Shadow IT risks are on the rise as GenAI tools gain popularity with employees


Presented by Dashlane


Enterprises have always faced the risk of a data breach, but today the threat has expanded by many magnitudes, in part due to the boom of generative AI tools. Gartner recently found that the number of SaaS applications used per employee has doubled since 2019, and a good chunk of those applications are AI tools that employees are using without IT oversight.

Unmanaged apps aren’t protected by controls like single sign-on (SSO) or multifactor authentication (MFA), so there’s no visibility into whether these apps, which potentially contain sensitive data, are being accessed with secure credentials, or what type of data or intellectual property is being leaked out into the greater internet, thanks to ChatGPT, Gemini and other tools. 

“The explosion of SaaS apps in the cloud has created a lot of gray areas for IT,” says Fred Rivain, CTO of Dashlane. “The effectiveness of credential and password security has been largely dependent on participation from the user, but today that’s not enough. It’s not enough to just have the classic password manager, or just MFA or single sign-on. You need all of that, plus you need to improve your credential hygiene over the whole scope of the organization.”

The challenges of SSO, MFA and securing credentials

Of course, IT leaders can control what they know about – all their critical systems, and can deploy SSO and MFA on top. But the challenge today isn’t just shadow IT, but the huge number of tools that aren’t compatible with SSO. There’s also what security professionals call “SSO tax,” or the fees vendors charge to add SSO integration. Identifying the tools that need to be secured and adding SSO integration becomes an expensive operation, in both time and money.

Many enterprises opt out of those costs – understandable when enterprises face an average of 53 credentials not automatically covered by SSO (and the likelihood is high that many of those passwords are duplicates), and doing an app inventory across the organization is a major undertaking, requiring C-suite buy-in. In the meantime, small and medium-sized businesses are locked out entirely because they just don’t have the resources to pay for SSO integration. 

Enterprises of every size usually turn to individual, manual passwords, as the initial adoption cost is far lower. Unfortunately, there’s also major hidden administrative costs – as well as profound implications for security posture, because every one of those credentials is a point of risk, and many of those risks are not visible.

“That’s why encouraging employees to use a credential manager to generate a unique and complex password for those systems is critical,” Rivain says. “It helps them develop the right authentication habits and best practices. The hope is that employees are also adding that protection to the unauthorized apps they’re using, which is at least better than the alternative.”

However, employees regularly use and share their credentials, both the strong generated passwords and the weak or compromised credentials they devise themselves. Getting them to understand the risk and stay aware of phishing attempts is often an uphill battle. 

Adding passkeys as a layer of security

Passkeys can add another level of security and help mitigate credential risks in some areas of the organization, Rivain says. They’re a form of passwordless authentication developed by the FIDO Alliance and backed by major technology companies. Passkeys are always unique and strong, and don’t require storing private information on servers. A user is asked to prove their identity when they log in to a website or app. They could use biometric identification like a fingerprint or facial recognition to confirm their identity, or conversely, they could meet a challenge from a credential manager. Once the user is confirmed, they’re logged in automatically, no password necessary. 

Passkeys are far more secure than any password, are phishing-resistant and can’t be stolen or guessed. From a liability perspective, since exposing customer data can land an organization into major legal trouble, asking employees to use passkeys where possible measurably improves security. IT leaders can explicitly encourage teams to use passkeys wherever they’re available in the tools they’re using – for instance, the marketing group can switch to passkeys for most social media platforms. 

However, passkeys as an enterprise solution are not quite ready for prime time, Rivain says. They’re not available for every tool or platform, for one. Plus, it’s still a nascent technology, with some accessibility concerns, like a somewhat clunky UX in Chrome and Apple, as well as issues around proper attestation for passkeys origins, difficult account recovery if a passkey is lost, and no control over where the passkey is stored. 

“Of course, IT admins want that control. They want to know where they’re storing the keys to the kingdom,” Rivain says. “There are a lot of use cases for the enterprise that are not resolved yet around passkeys. That’s part of the work from the FIDO Alliance that’s going to take time as well.”

As more consumers adopt passkeys, which are supported by many larger websites, apps and technology companies, passkeys will become a bigger part of the enterprise security conversation. Rivain predicts that we’ll see entire passwordless solutions for the enterprise in the future, but the situation is still playing out. 

“They’re not perfect, but they’re also a way to put guardrails around employees so they can’t accidentally expose a password, and they’re going to use the technology because it’s more convenient and secure,” he says. “That’s why it is important for industry to keep working on this and keep promoting it. It’s going to be a very long adoption journey, but it’s better than what we used to have.”

Where does that leave the enterprise security-wise? Unsecured credentials like passwords continue to pose a persistent and evolving threat to organizations, even with other protections in place. Enterprises need a whole new approach to security and credentials.

Changing the credential security game

As the number and sophistication of attacks continues to rise, along with the number of invisible, unauthorized apps employees are using, even the best layered security strategy isn’t foolproof.

“We need to find a new approach, one that ensures that even the employees who don’t give much thought to security are still protected, and we need to move to active protection, rather than passive defense,” Rivain explains. “That means going beyond traditional password management to provide credential security for every employee in context and in real time.” 

To that end, Dashlane has integrated detection, intelligence and response capabilities into tools that offer maximum visibility into credential risks. 

Dashlane’s Credential Risk tool continuously monitors company-wide credential data to detect risk in real time. When an employee enters a weak, reused or compromised credential, or is about to enter their information into a suspicious website, the tool automatically sends an alert to IT. Dashlane Nudges automates the credential risk response by sending personalized, automated messages to employees, to alert them to the risk and request them to update their credentials. 

With app login methods continuously scanned, IT gains far greater visibility into credential risk across all the tools and systems that employees use, authorized and not. Meanwhile, employees are encouraged to develop good security habits along the course of their day. 

“There’s a lot of potential in this new approach,” he adds. “We’re trying to tackle the credential problem and security across the organization from a whole new angle, adding one more crucial layer of protection to a robust security strategy.”

Dig deeper: Click here for more on Credential Risk Detection, Dashlane Nudges and other powerful security tools for enterprise. 

To discuss purchasing, visit Dashlane here.


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.



Source link

About The Author