It’s getting harder to secure your organization from cyber threats and attacks when the attack surface is continuously expanding. Adding to this expansion is the undeniable growth of Shadow IT – when infrastructure and services are used by an organization and its departments (think dev, finance, legal, marketing, and more) outside the purview of the IT and security teams. These ungoverned services include new business infrastructure, hosting partners, SaaS services, employees' connected apps, low-code/no-code software platforms, and more.
Gartner found that shadow IT accounts for between 30% and 40% of IT spending in enterprise organizations, making it a constant challenge.
Shadow IT Security Risks
In a company where shadow IT proliferates, several cloud services are often in use, and these are frequently linked. Cloud environments are easy to set up, and with many environments being built and configured – some automatically, by scripts – IT and security teams must rush to keep up with the growing attack surface this creates.
DevOps is often unwittingly creating security risks from shadow IT. Let's take, for example, a developer who sets up their own service by spinning up cloud infrastructure. This can be done using a master account of the company's cloud provider or via many other methods that make life easy for developers but difficult for IT to track.
Perhaps these services are unused after some time, but they remain in the company's cloud environment. Next, an attacker finds that service and looks to see if the underlying asset is protected. Attackers often seek out weaknesses related to the company's assets that should have been decommissioned or that fall outside the purview of those known and managed by IT. Multiply this by the number of developers in an organization and then by the number of cloud applications, and the problem increases. The fact is that an IT department may simply not be aware of the cloud assets in use.
As we now know, it’s easier than it has ever been for organizations to scale and accelerate IT operations by adopting public cloud platforms. But, as an organization’s cloud attack surface becomes more complex and more difficult to oversee, attackers can exploit cloud misconfigurations or exposed vulnerabilities more easily.
An Attacker’s Point of View
In a multi-cloud environment, where servers and services are fluid, security oversight often can’t get the job done. This leads to blind spots, and to unidentified and unchecked devices and data.
According to an ESG Research survey of cybersecurity professionals, 76% say they’ve experienced a cyberattack because of an unknown, unmanaged, or mismanaged internet-facing asset. Nearly three-quarters of enterprises (73%) believe they have a strong awareness of less than 80% of their assets. This means that 1 in 5 internet-facing assets are blind spots that could be vulnerable to attack.
In today’s security environment, all organizations need to be proactive and have a 365-degree view to see the cloud from an attacker’s point of view. External Attack Surface Management is a powerful tool to achieve that view. It enables an organization to expose threats, not just assets, and to proactively defend the full digital supply chain.
Organizations today need to lay a foundation to identify Shadow IT as a part of this ever-expanding attack surface. The foundation includes:
- Continuous and accurate asset discovery. If the assets are constantly changing, continuous monitoring and discovery is step one to reducing risk. An organization needs to know what assets it has in order to protect them.
- Context around business-critical assets. Once you have gained visibility into your complete inventory of connected assets and are monitoring continuously for changes, then comes decision time. Which of these assets are mission critical? Which contain sensitive corporate, customer, partner, or personal information? In order to apply the proper protections, IT assets need to be mapped to their importance to the business.
- Third-party assets. It’s not just about the assets you own. In today’s interconnected digital world, it is also about your organization's extended network of third-party software and vendor-managed and maintained assets. Attackers often exploit these assets and connections to gain access to their ultimate target in your organization. Therefore, mapping attack paths from the digital supply chain is a crucial part of gaining the attacker’s view.
With these pieces in place, blind spots can be reduced or eliminated, Shadow IT can become a little less scary, and proactive actions can take place to reduce the attack surface and the security risks facing an organization.
Marc Gaffan is CEO of IONIX.