I’ve spoken before about Zero Trust approaches to security, but for many of those starting on their journey, there isn’t an obvious place to start with the model. With this post, I wanted to share an example approach I’ve seen working that many organisations already have in place and can be easily rolled into a larger program of Zero Trust hardening: understanding your Shadow IT.
Shadow IT – What is it and what risk does it present
Shadow IT refers to software and configurations that are deployed by departments other than the centralized IT department, often as a means of working around limitations (or security controls!) to enable functionality that is deemed “necessary” by the implementer. Whilst not intending to do harm, such implementations are rife with risk, and with “Bring Your Own Devices”-type approaches becoming increasingly common, particularly alongside rapidly deployed work-at-home schemes, Shadow IT has grown significantly. Today, many more applications and services are being used to interact with business data than ever before—all without the visibility or scrutiny, which is key to preventing leaks.
Security teams have long known that even well-organised IT departments run up significant risks from the acts of a negligent administrator. Even an approved line-of-business application that gets deployed without the security team’s awareness can prove to be a risk if it escapes patching and default hardening procedures because it was deployed without the usual controls in place.
The reality I’ve seen time and again is that security teams are left out of the loop when machines are deployed or reconfigured, and once systems slowly drift away from an initially secure configuration state, correcting them proves much harder than ones which have been deployed in line with approved security controls in place from day one. With unofficial software implementations that aren’t owned by formal IT teams within the organisation, there’s far less willingness to make changes to bring them in line with security standards lest they inadvertently impact a service that the business has unknowingly sleepwalked into having to support and that is key for day-to-day operations.
A Tactical Approach to the Threat
With the threat that Shadow IT poses, it’s a key area where a Zero Trust approach makes sense. Getting started is easier than you might think. If you’re using Tripwire Enterprise, you can leverage its flexible agent and agentless-based integrity monitoring controls to watch for changes that might indicate that unapproved applications or configurations are being implemented. In many cases, you can use this same information to identify whether an approved IT staff member was responsible for the installation.
Building on this framework of detection, Tripwire Enterprise’s secure configuration management tools can help you address the risks associated with any detected unexpected software implementations by providing insight into the configuration of applications whether it’s a database instance added to a host or a new browser application deployed outside of change control.
Importantly, all of these processes should be undertaken automatically. (Applying a Zero Trust approach should mean that no instance of an application is any less of a risk than another.) Fortunately, Tripwire Enterprise’s automated “Actions” allow you to build up responses to changes in configuration, providing an opportunity to automatically assess newly detected applications as well as to provide suitable notification and reporting to help determine the impact of a new Shadow IT instance.
Shadow IT in the Cloud
Beyond your onsite infrastructure, there’s an increasing risk of Shadow IT showing up in the form of new cloud services. Whether it’s IaaS, PaaS or SaaS, any cloud system can become an area where “feral” systems can sneak into the business, resulting in increased exposure. And once again, the key is detection (typically by detecting client apps, firewall or proxy logs) and then response. For Shadow IT in the cloud, the strategy I’ve found most successful is to shine a bright light on the systems since shutting them down can be challenging for any number of reasons. Fortunately, bringing cloud solutions into compliance is becoming increasingly simple. Our cloud management assessor service, for example, gives you automated ways to harden any new systems that you discover and want to reduce the risk around.
Small Steps on your Zero Trust Journeys
Every Zero Trust journey will require some significant changes to most security teams’ approaches, but the payoff of a secure network means it’s a trip that most teams might want to consider. Whilst Zero Trust as a concept remains relatively new, for many, the tools required to achieve it are already deployed and ready to help you get to your destination that little bit faster.