Shadow IT poses an immense risk to the security of organizations around the world, but few teams feel prepared to tackle the problem. A Deloitte research report found that 32% of organizations believe “shadow IT” assets are the greatest challenge for IT asset management, but that only 30% of organizations are gathering metrics about the accuracy of their ITAM reporting.
What is “shadow IT” #
Shadow IT refers to assets and infrastructure that were set up outside the approved channels and processes. While most IT departments and cybersecurity teams have policies and procedures to guide how new devices or users can be added to their environment, shadow IT circumvents them. Shadow IT doesn’t only refer to the unmanaged assets that were connected without approval, but also to the employees opting to break the rules.
Generally, shadow IT can be categorized under two umbrellas:
- Accidental, where through organizational changes IT ownership and responsibilities are fractured, leaving parts of the organization to manage it for themselves with no collaboration or oversight, and
- Intentional, where end users intentionally bypass the approved processes to add assets to the environment.
In either case, shadow IT results in pockets of unmanaged assets that may not be effectively protected. They might not getting updates and patches regularly, as well as not being onboarded to the cybersecurity tools used across the rest of the organization. In many cases, the assets were also never joined to the organization’s domain or IAM solution.
The big, the small, and the scary #
Shadow IT can exist on a wide scale. On the small end, you might have end users with a couple too many permissions able to install (or uninstall) unvetted software. On the big end, a department’s internal IT member might be adding assets to an isolated network and installing their own administration and cybersecurity tools.
But where do things turn scary? When unmonitored, unprotected assets are given access back into the organization, introducing security risks where no one can see. When some new cloud services are stood up through someone’s personal account just to “test something out,” but then they use their work credentials to access your environment and pull proprietary or sensitive data.
On every scale, shadow IT weakens an organization’s security posture, possibly leading to breaches or data loss. The presence of unmanaged devices on the network also negatively impacts an organization’s ability to meet compliance requirements and operate efficiently.
Ghosts in shells and assets in shadows #
No matter how or why shadow IT came to exist in an organization, the result is the same: unmanaged assets with an unknown amount of access storing who knows what kind of data. We won’t get into the classifications of unmanaged assets here, but check out our article on IT inventory management if you want to read more on that topic.
Plenty of IT departments and cybersecurity teams don’t know there’s a shadow IT problem in their organization unless they find time to go looking. Otherwise, the unmanaged assets and insecure implementations created by shadow IT could be hurting the security posture of the organization without anyone even realizing it.
Gotta find ‘em all #
Enough with the doom and gloom, how can we actually discover and identify assets created by shadow IT? While asset management and vulnerability scanning tools can be useful for identifying managed assets, unmanaged assets are more easily overlooked. That same Deloitte report found that most discovery tools require agents or use authenticated scanning. But if you can install an agent on an asset, you’re probably already managing it. Similarly with authenticated scanning: if you know the credentials and IP address, then you know the asset is there.
To close the gaps, you need agentless discovery that performs unauthenticated scanning, getting into every corner of the network where shadow IT might be hiding assets. To learn more about how authenticated and unauthenticated scanning works, read our post on network discovery.
You can close the loop to start managing unmanaged assets once you know about all of them. Their IP addresses can be folded into the appropriate vulnerability scans. You can install and maintain endpoint management and security software. They can become part of your patch management and IAM processes. When you can maintain a complete and accurate asset inventory, you can effectively manage and defend your network.