Addressing Shadow IT Issues During COVID-19 Crisis
Security Experts Offer Risk Mitigation Tips
With the massive shift to telework as a result of the COVID-19 pandemic, shadow IT is becoming a more critical security issue around the world. That's because some workers are using their own hardware and sometimes downloading free applications without first involving the security department.
Among key shadow IT risk mitigation steps in the current environment, security professionals say, are:
- Installing technologies, including network traffic analyzers, to help ensure visibility and monitoring capabilities;
- Deploying cloud access security brokers to help enhance security for those accessing data remotely from a wide variety of devices, some of which were not sanctioned;
- Enforcing strict governance policies for the remote workforce.
In the manufacturing sector, one emerging shadow IT challenge is remote workers deploying free applications without first addressing security.
"The production teams in the plants do not understand the implications of using the free software without any security tools, which results in a chaotic situation as the production stops when the license expires," says Ravikiran Avvaru, head of IT and security at Apollo Tyres Ltd., an India-based manufacturing firm.
Another emerging shadow IT issue in all sectors is that some organizations are relying on collaboration tools - without the knowledge of IT and security teams - to work on joint projects with other organizations, says Subhajit Deb, CISO at Dr. Reddy's Laboratories, a multinational pharmaceutical firm based in India.
"This often leads to the security team not being aware of the risks arising out of these devices - and by the time they come to know it is often too late," he says.
David Finn, executive vice president of strategic innovation at CynergisTek, a California-based consultancy, points out that some workers shifting to working at home are procuring new devices on their own. "So they often do not reach out to the IT team while procuring a device. They buy it and bill it, resulting in Shadow IT," Finn says.
Network Traffic Analyzers
In light of these and other shadow IT challenges, Deb of Dr. Reddy's Laboratories suggests the use of network traffic analyzers and cloud-based data loss prevention solutions, which can help identify shadow IT.
"There are also many digital asset discovery services being offered on the market right now that can help an organization to create an inventory of the approved digital and social assets and that can be the baseline by which organizations can go and discover shadow IT assets," Deb says.
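The baseline-then-discover approach Deb describes, as an added example that is not from the article or from any vendor's tool: it compares web-proxy log destinations against an inventory of approved services and reports every destination outside the baseline, ranked by how many users reach it. The approved list and the log lines are constructed sample data.

```python
"""Discover unsanctioned SaaS use by comparing proxy log destinations with an
inventory of approved services (constructed example, not a real product)."""
from collections import defaultdict
import re

# Constructed baseline: hostnames the organization sanctions; subdomains count too.
APPROVED_ASSETS = {"mail.corp.example", "sanctioned-collab.example"}

# Constructed proxy log lines: timestamp user destination bytes_out
SAMPLE_PROXY_LOG = """\
2020-04-01T09:02:11Z alice mail.corp.example 18230
2020-04-01T09:05:47Z bob filedrop.example 52428800
2020-04-01T09:06:02Z carol free-collab.example 8192
2020-04-01T09:07:30Z bob free-collab.example 4096
2020-04-01T09:08:10Z dave files.sanctioned-collab.example 2048
2020-04-01T09:09:55Z alice free-collab.example 1024
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def is_approved(host, approved=APPROVED_ASSETS):
    """True if host equals an approved asset or is a subdomain of one.
    The leading dot prevents 'notsanctioned-collab.example' from matching."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in approved)

def find_shadow_it(log_text, approved=APPROVED_ASSETS):
    """Return {host: {"users": set, "bytes_out": int}} for unsanctioned destinations."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, user, host, nbytes = m.groups()
        if is_approved(host, approved):
            continue
        findings[host]["users"].add(user)
        findings[host]["bytes_out"] += int(nbytes)
    return dict(findings)

def rank_findings(findings):
    """Order unsanctioned hosts by distinct users, then by bytes sent out."""
    return sorted(findings, key=lambda h: (-len(findings[h]["users"]),
                                           -findings[h]["bytes_out"]))

if __name__ == "__main__":
    found = find_shadow_it(SAMPLE_PROXY_LOG)
    for host in rank_findings(found):
        f = found[host]
        print(f"{host}: {len(f['users'])} user(s), {f['bytes_out']} bytes out")
```

The user count drives the ranking because a service several employees already rely on is the one Johnson's point below applies to: it is a candidate for sanctioning, not just blocking.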
Finn suggests a "zero-trust" approach to minimizing risks tied to a remote workforce that in some cases uses shadow IT.
"If you can limit access to corporate resources to a single entry point, you've got a better shot at managing the situation. If you can apply multifactor authentication to that point, that is even better," Finn says.
He also suggests expanded use of encryption and multifactor authentication, as well as identity and access management.
Mark Johnson, a former healthcare CISO who now leads the healthcare security practice at the consultancy LBMC Information Security in Tennessee, notes: "There are tools which can monitor and possibly block cloud connections. These tools could be used to identify shadow IT. The question is, what happens when you find it? If you take a too harsh or negative approach, you may engender more shadow IT."
The Role of CASBs
CASBs can help with the challenge of shadow IT security in organizations that make extensive use of the cloud for data storage and other purposes, security experts say.
"CASBs allow security and remote access, which follows the user anywhere they go and are not bound by appliance capacity. In today's times, this is proving to be invaluable in building data visualization," says Bil Harmer, CISO at SecureAuth Corp., a U.S.-based authentication firm.
Other security experts say CASBs enable organizations to uncover shadow IT usage that is not visible via a query in a SIEM or with next-generation firewall or secure web gateway tools. "CASBs provide a central location for policy and governance concurrently across multiple cloud services for users and devices and granular visibility into and control over user activities and sensitive data," Deb says.
Pankaj Dikshit, senior vice president of IT and IT security at India's Goods and Services Tax Network, says documenting policies and making them available to all the employees has helped his organization address the problem of shadow IT.
"Our governance is very strict - we know exactly what applications one can use and one cannot use. That list, fortunately, is small," he says. "But if and when we notice a violation, we ensure corrective action is taken immediately and we make sure all employees know about the action. This goes a long way in ensuring that employees do not do anything outside of what is allowed."
But Johnson, the consultant, warns that having guidelines that are too strict may aggravate the problem of shadow IT.
"We need controls that are able to balance security with usability," he argues. If a company has controls that are too tight, workers will be apprehensive about approaching the IT team to resolve issues, he contends. "They will find a way to get past the IT, leading to a rise in the shadow IT problem."
Singapore-based Aloysius Cheang, executive vice president for Asia Pacific at The Center for Strategic Cyberspace + International Studies, suggests companies impose penalties for those who do not follow the policies around shadow IT.
"BYOD and telecommuting have been around for a long time. I recommend using the NIST standard as a reference if your organization has yet to implement any kind of work-from-home policies and guidelines," Cheang says. NIST SP 800-46 guides enterprises on telework, remote access and bring-your-own device issues.