Whether they realise it or not, organisations across many markets and industries have recently found themselves dealing with the effects of shadow IT. Shadow IT refers to technology that individual employees or business units adopt and bring into the office environment without the consent or knowledge of the organisation's IT security teams. With a vibrant software-as-a-service (SaaS) market and SaaS applications rising in popularity, many business managers no longer feel the need to go through corporate IT to obtain the application functionality they need for their jobs. The accessibility and convenience of that market is what makes shadow IT so prevalent. Even superficial surveying shows that many corporate executives are not aware that shadow applications and services are in use within their workplace; some are not even familiar with the concept of shadow IT. The presence of these shadow applications and services does not spell doom and gloom for an organisation: they can genuinely help business units and employees within their job scopes. There are, however, real risks to IT and data security.
One immediate concern is identity and access management (IAM). Employees may find themselves locked out of important applications and services if they cannot recall their passwords. On the other hand, there is the considerable risk of employees reusing the same passwords across different services and applications, from personal web sites to corporate accounts; if any of those accounts or services is compromised, the organisation is exposed to attack by hackers and cyber terrorists. In addition, there is the issue of ensuring that employees can only access the features and data relevant to their duties and scope of work. Timely removal of application access and other account privileges when employees leave the organisation is also crucial. If the IT team is not aware of a given cloud service or application, or cannot monitor its account and log-in records, this deprovisioning will not be completed. Beyond that, because the application or service is in the shadows, IT teams cannot track its usage across the organisation. That visibility matters for cost control, especially when SaaS applications are paid for according to the number of employees and business units using them.
With cloud-based applications now the norm, how can IT departments regain control over IAM? One idea is to use single sign-on (SSO) for all cloud-based applications. Doing so eliminates the problem of password reuse while adding extra layers of security. IT teams can also take a risk-based approach and adjust security policies accordingly.
For financial services firms in particular, shadow IT poses a serious security risk and could have major consequences for regulatory compliance and operations.