{"id":1843,"date":"2019-07-25T04:38:06","date_gmt":"2019-07-25T04:38:06","guid":{"rendered":"http:\/\/kusuaks7\/?p=1448"},"modified":"2023-08-09T10:58:34","modified_gmt":"2023-08-09T10:58:34","slug":"what-is-shadow-it","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/what-is-shadow-it\/","title":{"rendered":"What is Shadow IT?"},"content":{"rendered":"<h3 style=\"color: #aaa; font-style: italic;\"><strong>Shadow IT + Digital Certificates = Ticking Timebomb <\/strong><\/h3>\n<p>When your employees use software or hardware at work that your IT or security team is unaware of \u2013 that\u2019s Shadow IT. Calling the use of these tools \u201cunsanctioned\u201d might be a bit strong, but either way, employees have neglected to go through the proper channels and notify the right parties.<\/p>\n<p>There are risks associated with that.<\/p>\n<p>In the IT world, when you ask someone, \u2018what is Shadow IT?\u2019 The answers you get are going to vary quite a bit, some in the industry refer to it as a threat, others are far more optimistic and advise organizations to embrace it.<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/Shadow-IT-feature-698x419.png\" alt=\"What is Shadow IT?\" \/><\/p>\n<p>And from some vantage points that might be true, especially if you\u2019re one of the companies selling the products that are being acquired outside of the standard channels. That\u2019s good for business. Of course you like that.<\/p>\n<p>But when it comes to cyber security, things aren\u2019t so rosy. 
Especially in the context of digital certificates, where Shadow IT can lead to unexpected expirations, operational downtime, loss of revenues and compliance penalties.<\/p>\n<p>So, today we\u2019re going to talk about Shadow IT, the bad things that can happen with shadow certificates and how you can avoid these problems entirely with good certificate management choices.<\/p>\n<p>Let\u2019s hash it out.<\/p>\n<h2>Is Shadow IT a good thing or a bad thing?<\/h2>\n<p>Beauty is in the eye of the beholder. If you\u2019re the head of a security team or an IT admin, shadow IT is likely the herpes of your profession \u2013 you\u2019ll never be able to completely get rid of it so your best bet is just to manage it as well as you can.<\/p>\n<p>If you\u2019re the <a href=\"https:\/\/www.skyhighnetworks.com\/cloud-security-university\/what-is-shadow-it\/\" rel=\"noopener\">head of a technology company like HP<\/a>, you\u2019re a bit more charitable.<\/p>\n<blockquote><p>\u201c<em>We embrace the idea of this shallow exploration of new technologies, new tools, and new processes by our users. To the degree that they discover these applications or services that make their jobs easier, that make them more efficient at selling or better at running a supply chain or better at sourcing talent, then everybody wins<\/em>.\u201d<\/p><\/blockquote>\n<p>Or <a href=\"https:\/\/www.cisco.com\/c\/en\/us\/products\/security\/what-is-shadow-it.html\" rel=\"noopener\">Cisco<\/a>:<\/p>\n<blockquote><p><em>Empowered users can quickly and easily get tools that make them more productive and help them interact efficiently with co-workers and partners. <\/em><\/p><\/blockquote>\n<p><a href=\"https:\/\/www.skyhighnetworks.com\/cloud-security-university\/what-is-shadow-it\/\" rel=\"noopener\">According to McAfee<\/a>, 80% of workers admit to using SaaS applications at work without IT approval. 
In fact, for many employees it\u2019s not something they even think twice about.<\/p>\n<p>Generally speaking, there are three kinds of Shadow IT applications:<\/p>\n<ul>\n<li>Cloud-based applications accessible from the company network<\/li>\n<li>Cloud-based applications accessible with OAuth tokens<\/li>\n<li>Off-the-shelf software that\u2019s loaded onto devices or systems<\/li>\n<\/ul>\n<p>But that\u2019s just applications. There\u2019s also hardware, which can be anything from an employee\u2019s personal phone to purpose-made tech that\u2019s acquired to handle specific functions within an organization.<\/p>\n<p>If the IT department or security team doesn\u2019t know about it, it\u2019s Shadow IT.<\/p>\n<p>A digital certificate is more of a Shadow IT asset than hardware or an application. But it can be even more dangerous because being unaware of even a single certificate opens the doors to a whole range of potential dangers. We\u2019ll get into what those are specifically in just a moment; for now let\u2019s focus on this:<\/p>\n<p>While it\u2019s OK to be agnostic about Shadow IT in other contexts, when it comes to security certificates \u2013<strong> it\u2019s unequivocally a bad thing<\/strong>.<\/p>\n<h2>What can go wrong with digital certificates and shadow IT<\/h2>\n<p>For many organizations, the threat of <a href=\"https:\/\/www.thesslstore.com\/blog\/what-happens-when-your-ssl-certificate-expires\/\" rel=\"noopener\">certificate expiration<\/a> seems fairly abstract until it rudely slaps them in the face. That\u2019s usually jarring enough to make it come into focus. 
