Overview
Shadow IT are those IT assets that are created or are being used by the employees in the organization without the knowledge of the IT team or the Security Team. While these assets can improve employee productivity to a great extent it poses a massive threat to the security of the organization. In 2016 Gartner predicted that by 2020, 1/3rd of security attacks would be caused because of shadow IT.
Why Shadow IT poses a risk for Cyber Security?
Knowledge of what you need to protect is the key to maintaining optimum security. Creating an asset inventory is the first step in any cybersecurity management function. However due to rapid digitization, cloud adoption, IoT adoption and agile disperse teams, 3rd party integrations, etc cybersecurity organizations no longer have control as well as visibility of assets.
Several high profile breaches like that of NASA breach was caused due to Shadow IT.
We will see how the following 9 steps can help you manage your shadow IT risk:
Ask For Asset List from all teams
The digital attack surface is very complex and typically very large which includes your domains, subdomains, online IPs, exposed APIs, third-party libraries, vendor exposures, and lot more. It is super difficult if not impossible to identify the entire digital attack surface. You should ask all the key stakeholders to create an asset inventory list either in the form of CMDB entries or spreadsheets. The hard problem is that typically the stake-holders themselves would not have full visibility of their assets.
Use Digital Asset Discovery Tools
Along with the manual discovery and identification of your digital assets, you must also use automated attack surface discovery tools. These tools scan the entire internet to find if any of the exposed assets belong to you. This can help you to discover the unknown unknowns or Shadow IT created by the organization. You may also use CASB products to identify those assets which are used by the organization but may not be owned/maintained by your team, for example, mobile apps, etc.
Use Internal Asset Discovery Tools
You can also use internal asset discovery tools provided by various vulnerability management vendors or tools like there are a newer set of technologies that can collect logs from various security tools and then build up your asset register.
Used Asset Management Tools or CMDB
Once you get the list of assets you may either use software like CMDB or use simple spreadsheets based on your preference or budget.
Create an Organizational Process for asset creation
You need to work with the key stakeholders and convey to them the importance of maintaining an updated asset register. You should educate them on the most recent braches being caused largely due to the unknown unknowns or Shadow IT. You should work with them to create a process of asset creating and maintaining a single list of asset registers and give access to cybersecurity so that the security team can monitor the risk associated with them. This is not practical and is too difficult to implement. For a large organization, you may never have full visibility and hence you should also use continuous attack surface monitoring tools to keep an eye on new assets getting created.
Get Stakeholders On Board
Getting all the stakeholders aligned is very critical to the success of the program. You need to educate them and get them on board instead of trying to thrust a process on them.
Create a Continuous Education & Awareness Program
You need to create a continuous education and awareness program by way of mailers, security learning session, and any other creative means. A one-time alignment activity shall not work in the future. You will need to do this on a regular basis.
Periodic Manual Assessment & Asset Inventory List Updation
The asset list needs to be updated periodically. In case you have a set process that is being followed by all, the task shall get easier. However, this is never the case in the real world. You may decide to appoint either a consultant or an in-house resource to talk to all the key stakeholders and update the list once a quarter or the frequency you find appropriate.
Continuous Monitoring Using External Attack Surface Discovery Tools
Using continuous Shadow IT monitoring tools is easier in case your budget for it. These tools can identify changes in your asset list automatically. However, just the tool alone is not enough. Sometimes tools may have some false negatives since it is impossible to have 100% coverage. So you should also augment the tools with manual asset inventory assessment as described earlier.