Most IT professionals are familiar with the concept of shadow IT. It describes a situation at an organization where employees use unsanctioned software and hardware to do their work. The use of shadow IT causes an organization to lose visibility and control over its technology and data, resulting in security vulnerabilities and compliance issues. Despite efforts to tackle this problem, shadow IT persists in the corporate world.
However, a larger problem today for many companies is shadow identity, which results from a fragmented approach to identity management within an organization. Shadow identities can happen in various ways, such as when an employee sets up an application or cloud instance and creates separate user identities outside of the corporate account. The relationships that organizations may have with third-party contractors and suppliers further complicate this issue. In many ways, companies are at the mercy of the identity management practices of those third parties.
If shadow identity issues are left unchecked, they grow increasingly complex and pose cybersecurity, privacy, and compliance risks. Unfortunately, there’s no easy fix.
“Let’s say the research department of a company wants to set up an application that can simulate what could happen if a change is made to a product, but the IT department can’t get to it for a month,” explained Jeff Reich, executive director of the nonprofit Identity Defined Security Alliance (IDSA). “If they don’t want to wait, they may decide to do it themselves, so now everyone involved with that project has an identity within that new application.”
No organization can claim to have a complete handle on identity management, said Dustin Sachs, director of research and content strategy at the Institute for Critical Infrastructure Technology and a senior manager for information security risk management at a large energy company.
The shadow identity problem is even more significant than shadow IT because individuals can sign up for so many services using different identities, Sachs added.
Why Shadow Identity Has Become a Crisis
Recent studies have shed light on the severity of the shadow identity problem. According to an IDSA-sponsored report from Dimensional Research, 90% of companies have experienced an identity-related breach in the past year. Forty-four percent consider addressing shadow identity a top priority.
The problem has evolved due to several factors. Within large corporations, different departments often operate independently, which can result in multiple directories. Additionally, as many companies shifted workloads to the cloud during the COVID-19 pandemic, employees frequently resorted to using personal email addresses for registering work-related services. Consequently, this led to the creation of multiple digital identities for a single employee.
All this can easily cause security, privacy, and compliance concerns. For instance, if an employee creates a separate identity (outside a corporate account) to access a specific application, and if that application gets compromised by hackers, the hackers may gain unauthorized access to the employee’s private information.
Additionally, the proliferation of shadow identities also increases the risk of non-compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation), potentially resulting in fines and reputational damage for companies.
And that’s just on the corporate side. The problem of shadow identity can also affect both companies and their customers on the consumer side of the equation. The problem not only leads to missed revenue and opportunities to improve customer service, but it also exposes consumers to privacy violations and identity theft.
Surprisingly, creating different identities for online sites is a common practice among consumers. However, consider what happens if two of those sites merge: There are now two identities, but the consumer no longer has control over both of those identities. Additionally, a bank might require customers to create separate logins for each of its services, with customer identity data stored in different silos across various departments within the bank.
“If you get identity management right, it can be a force multiplier for your business, but if you get it wrong, it can impact your ability to grow business with your customers,” said Peter Barker, chief product officer at ForgeRock, an identity and access management software firm.
The Dual Nature of Federated Identity
The use of federated identity, a method that links users’ identities across multiple, separate identity management systems, can make the problem of shadow identity worse.
“Federation relies on trust, and if the trust is compromised or even just unwarranted, users from outside the relying party domain can wind up with much greater access than needed,” explained John Tolbert, director of cybersecurity research at KuppingerCole, a security analyst firm.
At the same time, federation can mitigate shadow identity risks by eliminating the need for shadow accounts. For example, simply implementing just-in-time access with short-lived access management allows for the creation of time-limited accounts upon receipt of a properly authenticated token. These accounts are then purged after a window of time. Tolbert said that when used intelligently federation can be a good way to overcome identity silos.
How To Address the Shadow Identity Problem
To curb the problem of shadow identities, experts recommended organizations follow these steps.
Step #1: Gather information from users
First, organizations must communicate directly with users.
“Just ask if anyone is doing this, and make sure to say that nobody is in trouble, that you just want to see where the company is in terms of risk exposure,” Reich suggested. Doing so typically yields a positive response rate of about 80%, providing valuable insights for the next steps.
Step #2: Deploy tools to combat shadow identity
After gathering information from users, the next step is to deploy technology that can address the issue. Reich recommended implementing a network sniffer, such as Wireshark, Kismet, SmartSniff, EtherApe, and Ettercap. The sniffer enables IT staff to examine all network traffic for specific content.
Other useful tools incoude cloud access security brokers (CASBs), especially when used in conjunction with identity governance and administration and data loss prevention (DLP) tools. These tools enable the identification of duplicate accounts, allowing companies to merge or eliminate them effectively. By using DLP tools, IT staff can detect activities that resemble an identity traversing the network. More specifically, these tools can help organizations understand where identities are being used in platforms like Office 365. They can also point to where there are callbacks for federated identity.
Step #3: Communicate critical issues with the organization
After using these tools, IT staff will then have reports that highlight the most critical issues related to shadow identity. At this stage, it often makes sense to make a companywide announcement about the problem. “You can say, ‘We want to make sure your identity is secure and our security can be maintained, so if you get a notification from us, please follow the directions,’ ” Reich said.
Step #4.: Adopt a centralized approach to identity and governance
Once the problem is effectively managed, the next step is to prevent it from spiraling out of control again. That means adopting a centralized approach to identity and governance. Without centralized control, individual solutions may emerge or proliferate, leading to the creation of isolated copies or versions of identities. Implementing an identity governance system can help maintain control.
Step #5: Don’t shy away from decisive action
According to Sachs, companies shouldn’t be afraid to take actions that seem harsh if that’s what’s needed to succeed.
“The harder you make it, the fewer phishing-related issues will occur,” Sachs said. “For example, if your company uses [Microsoft] OneDrive, do you need to have Dropbox available? The company could prevent access from other data storage repositories from corporate devices, which would make users more likely to use the company-approved applications.”
While building these barriers takes time and effort, and may even slow down business operations, there really is no other choice.
“In business, we want to make it as easy as possible for employees to do their work, but it’s often at the expense of security,” Sachs said. “There has to be a trade-off. … If that means that employees have to upload files to a secure website instead of sending an attachment, they have to accept that.”
Step #6. Educate users
With the implementation of these safeguards, there is one essential element that still needs attention: user education.
Sachs noted that employees are often focused on achieving business objectives and meeting financial targets, without much thought for the security risks involved. “People are thinking about how they need to close another client and make another dollar,” Sachs said. “They don’t care how they do it as long as they can do it, because that is how they are being judged.”
However, organizations must educate users about the reasons behind certain precautions, such as not clicking on supicious links. Once employees understand the rationale, they are more likely to comply with security measures. Based on his experience, Sachs said education efforts make a different in mitigating risks.
The Promise of Decentralized Identity
While there may never be a way to completely prevent people from creating shadow identities, companies owe it to themselves, their customers, and their bottom line to mitigate the issue. The goal is to shrink the associated risks to an acceptable level.
Changing user behavior is a complex endeavor, but certain strategies may gradually help address the shadow identity problem. One of the most talked-about is the concept of decentralized identity, where users have a “wallet” containing verifiable proof and attributes that can identify and authenticate them without a centralized authority.
Although still a work in progress, Tolbert sees promise in decentralized identity. “It may be helpful when people move toward consolidating their personal accounts so they can just expose bits and pieces of information they want to disclose per service provider,” Tolbert explained. “That might allow people to reduce the number of accounts they use if they feel like they have control over the personal information they share.”
About the authorKaren D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.