What are shadow IDs and how are they crucial in 2022?


Just before Christmas, in a unique case, JPMorgan was fined $200 million for employees who used unsanctioned applications to communicate about financial strategy. No mention of insider trading, naked shorting or malicious intent. Only employees circumventing regulations with, well, shadow IT. Not because they were trying to cover up or hide anything, just because it was a useful tool that they preferred over other sanctioned products (JPMorgan certainly has quite a few).

Visibility of unknown and unapproved applications is required by regulators and has long been recommended by the Center for Internet Security community. Yet it seems that there is still a demand for new and better approaches. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

“Shadow IDs”, or in other words, unmanaged employee identities and accounts in third-party services, are often created with a simple email and password registration. CASBs and enterprise SSO solutions are limited to a few sanctioned applications and are not widely adopted across most websites and services. This means that much of an organization’s external surface – as well as user identities – can be completely invisible.

Most importantly, these shadow IDs remain unattended even after employees leave the organization. This could lead to unauthorized access to sensitive customer data or other cloud-based services. Employee-created but business-related identities are also invisible to most IDM/IAM tools. The graveyard of forgotten ex-employees' accounts and abandoned applications is growing every day, ad infinitum.

And sometimes the dead rise from their graves, as with the Joint Commission On Public Ethics, whose legacy system was breached this year, even though it has been out of service since 2015. They have rightly informed their legacy users because they understand that password reuse can stretch over several years, and according to Verizon, stolen credentials are still the largest contributor to breaches and attacks of all kinds. So when Shadow IDs are left behind, they create a perpetual risk that is neither seen nor controlled by anyone.

How to report on Shadow IT and Shadow IDs?

Unfortunately, network monitoring misses the mark, as these tools are designed to filter malicious traffic, protect against data breaches, and create category-based rules for browsing. However, they are completely blind to actual logins and thus cannot distinguish between browsing, private accounts, and corporate application (or phishing site for that matter) logins. To discover and manage shadow IDs and shadow IT, there must be application and account level monitoring that can create a trusted, global source of truth across the organization.

Discovering these assets by checking the use of business-related credentials on each website will give you a unified view of unapproved or unwanted applications. App and account inventory provides insight into the true extent of external services and identities used across the organization. They also make it possible to assess third-party providers on their policies, security and authentication measures, and how they manage and maintain your data.

It’s impossible to correctly categorize all the quarter million new domains that are registered around the world every day, so monitoring the domains that appear on our endpoints is the right approach. As a side effect, it will reveal logins to suspicious or new apps and provide insight into successful phishing attacks that were not prevented at a gateway or on the customer side, and where employees gave away important credentials.
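The account-level inventory described above can be sketched as follows. This is an added example, not code from Scirge or from the original article; the corporate domain, sanctioned-app list, offboarding feed and login events are all constructed assumptions, and the sensor is assumed to report only the login identifier and site, never the password.

```python
from collections import defaultdict
from datetime import date

CORP_DOMAIN = "example.com"                          # assumed corporate e-mail domain
SANCTIONED = {"sso.example.com", "crm.example.net"}  # assumed approved applications
DEPARTED = {"bob@example.com": date(2022, 1, 31)}    # assumed HR offboarding feed

# Constructed login events, as an endpoint or browser sensor might report them:
# (date, login identifier typed into the form, site domain)
EVENTS = [
    (date(2021, 11, 2), "alice@example.com", "sso.example.com"),
    (date(2021, 11, 9), "alice@example.com", "files.example.org"),
    (date(2021, 12, 1), "bob@example.com", "chat.example.org"),
    (date(2022, 1, 10), "Bob@Example.com", "chat.example.org"),
    (date(2022, 2, 3), "carol@example.com", "files.example.org"),
    (date(2022, 2, 4), "carol.private@mail.example", "shop.example.org"),
]

def build_inventory(events, corp_domain=CORP_DOMAIN, sanctioned=SANCTIONED):
    """Map each unsanctioned site to the corporate identities seen logging in."""
    inventory = defaultdict(dict)  # domain -> {identity: (first_seen, last_seen)}
    for day, identity, domain in events:
        identity, domain = identity.lower(), domain.lower()
        if not identity.endswith("@" + corp_domain):
            continue  # private account: not a business-related identity
        if domain in sanctioned:
            continue  # already covered by SSO / IAM
        first, last = inventory[domain].get(identity, (day, day))
        inventory[domain][identity] = (min(first, day), max(last, day))
    return dict(inventory)

def orphaned_accounts(inventory, departed=DEPARTED):
    """Shadow IDs whose owner has left the organization."""
    return sorted((identity, domain)
                  for domain, accounts in inventory.items()
                  for identity in accounts if identity in departed)

if __name__ == "__main__":
    inv = build_inventory(EVENTS)
    for domain, accounts in sorted(inv.items()):
        print(domain, sorted(accounts))
    print("orphaned:", orphaned_accounts(inv))
```

The orphaned list is the part IDM/IAM tooling does not see: accounts that still exist at a third party after the employee's directory entry is gone.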

Scirge is a browser-based tool that provides complete visibility into shadow IDs and shadow IT, password hygiene for third-party corporate and corporate web accounts, and even real-time employee education and awareness. It also has a completely free version to monitor your cloud footprint, giving you instant insight into the extent of Shadow IT among your employees.