Why You Should Be Afraid of Shadow IT (And What to Do About It)

Just a few years ago, IT may have been perceived as the department of “no.” Today, they are unsung heroes. IT has a very complex job, and it’s central to the functionality and success of the organization. They must be innovators, firefighters, and provisioners of resource deployments, while simultaneously maintaining the governance, cost control, and security of their ecosystems.

Security, in particular, has been an eternal thorn in IT’s side — specifically, the convoluted task of providing secure infrastructure resources across an increasingly distributed and porous enterprise perimeter.

In 2019, the problem was made glaringly apparent by multiple news stories of high-profile data breaches. One of the most notable was the Capital One incident exposing the accounts of over 100 million customers and applicants—the result of an AWS misconfiguration error being exploited. The Marriott hotel chain kicked off 2019 with a devastating security failure when hackers accessed the records (including passport numbers and credit cards) of a whopping 380 million guests.

More recently, the COVID-19 pandemic has become a cybercriminal’s dream scenario, and coronavirus scams are rapidly proliferating. Defending an already porous distributed perimeter is hard enough. Now, a new work-from-home reality has made IT security exponentially more critical and difficult.

COVID-19: Defending the perimeter becomes infinitely harder.

The coronavirus era has vastly expanded an already-distributed workforce, creating millions of unprepared and distracted users. With IT teams juggling complicated family scenarios on top of a crowded work plate, it’s a guarantee that attackers will add to their burden, anxiously waiting for an opening into an enterprise’s clouds, databases, and systems to exploit.

If securing an enterprise IT perimeter is monumentally challenging in normal situations, it’s become a nightmare in the new work-from-home normal, where an organization’s attack surface has suddenly expanded to unprecedented levels.

The burden of shadow IT.

The added pressures of the pandemic come at a time when IT decisions are no longer centralized solely within IT. Larry Ponemon, the founder of the Ponemon Institute, has said that “many IT decisions are now distributed throughout the organization at the line-of-business level. From a security point of view, it’s a nightmare scenario.”

Gartner believes that these behind-the-scenes decisions leading to “shadow IT” are an enormous problem. In 2018, they predicted that this year, over one-third of cyberattacks will be on shadow IT and IoT resources.

Shadow IT is expensive, to begin with; having a bunch of disparate, ad hoc services running in the background and consuming valuable infrastructure resources is going to eat into any IT budget. Gartner estimates that shadow IT accounts for 30-40% of all IT spend in large organizations. The Everest Group puts it even higher at 50%.

However, the biggest costs associated with shadow IT comes in the form of security risks. In fact, a recent IBM report cites the average cost of a data breach at $ 3.92 million, a rise of 12% in the past five years. How can you protect assets you don’t know exist? How can you ensure the security of your enterprise when you have all these unprotected assets? In order to answer these questions, IT needs to start thinking and acting differently—they need to rein in shadow IT before attackers can exploit it.

Thinking and acting differently: Customer centricity

With all of IT’s responsibilities—putting out fires, provisioning resources, closing tickets, providing the necessary hardware and software for employees—they are understandably pressed for time. When people in other departments such as engineering or development can provision cloud resources on the fly with just a credit card and the click of a mouse, it’s tempting for them to do so instead of waiting on IT.

It’s not out of malice; really, who can blame them for immediately spinning up test servers on AWS if IT is this busy? In order to accommodate this chaotic new reality, IT ops need to change. Specifically, it needs to become customer-centric.

Developers, for example, already have enough on their plates, much like IT. If they need resources on-demand in an ever-changing and fast-moving environment, ordering them up via IT and within company policy needs to be as simple as if they were to do it themselves. Outdated policies and procedures therefore must be updated to reduce friction and expedite IT services without compromising security.

Eliminating friction with a self-service model.

One way that enterprises can solve this problem is by implementing a self-serve IT model: building an IT-sanctioned catalog of services that users can provision with a click of a button. The concept of frictionless self-service means IT can build and avail a catalog of resources (compute, storage, etc.).

Services (Terraform, ServiceNow, Ansible, etc.) that are available to DevOps with one click. Not only would this make it easier on DevOps to consume what they need, when they need it, but it will curb unnecessary expenses or cloud cost surges (for example, when servers are left spinning during lull times).

A self-service model built on intelligent automation allows IT teams to maintain control over user permissions, configurations, and usage rates. Built into the model are guardrails such as determining which groups can provision hybrid cloud resources, what they’re allowed to provision and their quotas.

Provisioning resources in a self-serve way inherently means that these resources have the right access and quotes associated with the various roles and permissions throughout the organization.

Not building it isn’t an option for some sectors.

While a self-serve model is logical and advantageous for all enterprises, it is more critical for some than for others.

Consider the following real-world example. In one US state, a single centralized IT team is responsible for the entire state’s IT needs. The state’s IT organization struggled with centralizing a large number of virtualization resources that were spread across separately-managed vCenter and XenServer clusters.

VM sprawl was costing the state thousands of dollars a month in infrastructure and licensing charges, and delays in resource provisioning resulted in a sharp increase of public cloud-based shadow IT environments that put sensitive agency data and security at risk.

By implementing a self-service portal to automate the provisioning and management of servers, the state not only solved the cost issue related to VM sprawl but most importantly, it addressed the risk of potentially leaking sensitive state government data.

Reining in shadow IT – and the risks that come with it.

IT has the opportunity to address one of the most difficult moving targets in the enterprise—shadow IT—by reducing the barriers to and complexities of provisioning resources with a self-service delivery model. Organizations should start building their self-service catalog by first adding their core services. Over time, more resources can be added as your teams require them.

As 2020 continues on with the uncertainty of COVID-19 and the ever-increasing threat of new cyberattacks, the stakes for defending the growing, distributed perimeter have never been higher than before.

IT may not be able to change employee behavior. However, it does have the power to eliminate friction and make their jobs much easier, while in the process addressing inherent internal risks and the growing risks of outside attacks.

Image Credit: George Becker; Pexels

The post Why You Should Be Afraid of Shadow IT (And What to Do About It) appeared first on ReadWrite.

ReadWrite

(44)