CIO

Extending network security to include shadow IT

By Matthew Brigham, ANZ Regional Sales Manager, Tenable Network Security

The increased use of personal digital devices and internet-based IT services in the workplace is causing headaches for security teams around the world.

Dubbed 'shadow IT', the trend is growing rapidly. It can involve employees accessing corporate systems and data from their private smartphone or tablets, or making use of services such as Dropbox, Google Docs or a range of other hosted services.

For employees, the motivation is one of expediency. Rather than having to arrange requisition orders, seek managerial approval and battle the IT department, they can source their own resources. This means the process can be reduced from weeks to just minutes.

For organisations, the trend is causing significant security problems. Shadow IT resources fly 'under the radar' of the IT department and so bypass the controls and measures put in place to secure the organisation's IT infrastructure.

Employees may be storing sensitive data on cloud-based platforms that are outside the IT department's control. It might be convenient for them to share documents using Dropbox, but doing so means that data may no longer be protected.

Such usage patterns may also cause compliance issues for an organisation. Regulations may require sensitive data to be stored in Australia; however, using a web-based platform could mean it actually ends up on servers in Singapore or the United States.

There is also no way for the IT team to be sure that external platforms have sufficient levels of security in place. Cyber criminals are routinely attacking third-party services and some are found not to have enterprise-grade protection.

According to research firm Gartner “by 2020 a third of successful attacks experienced by enterprises will be on their shadow IT resources.” Gartner recommends that “business units deal with the reality of the enterprise and will engage with any tool that helps them do the job. Companies should find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.”

A new approach to security

Traditionally, organisations have approached infrastructure security by creating a defensive ring around core applications and data. Threats are kept out using a mix of anti-virus software, firewalls and other monitoring tools.

However, with the shadow IT trend unlikely to disappear, security teams are realising that a new strategy is required. Rather than banning the use of personal devices and cloud-based services, they need to extend their security to encompass these areas.

The steps to take include:
1. Ensure continuous visibility:

Conventional security solutions tend to be designed to undertake periodic vulnerability scanning. However, this approach, no matter how frequent, can only provide a snapshot in time. This means that at all other times the organisation is susceptible to undetected attacks.

When shadow IT resources are deployed, a better approach is to implement real-time, continuous security monitoring. This ensures that transient devices, as well as external applications and services, are recognised and monitored.

By deploying tools to support this approach, the IT department can run both active and passive scans to detect and identify transient laptops, personal mobile devices and external services. If threats are recognised, remedial steps can be taken.
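As an added illustration of the passive side of this monitoring (example code written for this page, not from the article or from Tenable's products): a script that runs constructed DHCP and DNS log lines against a hypothetical asset inventory, flagging devices that obtained a lease but are not in the inventory, and clients that resolved the hosted services the article names. The log format, the inventory and the service watch-list are all assumptions.

```python
"""Passive shadow-IT discovery over DHCP and DNS log lines (illustrative).
Flags devices absent from the asset inventory and any client resolving
the hosted services the article names. Log format is an assumption."""
import re
from collections import defaultdict

# Constructed sample log lines, not captured from a real network.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 dhcp DHCPACK 10.0.5.21 aa:bb:cc:00:00:01 corp-laptop-17
2024-03-01T09:02:14 dhcp DHCPACK 10.0.5.88 de:ad:be:ef:00:02 Johns-iPhone
2024-03-01T09:03:30 dns 10.0.5.88 query www.dropbox.com
2024-03-01T09:05:02 dns 10.0.5.21 query intranet.example.internal
2024-03-01T09:06:45 dns 10.0.5.21 query docs.google.com
2024-03-01T09:10:00 dhcp DHCPACK 10.0.5.90 c0:ff:ee:00:00:03 android-3f2a
"""

# Hypothetical inventory: MAC addresses the IT department manages.
KNOWN_ASSETS = {"aa:bb:cc:00:00:01"}

# Hypothetical watch-list mapping domains to the services the article mentions.
WATCHED_SERVICES = {"dropbox.com": "Dropbox", "docs.google.com": "Google Docs"}

DHCP_RE = re.compile(r"^(\S+) dhcp DHCPACK (\S+) ([0-9a-f:]{17}) (\S+)$")
DNS_RE = re.compile(r"^(\S+) dns (\S+) query (\S+)$")


def discover(log_text, known_assets=KNOWN_ASSETS, watched=WATCHED_SERVICES):
    """Return (unknown_devices, service_use).

    unknown_devices: MAC -> {ip, hostname, first_seen} for devices that
    obtained a lease but are not in the inventory (transient/personal devices).
    service_use: client IP -> set of watched hosted services it resolved.
    """
    unknown = {}
    service_use = defaultdict(set)
    for line in log_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, mac, hostname = m.groups()
            if mac not in known_assets:
                unknown[mac] = {"ip": ip, "hostname": hostname, "first_seen": ts}
            continue
        m = DNS_RE.match(line)
        if m:
            _ts, ip, qname = m.groups()
            for domain, service in watched.items():
                # Match the domain itself and any subdomain (www.dropbox.com).
                if qname == domain or qname.endswith("." + domain):
                    service_use[ip].add(service)
    return unknown, dict(service_use)
```

A real deployment would feed live DHCP and DNS logs instead of the constructed sample and treat the unknown-device list as a review queue for the IT department.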

2. Understand the context:

The second step is to monitor all recognised assets within the infrastructure (including shadow IT resources) and understand how they interact. Data flows between devices and core applications need to be tracked, as do all interactions with cloud-based resources.

Once the interactions are understood, steps should be taken to ensure that traffic is protected and only authorised users can gain access to the organisation's infrastructure.

One of the best ways for an organisation to ensure its security defences are providing this required level of protection is to confirm they adhere to recognised industry guidelines and frameworks. Examples include those provided by the US-based Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).

While it has to be recognised that no organisation can have perfect security, such frameworks provide solid guidance when putting protective measures and strategies in place. By conforming to industry standards, organisations can ensure they end up with security that matches their particular requirements.

3. Prioritise and educate:

No organisation has an unlimited budget for security. Careful assessment of what systems are in place and the nature of the shadow IT that is deployed is essential. The security team can then ensure that the investments made in security tools and services are providing the maximum level of protection possible.

At the same time, staff need to be educated about the security implications of using shadow IT. By increasing awareness of the potential problems they can cause, staff will be less likely to make rash choices that could cause disruption and loss to their employer.

If organisations follow these steps, the security concerns created by shadow IT can be significantly mitigated. Staff will be able to make use of resources such as personal devices and web-based services while understanding the implications of their choices.

Rather than being a looming security problem, shadow IT can become a useful and secure part of an organisation's IT infrastructure.