When you hear things like \u201coperational downtime\u201d or \u201clost productivity\u201d it doesn\u2019t mean much until you\u2019re actually dealing with it.<\/p>\n<p><a href=\"https:\/\/www.thesslstore.com\/blog\/linkedin-suffers-ssl-tls-certificate-expiration-again\/\" rel=\"noopener\">Take a company like LinkedIn<\/a>, for instance, who just had a certificate expire and knock out its link shortening service. That meant that anyone attempting to click a LinkedIn-shortened link received an error and couldn\u2019t reach their intended destination. Just the downtime alone, given the amount of money LinkedIn makes each year, cost millions of dollars. And that doesn\u2019t even get into all the pissed off customers who either couldn\u2019t use the service, or were marketing with the service and couldn\u2019t reach their own customers.<\/p>\n<p>And that last part is difficult to quantify but on some level it boils down to trust. Trust is currency. Customers and business partners expect you to be open for business when you say you are. They trust your services to run smoothly \u2013 without interruption. When things don\u2019t work that way, the trust starts to strain.<\/p>\n<p>Again, you can\u2019t quantify all of that.<\/p>\n<p>Still, KeyFactor has attempted to. <a href=\"https:\/\/www.thesslstore.com\/blog\/71-of-organizations-dont-know-how-many-certificates-keys-they-have\/\" rel=\"noopener\">In a recent study<\/a>, it extrapolated the cost per organization over a 24-month period after polling hundreds of IT and security professionals.<\/p>\n<p>It starts to add up.<\/p>\n<p>The problem with digital certificates is that it\u2019s easy to lose sight of them when considering the bigger picture. For instance, you\u2019re working on a priority project, you\u2019re in the midst of the final crunch to hand it off \u2013 purely as a matter of utility someone grabs a certificate and IT\/Security never catches wind.<\/p>\n<p>It\u2019s totally understandable. 
And even four or five years ago it still wasn\u2019t that big of a deal in the greater scheme of things. But now that digital certificate use has exploded and PKI has become such a critical component of the internet and networking in general \u2013 <a href=\"https:\/\/www.thesslstore.com\/blog\/what-happens-when-your-ssl-certificate-expires\/\" rel=\"noopener\">it can be catastrophic<\/a>.<\/p>\n<p>And when certificates expire, a lot of the policies and mechanisms you have in place to help security end up hamstringing your organization even more. Take for instance <a href=\"https:\/\/www.thesslstore.com\/blog\/more-websites-breaking-as-certificates-expire-during-government-shutdown\/\" rel=\"noopener\">the US government shutdown that rang in 2019<\/a>: because federal websites are SUPPOSED to be on the <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-hypertext-strict-transport-security-hsts\/\" rel=\"noopener\">HSTS preload list<\/a> \u2013 which requires a secure connection in order to reach a website \u2013 as the shutdown continued and more certificates expired, those sites became completely unreachable for the duration of the certificate outage.<\/p>\n<p>When a digital certificate that was acquired outside of the standard channels, be it SSL\/TLS or signing, expires, you are essentially sending your IT team on the PKI equivalent of a goose chase. With management and the C-suite breathing down their necks they now have to locate the certificate that\u2019s causing the problems, acquire a replacement and then install it and make any configuration adjustments on the fly.<\/p>\n<p>Would you like to be summoned at 3 AM to perform the certificate rotation dance for an audience of executives and stakeholders? That\u2019s probably not a grenade anyone wanted to jump on.<\/p>\n<p>Again, it\u2019s easy to let it happen. 
