By Aparna Achanta, Principal Security Lead, IBM
Shadow software-as-a-service refers to unauthorized cloud applications used within an organization. Shadow SaaS is a challenge in modern IT governance: because IT teams lack oversight and monitoring of unapproved applications, shadow SaaS is difficult to govern effectively.
A recent NextDLP survey of 250 security professionals found that 73 percent had used unapproved tools.
Shadow generative AI, or genAI, is another major concern for federal organizations now. Employees using GenAI tools without oversight raise serious risks, as they can input sensitive data to these GenAI tools to generate swift responses, increasing exposure to data leaks and regulatory violations.
Since developers may employ open-source tools, code libraries, or frameworks to meet the particular technical needs or specifications of a project, shadow code represents a major security risk. Inheriting or using these libraries without review can introduce unsanctioned code into an application, also known as shadow code. Insecure coding patterns or vulnerabilities brought in by shadow code could enable SQL injection, CSRF and XSS.
Application programming interfaces, or APIs, enable interactions between different applications. Shadow APIs, endpoints that are exposed without being inventoried, are susceptible to data leaks and lack proper authentication and access controls. Large-scale federal applications are often integrated with other applications to meet business requirements. According to the 2024 Check Point API Report, API attacks have increased by 20 percent yearly.
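One way to surface shadow APIs is to compare the routes an agency has documented against the routes that actually receive traffic. The script below is an added example, not code from the article: it assumes a constructed list of documented routes (in practice loaded from the OpenAPI spec) and a constructed access log, and reports every method and path that matches no documented route, counting how often the undocumented endpoint actually served a request.

```python
from collections import Counter

# Constructed sample of the documented API inventory (method, path template).
# A real run would derive this list from the agency's OpenAPI specification.
DOCUMENTED_ROUTES = [
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/users"),
    ("GET", "/api/v1/cases/{case_id}/documents"),
]

# Constructed access-log sample: method, path, HTTP status, client address.
SAMPLE_LOG = """\
GET /api/v1/users/42 200 10.1.1.5
GET /api/v1/users/43 200 10.1.1.5
GET /api/v1/cases/7/documents 200 10.1.2.9
GET /api/v1/internal/export 200 10.1.2.9
GET /api/v1/internal/export 200 10.9.9.1
POST /api/v1/users 201 10.1.1.5
DELETE /api/v1/users/42 403 10.9.9.1
GET /api/v2/users/42?full=1 200 10.1.1.5
"""

def path_matches(template, path):
    """True if a concrete path fits a route template; a '{name}' segment matches exactly one segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all(t.startswith("{") or t == p for t, p in zip(t_parts, p_parts))

def find_shadow_endpoints(log_text, documented):
    """Return {(method, path): (hits, successful_hits)} for traffic matching no documented route.

    Successful hits (status < 400) are the ones to chase first: an undocumented
    endpoint that serves requests is a live shadow API, not merely a probe.
    """
    hits, ok = Counter(), Counter()
    for line in log_text.splitlines():
        method, path, status, _client = line.split()
        path = path.split("?", 1)[0]  # the query string is irrelevant to route identity
        if any(m == method and path_matches(t, path) for m, t in documented):
            continue
        hits[(method, path)] += 1
        if int(status) < 400:
            ok[(method, path)] += 1
    return {key: (hits[key], ok[key]) for key in hits}

if __name__ == "__main__":
    for (method, path), (total, served) in find_shadow_endpoints(SAMPLE_LOG, DOCUMENTED_ROUTES).items():
        print(f"undocumented {method} {path}: {total} hits, {served} served")
```

On the sample, the undocumented export endpoint and the v2 path both serve requests and deserve an inventory entry or removal, while the rejected DELETE shows up as an access attempt the documented API does not offer.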
Why Do Employees Use Unauthorized Tools?
- Employees seeking increased productivity
Employees often adopt third-party SaaS solutions without IT approval to improve productivity, share documents, or collaborate with external users.
- Outdated tools in the federal agency’s tool inventory
Federal agencies maintain an inventory of approved software tools with Federal Risk and Authorization Management Program (FedRAMP) approval, but this list might contain outdated tools or tools that do not fit all requirements. This pushes employees toward shadow SaaS applications, which are easy to sign up for with free trials or personal subscriptions and can solve work-related functions.
- Delays in tool approval and installation
All federal agencies have internal processes for requesting a tool, getting their request approved and getting the tool installed. This approval process sometimes takes several weeks to complete. As a result, if employees require a tool for an immediate need, they tend to use unapproved online tools that can help them with their task at hand.
Risks of Using Shadow IT
Attackers can use unapproved applications with weak security standards as a backdoor to access federal networks.
The monetary loss associated with shadow IT is significant. According to a report from IBM, breaches involving shadow data took 26.2% longer to identify and 20.2% longer to contain, averaging 291 days, and resulted in higher breach costs, averaging $5.27 million.
IT teams struggle to manage support requests for tools they never approved, leading to wasted resources.
Sensitive PII and PHI remain at risk: shadow SaaS exposes employees to vulnerabilities and shares credentials with insecure platforms, giving attackers a path into crucial systems.
Here are some security risks associated with shadow IT:
- Outdated tools
Shadow SaaS applications and shadow APIs are often not regularly updated, leaving known vulnerabilities unpatched for attackers to exploit. The State of Ransomware 2024 Report notes that 32 percent of cyberattacks were initiated by exploiting vulnerabilities in software that was not updated.
- Data breaches
Unauthorized applications often do not meet security standards like those from FedRAMP, FISMA and NIS. Employees may share personally identifiable information, or PII, and protected health information, or PHI, with the unapproved SaaS or GenAI application, exposing sensitive data to security risks and potential breaches. IBM’s Cost of Data Breach Report shows that one in three data breaches involved shadow IT, costing the organization $4.88 million.
Employees frequently reuse passwords across applications, exposing sensitive information if one application is breached. Attackers can use the leaked credentials to infiltrate networks or launch phishing attacks.
- Regulatory violations
Shadow SaaS increases the risk of compliance violations like the General Data Protection Regulation, the Federal Information Security Management Act and the Health Insurance Portability and Accountability Act, leading to exposed sensitive data. Agencies are unaware they’re noncompliant until an audit shows exposure of sensitive customer data.
- Increased attack surface
Using unapproved SaaS applications or shadow code libraries provides entry points for hackers. Shadow IT applications may lack multi-factor authentication, encryption and other robust security controls, making them easy targets for attackers.
- Lack of data retention or backup
Shadow IT applications do not follow the federal agency’s data retention and data backup policies. Federal applications are required to abide by the data retention guidelines set by the National Archives and Records Administration, which are mapped to the data’s sensitivity. Critical data is left vulnerable to accidental deletion with no recovery plan, rendering mission-critical applications unavailable.
Mitigation Strategies for Government Agencies
Federal agencies must establish SaaS usage policies and integrate them into their cybersecurity frameworks. Below are some strategies:
- Data encryption – Encrypt all data at rest and in transit in accordance with Federal Information Processing Standards 140-2 and FIPS 140-3. Select SaaS vendors that have data encryption built into their products.
- Implement zero trust – Follow the zero trust principles of least privilege and role-based access so that employees are not given privileged, admin-level permissions on their devices. This will prevent employees from downloading and using unauthorized apps. Enforce MFA at each application layer along with single sign-on.
- Data loss prevention – DLP policies prevent unauthorized data sharing, help track sensitive data across all SaaS applications and prevent data breaches.
- Security testing – All applications can be scanned using Static Application Security Testing, or SAST, and Dynamic Application Security Testing, or DAST, tools. These tools identify code vulnerabilities and insecure patterns in the application’s source code and recommend mitigation strategies. SAST and DAST tools can be integrated into the continuous integration and continuous development pipeline for applications. This will ensure that developers do not use shadow code, as all code is scanned by the SAST and DAST tools. Penetration testing, a kind of simulated cyberattack, can be performed on applications to identify all security flaws that need to be remediated.
- Security architecture review – Perform a security architecture review at the start of each application project, before software development begins, to ensure all applications have integrations, connections, and system components within the federal agency’s network boundaries and firewall. For secure architecture guidelines, refer to CISA’s TRA.
- Incident response plan – Ensure disaster recovery (for on-premises applications) and incident response plans are up to date, data rollback plans are assessed and tested, and tabletop exercises are conducted.
- Set up application monitoring – Use AI-based monitoring tools to track SaaS app usage and identify suspicious patterns and activities. These tools can also analyze network traffic patterns and detect anomalies indicative of potential unauthorized shadow SaaS use.
- Security training – Federal agencies can run simulated exercises to teach staff members about the dangers of utilizing unauthorized tools. They can also set up frequent review meetings with department heads to understand their tool requirements and identify and address gaps in approved tools. Educate employees about the dangers of shadow SaaS and the need to use approved platforms. Offer security training to employees according to their role in the organization.
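The application-monitoring strategy above can be started without an AI product: proxy logs already record which hosts each user sends data to. The script below is an added example, not code from the article or from any vendor tool; it assumes a constructed approved-SaaS inventory, a constructed proxy log (timestamp, user, method, host, bytes sent) and an assumed 1 MB volume threshold, and it aggregates uploads to hosts outside the inventory so that data leaving for an unapproved app stands out from ordinary browsing.

```python
from collections import defaultdict

# Constructed approved SaaS inventory; in practice this is the agency's
# FedRAMP-approved tool list.
APPROVED_SAAS = {"mail.agency.example", "docs.approved-vendor.example"}

# Constructed proxy log sample: timestamp user method host bytes_sent
SAMPLE_PROXY_LOG = """\
2024-05-01T09:01:00 alice POST docs.approved-vendor.example 120000
2024-05-01T09:05:00 alice GET  news.example 4000
2024-05-01T09:30:00 bob   POST upload.unvetted-share.example 5300000
2024-05-01T09:31:00 bob   POST upload.unvetted-share.example 4800000
2024-05-01T10:00:00 carol POST chat.genai-tool.example 20000
2024-05-01T10:02:00 carol POST chat.genai-tool.example 15000
2024-05-01T10:10:00 bob   GET  mail.agency.example 800
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}   # requests that carry data outward
HIGH_VOLUME_BYTES = 1_000_000               # assumed threshold; tune per agency

def find_shadow_saas_uploads(log_text, approved):
    """Aggregate outbound uploads to hosts outside the approved inventory.

    Returns {host: {"bytes": total_sent, "users": set_of_users, "requests": count}}.
    Plain GET browsing of an unapproved host is ignored: the risk the policy
    targets is agency data being sent to an app nobody vetted.
    """
    findings = defaultdict(lambda: {"bytes": 0, "users": set(), "requests": 0})
    for line in log_text.splitlines():
        _ts, user, method, host, sent = line.split()
        if host in approved or method not in UPLOAD_METHODS:
            continue
        entry = findings[host]
        entry["bytes"] += int(sent)
        entry["users"].add(user)
        entry["requests"] += 1
    return dict(findings)

def severity(finding):
    """High when a large volume leaves or several users share the same unapproved app."""
    if finding["bytes"] >= HIGH_VOLUME_BYTES or len(finding["users"]) > 1:
        return "high"
    return "medium"

if __name__ == "__main__":
    for host, entry in find_shadow_saas_uploads(SAMPLE_PROXY_LOG, APPROVED_SAAS).items():
        print(f"{severity(entry):6} {host}: {entry['bytes']} bytes from {sorted(entry['users'])}")
```

Each finding is a starting point for the review meetings the training strategy describes: a high-severity host is either a tool to onboard through the approval process or a destination to block.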