The Shadow IT Problem

A common issue in modern organizations is the risk introduced by shadow IT projects. Gartner has predicted that by 2020 a third of successful enterprise attacks will be against shadow IT resources. While under-staffed IT and security teams spend their time securing the environment they are responsible for, other teams introduce risk by launching IT projects without notifying IT or asking for its oversight. Such projects might involve unapproved software, web apps, IoT devices, servers, or services run by marketing, engineering, or other functional teams in the organization. Because shadow IT projects are normally administered by people who are not trained to maintain secure systems, they are often poorly deployed. Many such projects are quickly abandoned, which means the attack surface they expose is left behind long after the project has ended. Here we review the specific risks shadow IT projects introduce and solutions to those risks.

Which types of risk does shadow IT introduce?

One common risk is missed patches in vulnerable applications. Many new software vulnerabilities are disclosed each year, and shadow IT applications are frequently affected by them without anyone being assigned to track the disclosures. To make matters worse, proof-of-concept exploits are often published alongside a disclosure to validate it, which hands attackers a ready-made attack vector. Because IT does not know these applications exist, they never enter the patching and update cycle. A second common risk is missing security controls. Developers involved in shadow IT projects do not always understand where controls such as authentication or input validation are needed. Missing controls are normally caught in regular security testing, but because shadow IT projects are not visible to the security team, they are usually left out of that testing. Vulnerable devices are a third common risk. IoT devices, for instance, usually ship with default passwords, and shadow IT projects frequently fail to follow the corporate policy that requires each default password to be replaced with a new, strong one.

Solutions to Shadow IT Risk

The general solution to the risk introduced by shadow IT projects is straightforward to state but difficult to implement. First, IT and security teams need visibility into every asset in the organization. Next, appropriate controls are required to minimize risk across all of those assets. An automation platform for security and compliance can help to bridge this gap.

Visibility Across Your Infrastructure

An automation platform for security and compliance can provide visibility into your web assets by continuously monitoring your domains for changes and newly appearing assets. The result is an inventory of everything an attacker could reach, including shadow IT projects that were previously invisible to IT.
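The core of that visibility is a diff between the inventory IT believes it owns and what a discovery pass actually finds. The script below is an added example, not code from SD Elements or Security Compass: it compares a CMDB-style inventory against the output of a discovery pass (DNS enumeration, certificate-transparency monitoring, a port scan), reports unregistered hosts and service drift on known hosts, and goes one step further than the paragraph above by ranking the results so that an unowned host exposing a default-credential-prone service comes first. Both inventories are constructed sample data, and the service labels and the RISKY_SERVICES list are assumptions for illustration.

```python
"""Inventory diff for shadow IT discovery.

Added example, not code from SD Elements or Security Compass. All inventory
data below is constructed sample data; the "proto/port" service labels and
the RISKY_SERVICES list are assumptions for illustration.
"""
from typing import Dict, List, Set

# Record shape for both inventories:
#   host -> {"ip": str, "services": set of "proto/port", "owner": str or None}
KNOWN_INVENTORY: Dict[str, dict] = {  # what the CMDB says IT owns (constructed)
    "www.example.com": {"ip": "203.0.113.10", "services": {"https/443"}, "owner": "web-team"},
    "vpn.example.com": {"ip": "203.0.113.20", "services": {"https/443", "ike/500"}, "owner": "netops"},
}

DISCOVERED: Dict[str, dict] = {  # what the latest discovery pass found (constructed)
    "www.example.com": {"ip": "203.0.113.10", "services": {"https/443"}},
    "vpn.example.com": {"ip": "203.0.113.20", "services": {"https/443", "ike/500", "ssh/22"}},
    "campaign2019.example.com": {"ip": "198.51.100.7", "services": {"http/80", "telnet/23"}},
    "build-agent.example.com": {"ip": "198.51.100.9", "services": {"https/443"}},
}

# Services that commonly ship with default credentials or no transport security (assumed list).
RISKY_SERVICES: Set[str] = {"telnet/23", "ftp/21", "http/80", "rdp/3389"}


def new_hosts(known: Dict[str, dict], discovered: Dict[str, dict]) -> List[str]:
    """Hosts the discovery pass found that have no CMDB record at all."""
    return sorted(set(discovered) - set(known))


def new_services(known: Dict[str, dict], discovered: Dict[str, dict]) -> Dict[str, List[str]]:
    """Services that appeared on hosts IT already knows about (drift on a known asset)."""
    drift = {}
    for host in set(known) & set(discovered):
        added = discovered[host]["services"] - known[host]["services"]
        if added:
            drift[host] = sorted(added)
    return drift


def findings(known: Dict[str, dict], discovered: Dict[str, dict]) -> List[dict]:
    """Turn inventory differences into findings, highest severity first.

    An unregistered host is at least medium severity because nobody is
    accountable for patching it; it becomes high if it exposes a risky
    service. A new service on a known host is low unless it is risky.
    """
    results = []
    for host in new_hosts(known, discovered):
        risky = sorted(discovered[host]["services"] & RISKY_SERVICES)
        results.append({
            "host": host,
            "owner": None,  # no CMDB record, so no one to assign the fix to
            "reason": "unregistered asset",
            "risky_services": risky,
            "severity": "high" if risky else "medium",
        })
    for host, added in new_services(known, discovered).items():
        risky = sorted(set(added) & RISKY_SERVICES)
        results.append({
            "host": host,
            "owner": known[host]["owner"],
            "reason": "new service on registered asset: " + ", ".join(added),
            "risky_services": risky,
            "severity": "high" if risky else "low",
        })
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(results, key=lambda f: (rank[f["severity"]], f["host"]))


if __name__ == "__main__":
    for f in findings(KNOWN_INVENTORY, DISCOVERED):
        print(f"[{f['severity']:6}] {f['host']}: {f['reason']} "
              f"(owner={f['owner']}, risky={f['risky_services']})")
```

Run against the sample data, the forgotten campaign host with Telnet and plain HTTP is ranked first, the unowned build agent second, and the SSH port that appeared on the registered VPN box last, with its owner attached so the finding can be routed. In practice the discovery side would be fed by a real enumeration tool and the known side by the CMDB, but the diff-and-rank logic is what separates an alert someone acts on from a raw scan dump.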

Actionable Controls

Such a platform can translate policies into actionable tasks and controls, with each control mapped directly to the policies, security standards, and frameworks it satisfies.

Control and Auditable Compliance

With such a platform, risks can be identified and prioritized automatically. With a centralized repository for all risk data and an auditable record of changes, teams can more easily provide evidence of compliance with internal and external policies and standards.

To learn more about our automation platform for security and compliance, SD Elements, visit here.


About Security Compass
Security Compass, a leading provider of cybersecurity solutions, enables organizations to shift left and build secure applications by design, integrated directly with existing DevSecOps tools and workflows. Its flagship product, SD Elements, allows organizations to balance the need to accelerate software time-to-market while managing risk by automating significant portions of proactive manual processes for security and compliance. SD Elements is the world’s first Balanced Development Automation platform. Security Compass is the trusted solution provider to leading financial and technology organizations, the U.S. Department of Defense, government agencies, and renowned global brands across multiple industries. The company is headquartered in Toronto, with offices in the U.S. and India. For more information, please visit https://www.securitycompass.com/