The Shadow Cloud Knows
Author: Tim O'Connor
You may have heard of “Shadow IT”. Shadow IT is the term for employees installing their own hardware or software without the approval, or even the knowledge, of the people responsible for supporting, approving, designing or securing an organization’s information technology. These installations cause a long list of problems, and some of the most serious are security related. When attackers are looking for a way into an organization, or simply scanning the internet for anything that is open and exploitable, these employee-installed apps and devices are a goldmine for them.
Over the past decade, tools and policies have developed to help IT and security teams discover and deal with Shadow IT installations. It is still a problem, but a problem for which we have many choices of tools, policies and procedures for mitigation.
Times change and technology evolves, especially in IT and security. “The Cloud” is changing the technology landscape in new ways every day. Remember the old adage that “those who do not learn from history are doomed to repeat it”? The lessons learned from dealing with on-premises Shadow IT must be remembered as we tackle Shadow IT that lives not on premises but in the Cloud.
Back in 2016, Gartner forecast that by 2020 a full one third of successful cyber-attacks on mid-sized to enterprise organizations would come in through Shadow IT resources, increasingly Cloud-connected ones. We are now on the doorstep of 2020, and we find ourselves with some serious obstacles to discovering and dealing with Cloud-connected Shadow IT.
With traditional Shadow IT, network engineers and security professionals could hunt down unapproved hardware by reviewing the leases handed out by Dynamic Host Configuration Protocol (DHCP) for unknown hosts, or by analyzing traffic as it crossed the corporate firewall. Unapproved software could be located with any one of dozens of enterprise software inventory and discovery packages, many of them open source or built into other management products such as Microsoft SMS (later System Center Configuration Manager). These techniques are largely blind to Shadow IT in the Cloud, and worse, a clean on-premises inventory can give a false impression of security.
Shadow IT in the Cloud really is “shadowed”: it is hard for the defenders to find and easy for attackers to exploit. Most Cloud traffic is difficult or impossible to inspect because it is encrypted with TLS (SSL) or carried inside a VPN tunnel; on the corporate network what typically remains visible is the metadata, such as DNS queries and the server name in the TLS handshake, not the content. Many Cloud services are reached directly, so the traffic never passes through a corporate firewall at all. Cloud data-sharing apps and services also run on employee-owned devices such as phones and tablets, which keeps them outside of most IT management products, and outside the reach of even that metadata.
With traditional Shadow IT, an employee was typically aware they were installing an application that IT does not support, or an appliance like a wireless access point that a network engineer did not install. With Cloud-based applications and services, employees might not even know the difference between Cloud and non-Cloud software, or the difference between personal OneDrive, OneDrive for Business and a SharePoint document library, for example. We cannot rightly blame an employee for copying bank account access information, HIPAA data or corporate secrets to a personal, unprotected Cloud file-sharing service when they have never been trained to distinguish these confusing and nearly identical-looking products and services.
IT personnel can also be the source of accidental Shadow IT in the Cloud. Cloud products notoriously lack transparency. When that lack of transparency is coupled with the ability to spin up not only insecure virtual machines but whole networks with the click of a button or the run of a script, it is not hard to see how unexpected resources could be deployed and only discovered after they have been used against the organization.
Now that we can see what some of the issues are with Shadow IT in the Cloud, what can we do to mitigate the risks?
Sometimes it is just as important to know what NOT to do as it is to know what can be done to work towards a remedy.
What we do NOT want to do is BAN the use of non-approved and unsupported Cloud products. Humans often struggle with the tempting idea of solving a subtle and complex problem with a simple “feel good” reaction. We can learn from the U.S. Prohibition of alcohol that what looks like a solution can not only fail to fix the problem but generate significant new problems that are even harder to remedy.
If we ban or punish employees for Shadow IT in the Cloud, it will likely become even harder to find and secure. We want security to enhance business practices and competitive advantages, not hinder them. Develop a way to welcome innovation and the new products that employees discover; we are all part of one team. Employees who implement Shadow IT are usually looking for better ways to do their job, and they know their jobs and their needs better than anyone else does. Few organizations have an R&D department dedicated to efficiency, and these employees are effectively filling that role. If employees are deploying Shadow IT, either they have a need that should be filled or they are unaware of an enterprise product because of poor employee training or poor IT implementation. There is a thriving third-party market for tools that make the Cloud more transparent, but we still, and likely always will, need good security awareness training.
If our employees cannot do a reasonable job of knowing whether the data and tools they use are housed on premises or in the Cloud, and whether that data or tool needs some form of standardized settings or security, then we do not have an IT problem or a Cloud problem; we have a worker knowledge problem.
Security Awareness is not just about phishing emails. It is about having a positive security culture in which employees are open, free and motivated to ask how to use and secure new tools. Employees who work with any form of company information should be able to tell the difference between information that must stay confidential and information that can be made public.
Security Awareness, while critical in managing Shadow IT in the Cloud, is not a complete solution. Remember, we are working with a subtle and complex issue. Security Assessors and professional security Trusted Advisors can work with your organization to find other useful methods of locating and working with Shadow IT. One example is to look at employee expense reports. It is not uncommon for an employee to expense a Dropbox subscription, mobile app store purchases or subscription-based SaaS products. You can trace the expense right back to the Shadow IT in the Cloud deployment and its users. Remember to use this as the discovery of a need or a new solution, not as a hunt for a rogue employee to punish.
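The two discovery signals mentioned above, the metadata that survives encryption on the corporate network and the expense-report trail, can be correlated with a short script. What follows is an added example, not code from the original article or from any product it mentions. The SaaS catalog, the expense-report CSV layout, the DNS query log format and all employee and host names are constructed for illustration; a real run would replace them with your own expense export and resolver or proxy logs.

```python
"""Correlate two signals of cloud Shadow IT: expense-report line items and
DNS query logs. Added example, not from the original article. The SaaS
catalog, CSV columns, log format and all names are assumptions."""
import csv
import io
from collections import defaultdict

# Assumed catalog: service -> (merchant keywords, domain suffixes).
# In practice this comes from a CASB feed or your own list of known SaaS vendors.
SAAS_CATALOG = {
    "Dropbox": (["dropbox"], ["dropbox.com", "dropboxapi.com"]),
    "Slack": (["slack"], ["slack.com", "slack-edge.com"]),
    "Trello": (["trello"], ["trello.com"]),
    "Zoom": (["zoom"], ["zoom.us"]),
}

# Constructed expense export (an employee expensing a personal Dropbox plan etc.).
EXPENSE_CSV = """employee,department,date,merchant,amount,description
alice,Marketing,2019-09-03,DROPBOX*PLUS,11.99,cloud storage
bob,Finance,2019-09-05,Slack Technologies,8.00,team chat monthly
alice,Marketing,2019-10-03,DROPBOX*PLUS,11.99,cloud storage
carol,Engineering,2019-10-11,Amazon Web Services,3.21,lab server
dave,Sales,2019-10-12,Zoom.us,14.99,webinar
"""

# Constructed resolver log: timestamp, client IP, record type, queried name.
DNS_LOG = """2019-10-14T09:01:12Z 10.20.3.41 A api.dropboxapi.com
2019-10-14T09:02:47Z 10.20.3.41 A www.dropbox.com
2019-10-14T09:05:03Z 10.20.7.9 A edgeapi.slack.com
2019-10-14T09:07:55Z 10.20.7.9 A intranet.example.com
2019-10-14T09:09:30Z 10.20.5.77 A trello.com
"""


def classify_merchant(merchant):
    """Map a card-statement merchant string to a catalog service, or None."""
    m = merchant.lower()
    for service, (keywords, _) in SAAS_CATALOG.items():
        if any(k in m for k in keywords):
            return service
    return None


def classify_domain(fqdn):
    """Map a queried name to a catalog service by exact or parent-domain match."""
    f = fqdn.lower().rstrip(".")
    for service, (_, suffixes) in SAAS_CATALOG.items():
        if any(f == s or f.endswith("." + s) for s in suffixes):
            return service
    return None


def discover(expense_csv, dns_log):
    """Return {service: {"expensers": set, "charges_cents": int, "clients": set}}.

    A service can show up in only one source: a paid plan used from a personal
    phone never touches the resolver, and a free tier never reaches finance."""
    found = defaultdict(lambda: {"expensers": set(), "charges_cents": 0, "clients": set()})
    for row in csv.DictReader(io.StringIO(expense_csv)):
        service = classify_merchant(row["merchant"])
        if service:
            rec = found[service]
            rec["expensers"].add((row["employee"], row["department"]))
            rec["charges_cents"] += int(round(float(row["amount"]) * 100))  # avoid float drift
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        client, fqdn = parts[1], parts[3]
        service = classify_domain(fqdn)
        if service:
            found[service]["clients"].add(client)
    return dict(found)


def unmatched_merchants(expense_csv):
    """Merchants the catalog did not recognise; these need a human look too."""
    return sorted({row["merchant"] for row in csv.DictReader(io.StringIO(expense_csv))
                   if classify_merchant(row["merchant"]) is None})


if __name__ == "__main__":
    for service, rec in sorted(discover(EXPENSE_CSV, DNS_LOG).items()):
        print(f"{service}: expensed by {sorted(rec['expensers'])}, "
              f"${rec['charges_cents'] / 100:.2f} total, seen from {sorted(rec['clients'])}")
    print("unrecognised merchants:", unmatched_merchants(EXPENSE_CSV))
```

Two points worth noticing in the output. Trello appears only in the DNS log and Zoom only in the expense data, which is why neither source is sufficient alone. And the catalog finds only what you already know to look for, so the unrecognised-merchant list (here, an AWS charge on an engineer's card) is where the genuinely new Shadow IT tends to surface.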
In summary, Shadow IT in the Cloud is a serious problem that will only continue to get more complex. We can address and mitigate it, but like most complicated and changing problems we need to approach it with thought, education and some creativity. If this is not a problem you are ready to deal with using your current resources, turn to a Trusted Security Advisor or a good firm that can act as one.