The Real Risk of Shadow IT – Multiple Identities

Written by Greg Keller on April 24, 2015

Today, even kids can develop websites and create programs or apps. Every day, the technology industry is working to lower the bar for using IT services. Now that just about anybody can leverage IT services, organizations are feeling the impact.

The Rise of Shadow IT

One of the largest impacts is the pervasive spread of Shadow IT across organizations. Shadow IT refers to IT systems that are built or implemented inside organizations without explicit organizational approval. With cloud infrastructure and web-based applications, virtually any group or person within an organization can create their own IT capabilities.

Risks of Shadow IT

There is an immediate benefit and instant gratification to Shadow IT. That’s what drives employees to seek out and create their own solutions. But Shadow IT, while often convenient and innovative, generally comes at the expense of security, scalability, and availability.

When departments other than IT cook up services, things inevitably fall through the cracks. Other groups within an organization aren’t set up to evaluate and scope IT projects. As a result, decisions are made with different drivers – such as time to project completion, cost, and ease of use. These are important value points, but other critical requirements are not given proper attention, and neglecting them can expose an organization to a great deal of risk.

The Real Risk of Multiple Identities

Higher cost, duplicate services, wasted time and resources — all of these are potential risks of Shadow IT. But the largest risk is users having multiple identities.

As we have previously discussed, corporate identities are incredibly valuable to hackers. They are the gateway into an organization. With the right identities, a hacker could have the keys to the kingdom (think Sony).

The worst part of Shadow IT is that it is not connected to the core directory structure. User identities are re-created in a number of other applications, devices, and networks. Often, users will just re-use their existing credentials – i.e. their username and password from their core corporate identity. But since the two aren’t connected, IT has no way of revoking access, tracking access, or even managing the credentials.

Why is that scary? A compromise in one of those Shadow IT applications or devices now means that credentials potentially identical to those in the core directory are on the loose. It will only be a short amount of time before those credentials are tested on core applications and devices that are controlled by the IT organization. Up until this point, the IT organization will have no knowledge that a user’s credentials have even been compromised.

The result is that IT is left flat-footed when they learn that an application or device out of their purview has been compromised. Shadow IT may exist outside of IT’s purview, but that doesn’t stop security breaches from having a direct impact on the organization!

How Can IT Prevent the Risks of Shadow IT?

IT isn’t going to stop Shadow IT from happening, but they can encourage one step that will make a world of difference: connect the newly created/implemented devices, applications, and networks back to a core directory service.

How is this possible? A leading solution currently available is a Directory-as-a-Service® from JumpCloud. A DaaS platform will allow you to have one set of credentials for all of your IT resources – whether they are under IT management or not.

This quantum leap in security makes life better for users and for the IT department. Single Sign-on access means ease and efficiency for users. Meanwhile, IT is back in control of the most important digital asset – credentials. In tandem with a DaaS, IT can revoke credentials when necessary and also help detect compromises early.

Consolidate Multiple Identities and Platforms with DaaS

Shadow IT isn’t going away – it’s likely only going to increase in the short-term.

But IT can help to protect the organization by taking advantage of services that allow third party applications and devices to be connected to the core user directory. Directory-as-a-Service makes this process quick and easy. Reasonably technical personnel from other groups will often be able to connect to the cloud-based directory, making it easy for the other departments to solve their own problems while protecting the company.

If you would like to talk about how JumpCloud can help you bring a little more control to an uncontrollable situation like Shadow IT, give us a call. We would be happy to chat with you about it further.
