Decentralized IT Clouds Security Team’s Ability to Spot Risks

The shadow IT trend has been underway for some time, but if a recent survey from Zoho ManageEngine is any indication, the amount of decentralized IT decision-making has passed an inflection point — and data and system security are being stressed as a result.

According to the IT at Work: 2022 and Beyond survey, 74% of IT decision-makers in the U.S. and Canada reported that their organization has successfully decentralized its IT structure. The global average is lower: 64% have decentralized their IT structure. Respondents noted some of the obvious challenges: they expect their organization to face challenges maintaining IT security levels (56%), followed by maintaining quality levels (41%) and the reliability of ongoing support (37%).

When it comes to maintaining effective data and system security, most experts agree it takes a concerted effort of security awareness and policy enforcement through technology.

Greg Young, vice president of cybersecurity and corporate development at Trend Micro, warned of the security risks associated with decentralized IT. “With the most aggressive attacks using lateral movement, decentralized IT means there is usually a weak link to exploit or evade at each step thanks to differing technologies, levels of patching and security operations center (SOC) control and visibility,” he says.

When it comes to maintaining security within increasingly decentralized organizations, Young recommended security teams prioritize visibility, not only for security alerts and indicators of compromise but also to maintain visibility into the actual technology in use throughout the organization. “‘Visibility’ sounds boring, but today it means in addition to the attack surface that non-traditional security telemetry is being gathered. In all environments, and especially in decentralized ones, gathering new sources of telemetry is much likelier to give earlier indicators of compromise, or at least to rule out false positives. And that visibility must be supported with technical assistance to connect those dots that live in a larger data lake of telemetry,” Young added.

Rob Price, principal solutions consultant at Snow Software, understands firsthand the risks to security associated with decentralized IT. At a previous employer, business decision-makers turned to a data collaboration vendor that provided a way to share data in a managed, structured and auditable way, but the vendor had a mixed consumer and corporate model, and those employees who signed the consumer licensing had actually agreed to provide ownership of the data shared across the platform to the vendor. The data being shared contained sensitive, critical intellectual property.

“These employees weren’t acting maliciously. In fact, they were using these applications to be nimble and get more work done, but they were putting the company at risk and ended up with some sizable legal bills to regain their own intellectual property. There is a common theme when it comes to decentralized decision making and the rise of shadow IT: decentralized IT leads to good people accidentally putting the company at risk,” said Price.

The best defenses, experts agreed, are increasing security awareness throughout the organization and monitoring for new applications being deployed by users. Ryan Orsi, cloud foundation leader for partners and security at AWS, said decentralized IT and security means making security everyone’s responsibility. “It is important to build a strong culture of security within a company. For example, at AWS, security is the top priority and is part of everyone’s day-to-day responsibilities. Every employee at AWS must think about what information is being accessed, where it’s stored and who else may have access to it,” he said.

Orsi advised security teams to first evaluate whether they have full visibility of their environments’ resources along with a process to centrally monitor for security events. “If a new developer created a test instance somewhere in the company, the security controls in the company should know this and be able to include security events from this resource into their process, preferably without reliance on endpoint agents. Companies cannot protect something that cannot be seen. Therefore, security teams must monitor, evaluate risk and remediate continuously and ensure tools are in place to scan logs, network traffic and devices continuously for unapproved activities,” he said.

Others pointed to potential benefits of decentralized IT and security, such as increased collaboration (something the ManageEngine survey found increasing at 82% of organizations) and increased system diversity, which is more challenging for attackers. “One upside is the heterogeneity of all the technologies in a decentralized organization means a single vulnerability is less likely to hit the whole enterprise, but with multi-step attacks being more common it doesn’t make up for the ‘weakest lateral link’ problem. Decentralized usually means less visibility and control,” concluded Young.

Surprisingly, in a time when the importance of cybersecurity has reached new heights, decentralization will make it more challenging for security teams to remain relevant when it matters: at the time technology decisions are being made. In our next story, we will examine whether decentralization will reduce the relevance of the security team and what teams can do to maintain their day-to-day relevance.