Today the ready availability of cloud-hosted software has made it easier than ever for individuals to adopt unofficial software.  This Shadow IT significantly increases the complexity of the attack surface an organization must protect.   Many IT and governance teams and the tools they use are ill-prepared for the size of this challenge. 

Shadow IT – As Old as Software Itself

Ever since organizations first adopted computing for business purposes, there has been a certain tension between the professionals in the IT team who control the systems and software, and business folks who want to solve their problems and use technology to make their lives easier.

At the heart of the tension has been the desire of the IT and governance teams to control how users adopt new technology.  The premise of this approach is to minimize exposure to risk, but end-users often view such an approach as unresponsive and standing in the way of their legitimate and urgent business needs.

Thus, was born Shadow IT – the practice of end users building their own IT infrastructure to meet their individual needs, outside of normal IT processes and usually without any of the central teams (IT, purchasing, or compliance for example) even being aware.

Shadow IT has evolved through many eras.

The IBM PC democratized access to hardware, with many acquired and used by tech-savvy users in offices across corporate America while IT teams focussed on mainframes and mini-computers. In the 1980’s business users obtained and used pre-Internet ‘shareware’ software from bulletin boards and computer magazine cover disks.   The rise of the early Internet made this process even simpler.

But today Shadow IT has evolved further to move away from local infrastructure to the Cloud. The ready availability of Cloud-hosted software, accessed via a web browser and paid for (if at all) using a credit card, has made it easier than ever for individuals to adopt unofficial software into the business.

SaaS – A New Era for Shadow IT

This latest era of Shadow IT is by far the most worrying we have seen.

Cloud-hosted Software-as-a-Service, or SaaS, leaves no footprint inside the organization as it requires no computer to run it and there’s nothing to install. 

The ease of adoption and attractive payment terms mean that companies are using far more SaaS applications than they realize.  This can often be more than ten times as much, leading to hundreds of Shadow SaaS applications.

As a result, the same users are bypassing and disenfranchising the IT and compliance teams at an ever-increasing rate.

That’s a fundamental change in how software is consumed, and it completely changes the risk profile. With traditional software, whether it ran on the user’s PC, on a server in the data center, or even on a virtual machine in a private Cloud, it was entirely under the company’s control. People within the organization managed the infrastructure – servers, networks, operating systems – they installed the application, and they managed the data. That meant the organization controlled most of the risks directly, understanding the risk profile and mitigating where required. The only vendor risks were those within the application code itself, so there was a dependency on the vendor to develop the code properly without vulnerabilities – but even those could be controlled by good testing and patching.

But when a SaaS application is in use, the operating model is very different – SaaS is more like an outsourcing arrangement than traditional software. The vendor provides and manages all the infrastructure, people within the organization have no access or insight into it, and the vendor is responsible for most of the security. There is a much greater level of trust in the vendor, and the vendor becomes deeply embedded in day-to-day operations.

Are You “Feasting” on Shadow SaaS?

The veritable feast of new apps being adopted by your users might be great for agility, innovation, and efficiency, but have you stopped to consider the other side of the equation?

Your critical, confidential data is now in the hands of the supplier, and there are risks of that data being exposed through a breach or misused by the supplier or their people. Any one of those apps could be supporting a business process, could have customer data in them, and each one is a potential for passwords to be compromised.

So, the overall result is that Shadow IT is still with us in the age of Cloud, and in many respects, it is a bigger headache for the IT team than ever before. When it consisted mainly of software running on desktop machines, it was easy to control and protect within the organization’s perimeter – but now that Shadow IT is mainly out in the Cloud, it is exposed in ways that significantly increase the risk.

Credential theft or compromise remains the single biggest route for attack.  Unfortunately, SaaS means that these credentials are now more exposed than ever. 

How to better secure and simplify access to your company’s digital assets.

Despite the risks that come with SaaS and Shadow IT, there are simple steps you can take today to protect your enterprise – both inside and outside the cloud.

Credentials – usernames and passwords (including one-time passcodes (OTPs) and PINs) – are the biggest targets for bad actors because they are the most easily obtainable ‘keys’ to the ‘front door’ of your company. Anything you are required to type in, in fact, is what we call ‘Phishable’ – bad actors can potentially obtain those credentials through phishing emails, calls, etc. via various methods and with technology that is more and more sophisticated. Eliminating Phishable credentials – particularly the password – can not only enhance security but also simplify login and vastly improve the user experience.

By now we’ve all heard from the experts that Multi-factor Authentication (MFA) is a must-have for security and will likely soon be required for all businesses.  But not all MFA is created equal. Traditional or ‘Legacy’ MFA often still requires a password for access, as one of the factors for authentication. Modern MFA – that is inherent, or built into the solution, with authenticating factors that are tied to the user (biometrics coupled with a token or device the user already carries, for example) is more secure and ‘invisible’ to the user, therefore reducing friction and increasing adoption across the enterprise.

What’s more, much MFA requires a separate login for your various applications. A solution with MFA + Single Sign-On (SSO) will mean your users only have to log in once to all applications. SSO reduces friction and enhances security by decreasing the attack surface.

Ask us how TraitWare’s Passwordless MFA + SSO for Zero Trust Access can help.

But how can I be sure that ALL enterprise users are using MFA for access across ALL applications?

Improving access control across the enterprise – inside and outside of the cloud – with Active SSO™

While we know the clear benefits of Passwordless MFA + SSO for the Enterprise, the protection and simplicity will only work fully when all your Enterprise Apps are looking in the right direction – at your MFA provider. With our move to the Cloud along with remote work, your users may be bypassing MFA.

TraitWare + Ampliphae is Active SSO™. Rather than passively authenticating, Active SSO™ employs Ampliphae’s SaaSGuard technology to assess how all your users are being authenticated when using SaaS Cloud Apps. This provides customers with 360º Protection. Active SSO™ uses SaaSGuard capability to automatically detect and advise you about:

Incorrect Configuration – not configured to use TraitWare MFA

Unknown Apps – not supporting TraitWare

Mis-behaving Apps – Apps that are allowing users to bypass MFA

Customers with a TraitWare subscription can directly access the TraitWare reports from within SaaSGuard’s dashboard.  This allows you to reduce the cost of manual checks needed to ensure your TraitWare Passwordless Access is used at all times to protect your company. 

For more information about TraitWare + Ampliphae and Active SSO for enhanced security and usability, contact us at any time.