It’s getting harder to secure your organization from cyber threats and attacks when the attack surface is continuously expanding. Adding to this expansion is the undeniable growth of Shadow IT – when infrastructure and services are used by an organization and its departments (think dev, finance, legal, marketing, and more) outside the purview of the IT and security teams. These ungoverned services include new business infrastructure, hosting partners, SaaS services, employees' connected apps, low-code/no-code software platforms, and more.
Gartner found that shadow IT is between 30% and 40% of IT spending in enterprise organizations, making it a constant challenge.
In a company where shadow IT proliferates, often several cloud services are in use, and these are frequently linked. There is an ease to setting up cloud environments, and coupled with the building and setting up of many environments – some automatically based on scripts – IT and security teams must rush to keep up with the growing attack surface this creates.
DevOps is often unwittingly creating security risks from shadow IT. Let's take, for example, a developer who sets up their own service by spinning up cloud infrastructure. This can be done using a master account of the company's cloud provider or via many other methods that make life easy for developers but difficult for IT to track.
Perhaps these services are unused after some time, but they remain in the company's cloud environment. Next, an attacker finds that service and looks to see if the underlying asset is protected. Attackers often seek out weaknesses related to the company's assets that should have been decommissioned or that fall outside the purview of those known and managed by IT. Multiply this by the number of developers in an organization and then by the number of cloud applications, and the problem increases. The fact is that an IT department may simply not be aware of the cloud assets in use.
As we now know, it’s easier than it has ever been for organizations to scale and accelerate IT operations by adopting public cloud platforms. But, as an organization’s cloud attack surface becomes more complex and more difficult to oversee, attackers can exploit cloud misconfigurations or exposed vulnerabilities more easily.
In a multi-cloud environment, where servers and services are fluid, security oversight often can’t get the job done. This leads to blind spots, unidentified and unchecked devices, and data.
According to an ESG Research survey of cybersecurity professionals, 76% say they’ve experienced a cyberattack because of an unknown, unmanaged, or mismanaged internet-facing asset. Nearly three-quarters of enterprises (73%) believe they have a strong awareness of less than 80% of their assets. This means that 1 in 5 internet-facing assets are blind spots that could be vulnerable to attack.
In today’s security environment, all organizations need to be proactive and have a 365-degree view to see the cloud from an attacker’s point of view. External Attack Surface Management is a powerful tool to achieve that view. This enables an organization to expose threats and not just assets to proactively defend the full digital supply chain.
Organizations today need to lay a foundation to identify Shadow IT as a part of this ever-expanding attack surface. The foundation includes:
With these pieces in place, blind spots can be reduced or eliminated, Shadow IT can become a little less scary, and proactive actions can take place to reduce the attack surface and the security risks facing an organization.
Marc Gaffan is CEO of IONIX.
Related articles:
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
