Shadow IT and Shadow APIs: What are they and why are they a security risk?
What is “Shadow Security,” and why should you care about it?
So you want to know more about shadow security…
It’s no secret that security loves fancy marketing words and concepts. Perhaps security professionals think it helps sell security best practices to end-users and drive engagement. (And maybe it works?)
Security started this trend with military terms and comparisons, but the latest version leans heavily into “shadows.”
It started with “Shadow IT”: a concept to explain when users and employees buy/use software without telling the security team. While creating a quick, free Slack workspace for some temporary communication might seem trivial, it creates more opportunities for sensitive data to come and go as well as another service for targeted credential attacks, all without security oversight.
In fact, a 2019 Everest Group study found that nearly half of the IT budget is spent on software that “lurks in the shadows.” (And that is a pre-pandemic number.) Needless to say, unchecked software causes a huge headache for the security team.
The newest “shadow” term to join the ranks, though, is “Shadow APIs.”
What are Shadow APIs?
Shadow APIs occur when an API endpoint becomes abandoned, outdated, and forgotten (usually in that order). This creates avenues into the application and backend data that are usually not getting the latest patches and not being monitored.
Moreover, there are all kinds of tools and techniques that hackers can use to find these “shadow API” endpoints, such as simple reconnaissance using Google or legacy document searches or active enumeration using dirb or Burp Suite.
How should security teams manage Shadow IT and Shadow APIs?
In fast-paced work environments, it can be very difficult for an overworked security team to manage these shadowy threats. The keys to managing these threats are communication and planning.
When it comes to Shadow IT, ensure that everyone knows the approved tools and software for use. Make it easy to onboard people to these tools and help newcomers learn to use them. In addition, have a clear process for new tool requests that is quick and efficient.
For Shadow APIs, the development team should always maintain a list of active API endpoints and perform regular maintenance to ensure the list is up-to-date and matches available endpoints in the source code. Any changes to endpoints should be clearly communicated and decommissioned endpoints should be removed as quickly as possible.
Removing these shadow resources ultimately requires everyone's involvement, whether it’s security, development, or IT.
But, as Samwise Gamgee says in the Lord of the Rings: “In the end it's only a passing thing, this shadow; even darkness must pass. A new day will come. And when the sun shines it will shine out the clearer.”
So keep at it, security professionals. The sun will shine on those shadows eventually!