Today, we are spoiled for choice when it comes to the tools we use to do our jobs. Startups are constantly innovating, providing us with new ways to solve complex problems. One of the most common mediums for delivering these tools is Software-as-a-Service (SaaS).
It’s almost too easy. You’re only ever one registration form away from making your job easier.
That also means that if you’re in IT Security, staff members at your company are also only one registration form away from uploading company data, like customer or staff emails, or other documents to these tools.
When staff take matters into their own hands and start using their own software, we call it Shadow IT. It’s a huge threat to organizations, and it upends the narrative that breaches and data leaks are always caused by bad actors. Often it’s well-meaning staff just trying to do their job more efficiently. They justify their use of these tools without seeing the bigger picture (which I can understand; not everyone is a cybersecurity professional).
In the context of Identity Security, all of this can give us headaches. When SaaS services are implemented strategically in an organization, we want to cover our bases:
- Handle authentication to the application using corporate credentials (e.g., via our SAML IdP or OpenID Connect authorization server), and block the ability to log in directly to the application with separate, local credentials.
- Verify the user is authorized to access the application with the right permissions.
- Automate account creation and removal in the application system instead of doing this manually.
This lays the foundation for building out even stronger security controls such as Multi-Factor Authentication, Access Reviews, and Privileged Access Management, since you control the identity lifecycle and authentication layer.
When staff circumvent the proper application onboarding process and spin up their own tenancies, they will almost certainly overlook these controls and put the organization at risk. Often this approach is sold as ‘agility’ and ‘getting it done,’ but think about the exposure:
- Is the SaaS application reputable? Many of these SaaS solutions are bleeding edge and look very modern. But behind the scenes, it might be a very lean operation where functionality takes precedence over security. You may think data is encrypted and only visible to you, when in reality, you’re one SQL injection attack away from having all your data exposed.
- Is it publicly accessible? If the SaaS application is internet-accessible and the correct IT security controls aren’t in place, you may not need to worry about hackers hacking the SaaS solution; they may just walk in the front door with weak passwords.
- Who’s managing the users? In Shadow IT, end users become system administrators and often don’t follow best practices. This can lead to users not being properly removed from these systems, resulting in massive breaches where former employees can still access systems long after their employment ends. Shadow IT users often subscribe to free plans or trials, which have user count limits. This leads to account sharing, where, of course, the passwords to these accounts are never rotated.
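The lifecycle gaps described above (accounts that outlive employment, local passwords instead of SSO, shared accounts that map to no real person) are exactly what a periodic reconciliation between the corporate directory and a SaaS tenant's user list surfaces. The following is an added example, not code from the original post; the directory export, the SaaS user list, and their field names are constructed for illustration and will differ from any real product's export format.

```python
from datetime import date

# Constructed sample: what the corporate directory (IdP/HR) knows about people.
DIRECTORY = {
    "alice@example.com": {"active": True, "left": None},
    "bob@example.com": {"active": False, "left": date(2023, 11, 30)},
    "carol@example.com": {"active": True, "left": None},
}

# Constructed sample: a user list as exported from a SaaS tenant's admin console.
# "auth" records whether the account signs in via SSO or a local password.
SAAS_USERS = [
    {"email": "alice@example.com", "auth": "sso", "last_login": date(2024, 3, 1)},
    {"email": "bob@example.com", "auth": "password", "last_login": date(2024, 2, 12)},
    {"email": "shared-team@example.com", "auth": "password", "last_login": date(2024, 3, 2)},
    {"email": "carol@example.com", "auth": "password", "last_login": date(2024, 1, 5)},
]


def reconcile(directory, saas_users):
    """Compare a SaaS tenant's users against the corporate directory.

    Returns a dict of findings, each a sorted list of e-mail addresses:
      orphaned              - account has no matching directory identity at all
      former_employee       - account belongs to someone the directory marks inactive
      post_departure_login  - a former employee's account was used after their leave date
      local_login           - account does not authenticate through corporate SSO
    """
    findings = {"orphaned": [], "former_employee": [],
                "post_departure_login": [], "local_login": []}
    for user in saas_users:
        email = user["email"].lower()
        entry = directory.get(email)
        if entry is None:
            findings["orphaned"].append(email)
        elif not entry["active"]:
            findings["former_employee"].append(email)
            # A login after the leave date means deprovisioning was missed in practice.
            if entry["left"] and user["last_login"] > entry["left"]:
                findings["post_departure_login"].append(email)
        if user["auth"] != "sso":
            findings["local_login"].append(email)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for category, emails in reconcile(DIRECTORY, SAAS_USERS).items():
        print(f"{category}: {', '.join(emails) or '-'}")
```

In a real deployment the two inputs would come from the IdP's user export and the SaaS application's admin API or SCIM endpoint; the comparison logic stays the same.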
Preventing Shadow IT from taking hold in your organization is key to any cybersecurity strategy. In the context of Identity Security, here are a few takeaways:
- Publicize your Application Onboarding process clearly in your organization. If nobody knows there is a process, they won’t use it.
- Refine your Application Onboarding process. If your process is too cumbersome, the business will work around your controls. Strike the right balance of business agility with security control strength.
- Communication is key. As mentioned earlier, staff are generally well-meaning, and Shadow IT is often a side effect of staff trying to get a better outcome for the business. Explain in plain English what Shadow IT is and the possible consequences the organization can face if left untamed.
We’ve helped many businesses streamline their App Onboarding processes while implementing strong Identity Security controls. This actively battles the Shadow IT villain that exists in many organizations. We’d love to help you in your fight; drop me a message if you’d like to work together.
