Skip to main content
Today’s columnist, Jeff Costlow of ExtraHop, says employees will tell you what they like using. Slack offers a good case in point, which is why he writes security pros should embrace Shadow IT as an opportunity to improve the business. (Credit: CC BY 2.0)

There’s really no perfect marriage between convenience and security. And to the dismay of security teams, employees will always do whatever they find convenient. In fact, there’s even a common name for it: Shadow IT. While Shadow IT has been around for several years, it continues to plague enterprises and the shift to work-from-home (WFH) has only exacerbated the issue. So how do security teams make the best of that trade-off, especially with newly distributed workforces?

Shadow IT refers to any hardware or software used without the explicit authorization of the IT department. Employees don’t typically have malicious intentions. They turn to Shadow IT for a legitimate reason: to get their jobs accomplished.

In one case, a vice president at a struggling retailer paid out-of-pocket for a cloud-based customer relationship management system, desperate for immediate access to the digital tools that could help the company. When faced with disciplinary action for the potential security risks of the project, it turned out the vice president had generated $1 million in revenue each month since implementing the rogue software. While tech solutions that aren’t approved by IT can pose security or compliance risks, a zero-tolerance policy isn’t necessarily the best answer.

Turn risk into opportunity

Instead of viewing Shadow IT as an inviolable risk, security teams should accept it as a reality and work to manage it better. Consider Shadow IT an opportunity to discover what types of tools employees are interested in using. By working closely with network operations and IT teams, security teams can observe which technologies people are using and quickly determine whether they present a serious risk or can they can safely onboard it with the correct security policies.

By taking this approach, organizations can simultaneously cut down on Shadow IT and securely deliver employees with the tools that will boost their productivity and satisfaction. The best part? It transforms security from the team of “no” to drivers of innovation in the business.

Champion the BISO

CISOs have enormous jobs, making it impractical to keep track of and understand the varying needs of every single business unit within the enterprise. At the same time, Shadow IT has become too vast to sit on one team’s shoulders. To effectively manage Shadow IT, the CISO needs to foster an alliance.

Business Information Security Officers (BISOs), are now important players that can help better manage Shadow IT. Because BISOs are embedded in the nuances and requirements of their respective units, they can offer important intel to the CISO about which technologies are mission-critical. From there, the CISO can help build new policies, granting access to the necessary resources while safeguarding the business.

The increase in remote work has also added a layer of difficulty to the task of monitoring employee usage of unauthorized apps and technology. With employees connecting remotely, usage of VPNs  and remote protocols like RDP have gone up spectacularly, and employees are using their own devices rather than company- issued ones. Instrumenting every device with an endpoint agent or activity logging policy presents a challenge. Focus on monitoring employee connections to corporate resources. It’s a more effective way to secure valuable assets than attempting to regulate every tool or program they use. A few questions security operators need to be able to answer are the following:

  • How can I detect large data transfers within my network? And from inside to outside my network? If I see a large data transfer, how do I tell what data was moved?
  • How can I tell if a user accesses unauthorized cloud services?
  • How can I tell whether a remote connection, via RDP, VPN, or other methods, behaves normally, or takes risks or acts maliciously?

The answer to all of these questions lies in monitoring network connections and behavior. Remote workers still connect to corporate resources, and it’s possible to observer their behavior on the network. While the overall picture of “normal” behavior has shifted because of increased remote working, networks are still the connective tissue that binds remote workers, data centers, and cloud services together. There’s still a behavioral baseline that security teams can observe and quantify and compare against to detect and respond to threats.

No policy or solution can completely stop employees from using unapproved devices or services, especially in this climate when employees are just doing their best to make WFH work. This doesn’t mean security teams should adopt a lenient approach, but it does mean they have to plan for the inevitability of non-sanctioned IT and work across departments to avoid security vulnerabilities along the way.

Jeff Costlow, chief information security officer, ExtraHop

Original article source was posted here