Shadow IT, the blind spot of IT security
Julien
What is shadow IT ?
Shadow IT, also known as shadow computing, parallel computing or rogue IT, is the practice of using technologies (software, SaaS platforms, hardware or other resources) without the knowledge or approval of a company or organization’s IT department. Employees/users bypass processes perceived as too slow, restrictive, unsuitable, or in order to meet urgent needs. It helps to overcome the limitations of existing resources within the organization. It also benefits the user, who feels in control of his or her working environment.
A study by Gartner in 2023 revealed that 69% of employees had intentionally circumvented cybersecurity.
The use of employees’ personal equipment (laptops, tablets, smartphones, connected watches…) is also part of Shadow IT. Even when used without malicious intent, this practice presents a number of IS security risks. That’s why many companies are adopting a “Bring Your Own Device” (BYOD) policy. The aim of this policy is to regulate the use of personal IT equipment in the workplace.
Des exemples concrets de shadow IT
Use of unauthorized cloud services
An employee shares files via Google Drive, WeTransfer or Dropbox, risking exposure of sensitive company data. These services, while convenient, may present vulnerabilities or a lack of control over the security of the information exchanged. This can lead to leaks or unauthorized access, compromising the confidentiality of shared data.
Third-party productivity applications or online tools
Business teams use Trello or Slack without IT validation, increasing security risks for the company. Also, the use of free online tools (such as PDF converters) can introduce significant security vulnerabilities.
These practices expose the organization to cyber risks such as password leaks or exploitable vulnerabilities.
Automated scripts and macros
An employee with elevated privileges sets up macros or scripts not validated by the IT department to automate certain tasks. These tools can introduce security loopholes or system errors of which the IT department is unaware. As a result, these undetected problems can compromise system security, performance and integrity, while increasing the risk of unforeseen incidents.
Personal equipment
Employees use their personal teleworking equipment, such as computers or USB sticks, which are sometimes unsecured. Unsecured home Internet connections further expose company data to cyber-attacks. The use of personal smartphones to access business systems can lead to risks of leakage or hacking.
Communication tools
The teams decide to use means they find faster for exchanges (WhatsApp,..) instead of the dedicated messaging system.
IT department test phase
An IT team creates a test environment for experimentation (e.g. a server deployment), but forgets to delete it. If this environment is to be used for a different purpose than originally thought, it may not be properly isolated, or worse, exposed on the Internet.
These practices illustrate the many forms of Shadow IT, making sensitive data more vulnerable and exposed online. This increases the likelihood of sensitive data leaks or unauthorized access via security breaches.
The risks associated with Shadow IT
The use of Shadow IT technologies exposes corporate data, which is not only easy for attackers to find with just a few clicks, but also very difficult to remove (what’s published on the Internet, stays on the Internet).
Here are the risks of Shadow IT :
- Data leakage : unapproved services fall outside the IT department’s perimeter and do not always comply with security standards by design or configuration, or with the latest updates. For example, encryption protocols do not comply with company policy. This can lead to leaks of sensitive data.
- Loss of data : if an employee has access to company resources via personal identifiers, he or she may intentionally or unintentionally alter or delete them (in the event of dismissal, for example, if he or she still has access to critical data).
- Lack of traceability : if an attacker reaches the IS via unrecorded/unknown sources, it will be difficult to find his point of entry…
- Non-compliance : using tools outside IT policies can violate regulations such as the RGPD, exposing the company to sanctions.
- Expansion of the attack surface : obviously, unsupervised tools increase entry points and therefore the external surface for cyberattacks. Escaping the vigilance of security teams, an attacker could infiltrate, retrieve information or passwords, move laterally or escalate privileges.
Towards Shadow AI (Artificial Intelligence)?
With the advent of artificial intelligence tools, employees are increasingly resorting to applications such as ChatGPT, Gemini, DALL-E… This informal use of AI escapes the supervisory framework, making it difficult for security teams to guarantee practice compliance and data protection.
