from the road.

For in-house workers, companies have default control over on-premises technology, even if that technology is non-sanctioned shadow IT. To help manage remote technology, companies should have agents on any device connecting to a corporate cloud service or using a virtual private network. Such security can be sufficient, depending on how your company implements the defenses and checkpoints. 

During a merger, organizations must gain clear visibility of all IT assets across the new enterprise and enforce a zero-trust approach to any access to sensitive corporate data. During a separation, organizations may lose visibility of devices and applications, resulting in shadow IT and potential vectors of attack. 

The transition to remote work caused by the coronavirus pandemic forced many companies to switch to secure web gateways to enforce policies with in-house and remote employees. Companies should focus on additional zero-trust security measures to enforce security policies even when employees are outside of the corporate firewall. 
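The gap described in point 1 (applications that never appear in the SSO catalogue) can be measured from the secure web gateway's own logs. The following is an added example, not part of the original article: the log format, domain names and allowlist are constructed for illustration, and the two-label domain rule is a stated simplification.

```python
"""Surface SaaS domains seen at the secure web gateway that have no SSO integration."""
from collections import defaultdict

# Constructed sample data: domains registered in the SSO catalogue (hypothetical).
SSO_DOMAINS = {"corp-crm.example", "corp-mail.example"}
# Infrastructure noise that is not an application (hypothetical allowlist).
IGNORED = {"os-updates.example"}

# Constructed gateway log, hypothetical format: timestamp user host bytes_uploaded
GATEWAY_LOG = """\
2024-11-01T09:00:01Z alice app.corp-crm.example 1200
2024-11-01T09:02:10Z bob chat.ai-notes.example 48000
2024-11-01T09:05:44Z carol chat.ai-notes.example 9100
2024-11-01T09:07:00Z bob files.quickshare.example 5300000
2024-11-01T09:08:30Z alice cdn.os-updates.example 300
malformed line without enough fields
2024-11-01T09:09:12Z bob CHAT.AI-NOTES.EXAMPLE. 700
"""

def base_domain(host):
    # Assumption: the last two labels identify the service. Production code
    # should use the Public Suffix List to handle suffixes such as co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_unsanctioned(log_text, sso_domains=SSO_DOMAINS, ignored=IGNORED):
    """Return [(domain, users, requests, bytes_uploaded)] for non-SSO domains."""
    seen = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than crash the report
        _, user, host, sent = parts
        domain = base_domain(host)
        if domain in sso_domains or domain in ignored:
            continue
        entry = seen[domain]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += int(sent)
    # Rank by distinct users first: broad adoption marks the apps worth
    # onboarding to SSO or steering users away from.
    rows = [(d, sorted(e["users"]), e["requests"], e["bytes"]) for d, e in seen.items()]
    return sorted(rows, key=lambda r: (-len(r[1]), -r[3]))

if __name__ == "__main__":
    for domain, users, requests, sent in find_unsanctioned(GATEWAY_LOG):
        print(f"{domain:25} users={users} requests={requests} uploaded={sent}")
```

The ranked output feeds the backend process the article calls for: each domain is either onboarded to SSO or its users are redirected to an approved equivalent.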

3. Cultural changes are necessary. Organizations must make sure that every cloud service supports their mission of security, and no technology is unmanaged. This is especially true during challenging events, such as a merger or divestiture. 

Shadow IT comes from a culture that treats the security teams as gatekeepers that can be evaded. According to software supply-chain firm Snyk, more than 80% of companies have developers skirting security policies and using AI code completion tools to generate code. ChatGPT and other large language models (LLMs) became the top shadow IT in 2023, months after release.  

Companies need to show employees why security is necessary to keep the business running and what the consequences could be if that focus is lost. Keeping that focus is admittedly difficult, especially when companies often go through a cycle of alternately emphasizing security and cost savings. 

Effective management of shadow IT calls for a combination of strong technical measures and cultivating a culture of security awareness, thereby reducing the risks associated with unapproved tools and services. In times of rapid digital transformation, especially during mergers and divestitures, creating a flexible IT infrastructure that adapts to change is key to safeguarding security and maintaining trust across the business. 

About the Author

Mario Platt

Vice President and CISO, LastPass

Mario Platt is an accomplished, highly respected and innovative information security expert, with a multi-faceted track record of expertise spanning penetration testing, operations, product management, design authority, risk management and governance, and with success in attaining and maintaining compliance through security frameworks across telecommunications, retail, healthcare and public sector organizations throughout the last 15+ years.