The point\u2019s not to criticize anyone when it does \u2013 it\u2019s to point out that it doesn\u2019t need to happen in the first place.<\/p>\n<h2>Preventing Shadow IT certificates<\/h2>\n<p>In ancient Rome, companies used to keep track of digital certificates by carving serial numbers and validity dates into the flesh of an intern. Your internship ended when they ran out of space. Oftentimes, for proprietary reasons, the records needed to be shredded afterward, which proved\u2026 problematic.<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/07\/bigstock-Column-Ancient-Style-Antique-C-295609603-300x300.png\" \/><\/p>\n<p>Today, we have advanced well beyond those primitive certificate management systems, yet many organizations are still sacrificing the unpaid at the X.509 altar of the PKI gods. Certificate management has literally never been easier.<\/p>\n<p>And frankly, Enterprise customers are the biggest winner in all of this. Nowadays, organizations have their choice of certificate management platforms run by the CAs themselves, like you see with Sectigo Certificate Manager or DigiCert\u2019s Cert Central platform. Or you can go with a third-party platform like Venafi or KeyManager Plus, that affords you access to multiple CAs through a single unified interface or module.<\/p>\n<p>Using one of these tools, <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-rogue-certificate\/\" rel=\"noopener\">defending against Shadow IT certificates<\/a> is extremely straightforward.<\/p>\n<h2>Scan and Inventory<\/h2>\n<p>Configuring a certificate management solution varies by platform, some can be set up in just a few clicks while others may require the provider to assist you. 
Either way, once your Certificate Management solution is up and running, scanning and inventorying your network is quick and easy.<\/p>\n<p>Simply query the domains, IP addresses or networks you want to scan and your management tool will do the rest. It will find every certificate currently residing on your network and document them all. In some cases you can even get the location they\u2019re stored at. You can scan at regular intervals, daily, weekly, monthly \u2013 though it\u2019s not recommended to go any longer between scans than that (even a month between is pushing it).<\/p>\n<p>Once you\u2019ve finished scanning, you should have a listing of all your digital certificates viewable from your dashboard. This is what we\u2019re referring to when we discuss visibility. As the great Yogi Berra once said, \u201cIf you can\u2019t see it, you can\u2019t renew it on time.\u201d<\/p>\n<h2>Automate Everything<\/h2>\n<p>Automation is your friend when it comes to certificate management; after all, it would take a lot of time and work to handle all of those certificates manually. This is true with only a handful of certificates. At scale it\u2019s almost a requirement.<\/p>\n<p>There are multiple ways to automate. Lots of organizations like to use Microsoft CA and Active Directory, which can be managed via a platform like Sectigo Certificate Manager.<\/p>\n<p>More and more CAs are also beginning to support the ACME protocol, which allows you to install a client\/agent on a server and completely automate all certificate requests, renewals and revocations. DigiCert, Sectigo, Let\u2019s Encrypt and myriad other CAs support ACME, which can be configured to ping their servers at regular intervals. <a href=\"https:\/\/www.thesslstore.com\/blog\/acme-protocol-what-it-is-and-how-it-works\/\" rel=\"noopener\">We went in-depth on ACME a few weeks ago<\/a>. It\u2019s great. 
Just set it and forget it.<\/p>\n<h2>Escalating Notifications FTW<\/h2>\n<p>Just because you\u2019ve automated things doesn\u2019t mean you shouldn\u2019t still be kept abreast of things. Notifications facilitate this. One of the first things you should do when making certificate management decisions is create a security policy that governs who has permission to do what.<\/p>\n<p>Part of that policy should be a notification structure that continues to loop in other, higher-situated stakeholders as it escalates. 60 days before expiration you may just want to send notifications to your IT admins, but as that expiration date inches ever closer, more and more people need to be made aware of it. All the way up to the C-suite if needed.<\/p>\n<p>If nobody knows, nobody can fix the problem. If everyone knows and nobody fixes it, that\u2019s an organizational culture issue and no amount of expertise from us, nor even the best certificate management tools can help with that.<\/p>\n<p>Usually it\u2019s the former though. The organizations just don\u2019t know. And while we can\u2019t earnestly find fault with making that kind of mistake \u2013 it happens \u2013 the ensuing consequences don\u2019t account for whether it was accidental or not. They hit your bottom line just the same.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Shadow IT + Digital Certificates = Ticking Timebomb When your employees use software or hardware at work that your IT or security team is unaware of \u2013 that\u2019s Shadow IT. 
Calling the use of these tools \u201cunsanctioned\u201d might be a bit strong, but either way, employees have neglected to go through the proper channels and<\/p>\n","protected":false},"author":603,"featured_media":3420,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[95],"ppma_author":[3312],"class_list":["post-1843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-big-data-amp-technology"],"authors":[{"term_id":3312,"user_id":603,"is_guest":0,"slug":"patrik-nohe","display_name":"Patrik Nohe","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"Nohe","first_name":"Patrik","job_title":"","description":"Patrick Nohe, Content Manager for The SSL Store&trade; and &nbsp;Hashed Out&#039;s Editor-in-Chief, started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years 
ago."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/603"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1843"}],"version-history":[{"count":3,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1843\/revisions"}],"predecessor-version":[{"id":30127,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1843\/revisions\/30127"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3420"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1843"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}