In 2023, Samsung banned its employees from using ChatGPT following an inadvertent disclosure of confidential data. Given the growing popularity of these open-access tools, Shadow IA represents a growing challenge for companies, who need to find ways of understanding, controlling and framing these uses.
The ease with which these tools can be accessed and used makes it difficult for companies to control them. Without clear governance, organizations expose themselves to security breaches, data loss and privacy violations. It is essential to monitor the use of these tools by teams to identify potential risks. Companies must first define clear policies and train staff in the dangers of Shadow IT.
According to a study by IFOP (French Institute of Public Opinion) in May 2023, 68% of French people using generative AI in business hide it from their line manager.
How do you manage Shadow IT ?
-
Surveillance proactive du Shadow IT :
Utiliser des solutions telles que l’EASM (External Attack Surface Management) permet d'identifier et de surveiller les actifs numériques exposés, y compris ceux résultant du Shadow IT. L'EASM aide les entreprises à cartographier leur surface d'attaque externe, y compris les données et les services non supervisés, afin de détecter et de gérer les risques avant qu'ils ne deviennent des menaces majeures. Avec AlgoLightHouse, nous pouvons identifier les services liés au périmètre sur des plateformes externes à l’infrastructure.
-
Formation et sensibilisation :
Sensibiliser les employés aux risques du Shadow IT et à l’importance de suivre les protocoles est un point important. Cela peut être réalisé à l’arrivée d’un nouvel employé ou lors de différentes sessions de sensibilisation. Une communication continue sur les dangers potentiels et les bonnes pratiques contribue à réduire les incidents liés au Shadow IT.
-
Mise en place de politiques BYOD (Bring Your Own Device) :
Il est essentiel d’encadrer l’utilisation des appareils personnels au sein de l’entreprise en mettant en place une politique BYOD. Cela doit inclure des solutions de gestion de sécurité appropriées (cloisonnement, contrôle d’accès, chiffrement…) et une charte informatique claire qui définit les règles concernant l'utilisation des appareils personnels pour accéder aux ressources de l'entreprise.
-
Surveillance et encadrement des outils d’intelligence artificielle :
Mettre en place des moyens en interne pour encadrer l’usage de ces nouvelles technologies sans freiner l'innovation. La mise en place d'une IA hébergée et gérée en interne (avec des outils comme LM Studio) permettrait aux entreprises de fournir des outils technologiques de nouvelle génération en toute sécurité.
-
Encourager le dialogue :
Le développement du Shadow IT peut être favorisé par une méconnaissance des outils disponibles ou des politiques internes. Les employés doivent avant tout pouvoir exprimer facilement leurs besoins, qui seront ensuite examinés par le DSI ou le RSSI. Si certaines demandes d’outils sont refusées, des alternatives sécurisées peuvent être proposées. Le processus de validation des nouveaux outils doit être clair et accessible.
-
Favoriser une politique IT « ouverte » :
Les entreprises qui reconnaissent les besoins des employés et intègrent des outils sécurisés et conformes à leurs processus IT peuvent mieux prévenir les pratiques de Shadow IT. En encourageant un dialogue ouvert et en sensibilisant les équipes aux enjeux de sécurité, les organisations peuvent réduire une menace potentielle en une opportunité de renforcer leur résilience et leur cybersécurité.
Conclusion
Shadow IT highlights the many challenges facing businesses. The rise of unregulated tools, and the emergence of Shadow IA, considerably increase the attack surface and associated risks.
In response, External Attack Surface Management (EASM) is emerging as a key solution. By mapping and monitoring exposed digital assets, even those originating from Shadow IT, this approach enables risks to be identified and managed upstream. Combined with appropriate IT policies, employee awareness campaigns and the use of secure tools, EASM helps to reduce the surface of exposure without hampering innovation.
Share this article