Naming the Shadows within Shadow IT

August 21, 2020

Post by Jeremiah Grossman

When managing the inventory of internet-connected assets for an organization, the term Shadow IT is often used. The more accurate an Asset Inventory is, the less Shadow IT exists. Generally, Shadow IT refers to IT assets that an organization doesn’t know about or doesn’t have control over. Obviously, you can’t secure what’s unknown. So, Shadow IT represents an inherent risk to an organization and must be minimized wherever possible. And when discussing “Asset Inventory,” we often find the term Shadow IT is too broad to describe specific areas of change and risk. 

For example, simply because the existence of an asset (hostname/IP-address) is known, this doesn’t necessarily mean all of its listening services (HTTP, TLS, SSH, VPN, FTP, RDP, MySQL, etc.) are known, and their ports may open and close without warning. Similarly, just because the listening services of an asset are known, it doesn’t mean the software stack is also known. It is important to know whether a website is running Apache or NGINX, and which version. It’d also be important to know if Jenkins is installed, and if so, what version. Or, if WordPress is running, what plugins and versions are installed.

Our experience at Bit Discovery suggests that the overall Asset Inventory of many enterprises changes constantly, day by day or even hour by hour, especially for inventories with tens of thousands of total assets and often far more than that. Collectively, a 1-5% monthly drift in the Asset Inventory is not uncommon. Each change at any layer of the Asset Inventory potentially adds to the list of overall Shadow IT and represents new security risks.

As we can see, using “Shadow IT” on its own doesn’t always allow us to narrow down to the exact area where unknowns (the shadow) exist. Moving forward, to be more precise with our language, we’ll be using a few new descriptive terms that fall underneath Shadow IT:

Shadow Asset: The specific asset, as defined by a hostname/IP-address, that’s unknown or uncontrolled by the organization.

Shadow Service: Unknown or uncontrolled services (i.e., open ports) that are actively listening on an asset.

Shadow Software: Unknown or uncontrolled software stack information (i.e., list of installed software and versions) of a listening service on an asset.
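
To make the three layers concrete, the following added example (not from the original post or from Bit Discovery) compares a known inventory against an observed scan and labels each unknown with the narrowest term that applies. The data layout (host, then port, then software name and version), the function name `classify_shadows` and all sample hosts and versions are assumptions constructed for illustration.

```python
"""Classify unknowns between a known inventory and an observed scan."""

# Constructed sample data: host -> port -> {software: version}.
KNOWN = {
    "www.example.com": {443: {"nginx": "1.18.0"}, 22: {"openssh": "8.2"}},
    "ci.example.com": {8080: {"jenkins": "2.235"}},
}
OBSERVED = {
    "www.example.com": {
        443: {"nginx": "1.18.0", "wordpress": "5.5"},
        22: {"openssh": "8.2"},
        3306: {"mysql": "8.0"},
    },
    "ci.example.com": {8080: {"jenkins": "2.249"}},
    "dev.example.com": {80: {"apache": "2.4.41"}},
}


def classify_shadows(known, observed):
    """Return a list of (category, host, port, detail) findings."""
    findings = []
    for host, services in observed.items():
        if host not in known:
            # Unknown asset: everything beneath it is unknown too,
            # so report it once at the asset layer.
            findings.append(("Shadow Asset", host, None, "host not in inventory"))
            continue
        for port, stack in services.items():
            if port not in known[host]:
                findings.append(("Shadow Service", host, port, "port not in inventory"))
                continue
            known_stack = known[host][port]
            for name, version in stack.items():
                if name not in known_stack:
                    detail = f"{name} {version} not in inventory"
                elif known_stack[name] != version:
                    detail = f"{name} {known_stack[name]} -> {version}"
                else:
                    continue  # software and version match the inventory
                findings.append(("Shadow Software", host, port, detail))
    return findings


if __name__ == "__main__":
    for category, host, port, detail in classify_shadows(KNOWN, OBSERVED):
        print(f"{category:15} {host}:{port if port else '-'}  {detail}")
```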