The challenge of digital debt and shadow IT

Agility and flexibility have become the golden operational principles for many organisations. They certainly help to get the job done, especially in IT, but they can also induce poor decision-making, with teams focusing on short-term fixes that offer quick results rather than pursuing a cohesive digital strategy.

With time, this could create an inefficient build-up of solutions, often too costly to change or even update, with a hidden, negative impact on the overall business. This is the essence of digital debt, a concept that describes the real cost of shortcuts in software development and infrastructure rollouts.

Digital debt is not a new problem. It has been a challenge for some time, but the pandemic has exacerbated it by forcing an overnight move to the cloud and adding complexity. A pre-pandemic report from Deloitte estimated the UAE public sector’s digital debt to be at least $2 billion, citing low virtualisation ratios, a high incidence of end-of-support hardware, and a scarcity of integration options that impacted scalability and reuse.

A similar but distinct trend emerges when looking at individual end users. Under pressure to deliver results or unable to get timely support from overloaded IT teams, end users may try to find solutions by themselves, for example using cloud solutions to automate tasks, installing smartphone apps to collaborate with colleagues while on the road, or leveraging online platforms to speed up debugging.

All these solutions create so-called shadow IT, since they are unknown to the company's IT teams. Most of these services are provided by reputable companies, but there could be compatibility issues that the users are unaware of.

And there’s more. Both digital debt and shadow IT can become particularly insidious when the person who implemented a quick fix or autonomously installed a solution moves to another organisation without informing anyone about those tools or leaving any documentation.

Digital debt and shadow IT on their own are problematic enough, but together they constitute a considerable risk to the business, as ageing legacy stacks – with a lack of transparency, automation, and integration – combined with the absence of IT oversight drastically increase the attack surface.

It is clear, then, that IT departments must think strategically, shifting from point solutions to feature-rich technologies that grow with the business, enhance worker productivity, and add value over time.

Remote and hybrid work

Cloud tools and services are necessary to support daily work in remote and hybrid environments, and some of these will be new to employees. When the pandemic struck, many knowledge workers found themselves working from home for the first time and many were unprepared for the change. To adapt, they used unvetted tools such as SMS messages and they shared data in ways that were not inherently secure. Compromising these users is easy and can lead to significant damage if they have privileged access to sensitive applications and data. Attackers can use such accounts to elevate their privileges or exfiltrate critical information.

Unmanaged browsers

Internet browsers are often used to run apps or gain access to sensitive elements of the environment. Problems arise if these browsers are not managed by the organisation itself. Browsers commonly store login credentials and other sensitive data, and attackers could easily conceal malicious code in a browser extension to gain access to critical information and systems.

Productivity apps

While working from home, users may install third-party productivity apps to supercharge their daily output. Even if they are from a known company, they may not have critical security controls or be updated as frequently as mandated by company policy. Additionally, apps may store company data in unencrypted formats and in repositories that are unknown to users.

Fast production cycles

No matter the industry or business, DevOps teams are in a race to release the next great iterations in digital experiences. Whether for customers or for employees, these updates are rushed to production status and security is traded in for speed. This leads to shortcuts and more shadow IT. Coders may, for example, establish instances in the cloud that are allowed to disappear without due regard for the data they create or copy. This data may live on in the cloud environment, hidden from IT and security teams.

Policy to the rescue

Employees under pressure to make deadlines will find a way to deliver. If they do not have the tools they believe best fit their purposes, they will go looking for a workaround, and it is tempting to provide them with a quick fix. It is therefore incumbent upon IT teams to provide employees with secure tools that allow them to get things done and that are also compliant with long-term plans.

IT departments should also start using security tools that can reliably detect suspicious applications, both during an initial clean-up and during subsequent monitoring. Such tools will also identify and display passwords stored in browsers.

Policies about installation and use of applications should also provide tools that enable automatic checks on the apps users want to use, comparing them with lists of trusted and suspicious solutions, rather than imposing a long authorisation process. These tools could also quarantine untrusted downloads into sandboxes for further study before they are cleared for use.
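The automatic check described above can be illustrated with a small triage routine. This is an added example, not code from the article or from any vendor tool it alludes to: it takes a constructed software inventory (the app names, publishers, versions and the `signed` flag are all made-up sample data) and compares each entry against a constructed trust list and deny list. The deny list wins over everything else, a trusted application still ends up in quarantine if its signature check failed or its version is below the policy minimum, and anything not explicitly trusted is quarantined for review rather than silently approved, which is the shadow IT case the text is concerned with.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    APPROVED = "approved"
    BLOCKED = "blocked"
    QUARANTINE = "quarantine"


@dataclass(frozen=True)
class InstalledApp:
    name: str
    publisher: str
    version: str
    signed: bool    # constructed flag: code-signing check passed
    source: str     # constructed: "managed" deployment or "user" install


# Constructed trust list: (name, publisher) -> minimum version policy allows.
ALLOW_LIST = {
    ("Example Office Suite", "Example Corp"): "12.0",
    ("Example Meet", "Example Corp"): "3.2",
}

# Constructed deny list: applications and publishers policy forbids outright.
DENY_APPS = {"Free Password Saver"}
DENY_PUBLISHERS = {"Untrusted Tools Ltd"}


def version_key(version):
    """Turn '12.3.1' into (12, 3, 1) so versions compare numerically;
    non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def triage(app):
    """Classify one inventory entry and return (verdict, reason).
    Order matters: deny list first, then the trust list, and anything
    not explicitly trusted is quarantined rather than approved."""
    if app.name in DENY_APPS or app.publisher in DENY_PUBLISHERS:
        return Verdict.BLOCKED, "on deny list"
    minimum = ALLOW_LIST.get((app.name, app.publisher))
    if minimum is None:
        return Verdict.QUARANTINE, "not on trust list, needs review"
    if not app.signed:
        return Verdict.QUARANTINE, "trusted name but signature check failed"
    if version_key(app.version) < version_key(minimum):
        return Verdict.QUARANTINE, f"below minimum version {minimum}"
    return Verdict.APPROVED, "on trust list"


def triage_inventory(apps):
    """Run triage over a whole inventory; returns (app, verdict, reason) rows."""
    return [(app, *triage(app)) for app in apps]


def summarize(results):
    """Count verdicts, e.g. for a clean-up dashboard."""
    return Counter(verdict.value for _, verdict, _ in results)


# Constructed sample inventory, as an endpoint agent might report it.
SAMPLE_INVENTORY = [
    InstalledApp("Example Office Suite", "Example Corp", "12.3", True, "managed"),
    InstalledApp("Example Meet", "Example Corp", "3.1", True, "user"),
    InstalledApp("Free Password Saver", "Some Dev", "1.0", False, "user"),
    InstalledApp("Quick Notes Sync", "Unknown Publisher", "2.0", False, "user"),
    InstalledApp("Example Office Suite", "Example Corp", "12.5", False, "user"),
]

if __name__ == "__main__":
    rows = triage_inventory(SAMPLE_INVENTORY)
    for app, verdict, reason in rows:
        print(f"{verdict.value:10} {app.name!r:25} {app.publisher!r:20} {reason}")
    print(dict(summarize(rows)))
```

Run as a script it prints one line per application and a tally of verdicts; in the sample inventory one entry is approved, one is blocked and three land in quarantine, including a copy of a trusted suite whose signature check failed. Quarantined entries are exactly the ones that should flow into the sandbox review the text describes.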

IT leaders can greatly help reduce shadow IT and technical debt by taking a holistic, long-term approach to security and collaborating with all other business units to identify the best possible balance between protection and productivity. Only then will organisations see the shadows fade away.

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea.