In Research & Education, scientists and educators get a certain freedom in arranging their IT environment. We strive to adopt innovations quickly, while the decentrally operating faculties and departments have a lot of autonomy. Besides IT managed by the institution, this context gives rise to shadow IT: “hardware, software, or services built, introduced, and/or used for the job without explicit approval or even knowledge of the organisation” [1]. Research groups might set up a Google Workspace while, at the same time, the university officially uses Office 365. Tools like Miro and Mentimeter are used by teaching staff as experiments before they are procured. Researchers spin up AWS instances or host web apps for their research without the IT department knowing what’s happening.
Although there is evidence that this bottom-up adoption boosts innovation, institutional IT departments might be worried about the loss of control and especially about the consequences for cybersecurity. The relatively open IT environment and the diversity of R&E user groups make shadow IT more prominent, and a more significant risk, than in ‘ordinary’ companies.
SURF, the Dutch NREN, conducted research on this topic, with the primary goals of figuring out what can go wrong, whether this phenomenon calls for a different approach to cybersecurity governance, and what institutions might need to address the risks of shadow IT. In this blog, I’ll share early findings on occurrences, threats, and thoughts on what we could do about them.
What kind of shadow IT emerges in R&E?
Our initial results show that in most institutions, all official IT can have a shadow version, mainly deployed by individual researchers or by IT admins at the department level. It can be divided into four categories: unapproved cloud services, self-made solutions, self-installed applications and self-acquired devices. Besides desktop PCs used as servers or the occasional IoT device, common culprits are locally installed applications and Excel (or even SQL) exports of official administrative systems.
For research universities, specially developed or sourced software embedded in research equipment might also be a concern. Research and the data it processes are often governed at a low level in the organisation, where software upkeep and appropriate data storage can be an afterthought. A special case of shadow IT arises when staff do not have a choice because they work with (or for) multiple institutions. You cannot keep all your researchers in the same cloud suite and on the same network drives when they co-author with researchers from other institutions who use different systems.
What can go wrong?
We interviewed multiple experts (mainly CISOs and security officers in R&E) to learn about potential threats enabled or worsened by shadow IT. The main concern for unapproved cloud services can be summarised as a ‘lack of control’ over data. You can’t control the backup strategy, authorisation procedures, encryption, or access controls of systems and data you don’t manage. Besides: what will happen if the supplier suddenly decides to change its revenue model? There is no exit plan, nor are there safeguards against misuse of student or staff data. This can lead to disruptions of education processes, unauthorised access, or data breaches. Another big problem might be the re-use of passwords. When a professor asks their students to register for a new teaching tool, chances are they will use their @student.institution address and the corresponding password.
When talking about self-acquired hardware and self-installed applications, the main concern is outdated software and the installation of malware. A lack of updates leaves all kinds of vulnerabilities open in the software and on unmanaged devices. Unknown software can therefore be the first step for an attacker to gain access to a network, or the last step if they are simply after the data on that device. That data could be sensitive in itself or provide valuable intelligence for crafting better spear-phishing campaigns.
And what to do about it?
The good news is that many of the risks caused by shadow IT can be mitigated in the same way we protect against cyber threats that target our official, managed devices and software. Awareness of risks, a well-thought-out password policy with MFA, and encouraging the use of password managers can prevent re-use and limit the consequences if it happens. Endpoint management or extended detection and response tools can identify vulnerabilities and incidents, and security monitoring can be applied at the network, authorisation, or server level, even if the devices themselves are unmanaged. Adopting zero-trust principles and segmentation in the network architecture can make organisations more resilient to the classic ‘initial access, lateral movement, domain admin’ type of attack that a vulnerable device or installed malware would enable.
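One concrete form of the network-level monitoring mentioned above, as an added example that is not SURF’s or the author’s code: a small Python script that scans web-proxy log lines for cloud services outside the institution’s sanctioned list, counts how many distinct accounts and source hosts use each (so a single curious click is ignored), and flags POSTs to login or signup paths, the moments when a user may be typing an institutional password into an external tool, as raised under ‘What can go wrong?’. The key=value log format, the sanctioned-service allowlist, the service names and the sample log lines are all constructed assumptions for this example.

```python
"""Shadow-SaaS discovery over web-proxy logs (added example; constructed data)."""
import re
from dataclasses import dataclass, field

# Services the institution has procured: a constructed allowlist for this example.
SANCTIONED = {"office.com", "sharepoint.com", "institution.example"}

# Request paths that indicate account creation or sign-in on an external service,
# i.e. moments when a user may be typing (and re-using) an institutional password.
AUTH_PATH = re.compile(r"/(login|signin|sign-in|signup|sign-up|register|auth)\b", re.I)

# Public suffixes that span two labels. Deliberately tiny: a real deployment should
# use the Public Suffix List (e.g. the publicsuffix2 package) instead of this table.
TWO_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}

# key=value tokens as written by the (assumed) proxy log format used below.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, or None if it lacks host/user."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    if "host" not in fields or "user" not in fields:
        return None
    return fields


def registered_domain(host):
    """Reduce a hostname to its registrable domain: app.miro.com -> miro.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


@dataclass
class ShadowService:
    domain: str
    users: set = field(default_factory=set)     # distinct accounts seen
    sources: set = field(default_factory=set)   # distinct client addresses seen
    auth_requests: int = 0                      # POSTs to login/signup paths


def discover_shadow_saas(lines, sanctioned=SANCTIONED, min_users=2):
    """Return {domain: ShadowService} for every unsanctioned service used by at
    least `min_users` distinct accounts; malformed lines are skipped."""
    seen = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        dom = registered_domain(f["host"])
        if dom in sanctioned:
            continue
        svc = seen.setdefault(dom, ShadowService(dom))
        svc.users.add(f["user"])
        svc.sources.add(f.get("src", "?"))
        if f.get("method", "").upper() == "POST" and AUTH_PATH.search(f.get("path", "")):
            svc.auth_requests += 1
    return {d: s for d, s in seen.items() if len(s.users) >= min_users}


def report(found):
    """Render the findings as one line per service, busiest first."""
    out = []
    for dom, svc in sorted(found.items(), key=lambda kv: -len(kv[1].users)):
        flag = "  <- credential-entry traffic seen" if svc.auth_requests else ""
        out.append(f"{dom}: {len(svc.users)} users from {len(svc.sources)} hosts, "
                   f"{svc.auth_requests} login/signup POSTs{flag}")
    return "\n".join(out)


# Constructed sample log: one morning of egress traffic from a department.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:00Z user=jdoe src=10.1.2.3 method=GET host=outlook.office.com path=/mail
ts=2024-03-04T09:13:10Z user=jdoe src=10.1.2.3 method=POST host=app.miro.com path=/signup
ts=2024-03-04T09:14:22Z user=asmith src=10.1.2.7 method=GET host=app.miro.com path=/board/abc
ts=2024-03-04T09:20:05Z user=asmith src=10.1.2.7 method=POST host=www.mentimeter.com path=/auth/login
ts=2024-03-04T09:21:30Z user=bchen src=10.1.4.9 method=POST host=www.mentimeter.com path=/auth/login
ts=2024-03-04T10:02:00Z user=bchen src=10.1.4.9 method=GET host=ec2-3-1-2-3.compute-1.amazonaws.com path=/
ts=2024-03-04T10:02:05Z user=dlee src=10.1.4.12 method=GET host=ec2-3-1-2-3.compute-1.amazonaws.com path=/api
ts=2024-03-04T10:05:00Z user=dlee src=10.1.4.12 method=GET host=news.example.co.uk path=/
garbage line without fields
"""

if __name__ == "__main__":
    print(report(discover_shadow_saas(SAMPLE_LOG.splitlines())))
```

On the sample data the script surfaces Miro, Mentimeter and an AWS-hosted app as services used by more than one account, with the Mentimeter and Miro entries marked because sign-in or sign-up traffic was seen; the single visit to a news site drops below the threshold. In practice the allowlist would come from the procurement register, the input from the institution’s proxy or DNS export, and the registrable-domain step from the Public Suffix List rather than the toy table here.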
Guidance in using innovative educational tools can prevent teaching staff from having to figure it out on their own. For this, cooperation between organisations is essential. If we don’t organise a means to quickly judge whether a tool is safe to use, the choice is between outlawing the use of experimental tools in education and research or starting a procurement process of several months. We can imagine what the result will be.
However, the best solutions are the ones you can’t buy: they lie in prevention. Realise that software focused only on cooperation within a single organisation is insufficient. R&E IT user needs will always be complex, but we can prevent users from needing permanent admin rights if we accept that a researcher desires some autonomy and will appreciate a way to install a music streaming app on their device. By ensuring there is a safe and easy way for staff or students to get the IT functionality they need, we can prevent them from going the unmanaged route. If just installing an EDR tool and leaving the screensaver settings alone on your managed devices can prevent a user from disliking the device, that is a win.
About the author
Joost Gadellaa is a student of Business Informatics at Utrecht University and a research intern at SURF, the Dutch NREN. Together with the SecureSECO research group, he is currently conducting research into shadow IT at SURF’s member institutions. Before getting into cybersecurity, he graduated with a Bachelor’s in Economics and worked in several positions at a university’s IT department.
[1] S. Haag and A. Eckhardt, ‘Shadow IT’, Bus. Inf. Syst. Eng., vol. 59, no. 6, pp. 469–473, Dec. 2017, doi: 10.1007/s12599-017-0497-x.
This year GÉANT again joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022