And, in the Darkest Corner of Shadow IT: Privacy.
When it comes to shadow IT and security, we have blogged about the oversight and challenges of password protection and employee-created accounts many times before. With the release of Scirge 3.1, we have taken this to the next level, improving the efficiency of our detection capabilities while simultaneously protecting employee privacy.
We have built Scirge with privacy in mind from the beginning, with a policy design that only collects data that customers specifically choose. In addition, it is already one of the principle features to allow the anonymization of personal data for auditors or administrators – even for logging and alerting.
Now, we have updated our policy design to allow for an additional use-case: detecting the private reuse of corporate passwords without collecting any PII data from our employees.
Why is this important in the first place? We have already been able to uncover the use of weak, shared, reused, or breached passwords, but our policies required the collection of the complete account information, including the email address and the URL that was used, along with the passwords. This works great for corporate emails, as these are owned by the organization and regulated by internal policies. We have been able to create never-before-seen inventories of shadow IT usage and accounts, as well as helping to elevate password hygiene.
In all honesty though, we had a bit of an issue with personal accounts. It goes without saying that reusing a corporate password (even an Active Directory password) in a personal account – whether for entertainment, personal finances, or any other purpose – is a properly scary topic for security. With billions of breached records available out in the wild, the correlation of different emails belonging to the same person becomes a likely threat for high-profile employees and executives.
When such correlations are made by attackers, private passwords become much more valuable, as it is likely that the same password has been used for your corporate accounts. After all, we are human and, when we are forced to create and remember strong business passwords, it only makes sense to reuse them for our private accounts, since their strength and complexity was confirmed by corporate policies.
This is one of the darkest corners of shadow IT, as the personal nature of such accounts are not even relevant for the organization. The passwords reused in them, however, can introduce invisible backdoors to our kingdom. Monitoring personal activity has always been a controversial topic, but we believe that the only way to go is to provide 100% privacy and 100% security at the same time.
Simply put, the challenge of these accounts is to discover the private reuse of corporate passwords without breaching the privacy of the individuals.
And this is exactly what we did. Starting with Version 3.1, it is possible to collect password hashes without collecting the account information – i.e., without collecting email addresses or the URLs where they were used. This means that policies may be set up to monitor personal activity, but with the sole intention of pinpointing if someone is reusing a corporate password in a private application. Of course, this only requires us to collect the secure hashes of private passwords and compare them to other corporate passwords’ hashes. A one-way secure hash is not personally identifiable; thus, it falls out of range for privacy concerns. By the way, we also never store the cleartext version of corporate passwords to avoid introducing a new source of weakness into the organization.
Password hashes can be stored in our local environment without ever being sent anywhere, just so that we are able to compare and correlate them for reuse and sharing detection. This new setup allows us to shed light on even the darkest corners of shadow IT, while respecting our employees and without compromising privacy.
Scirge provides a unique approach to unveil and gain control over unmanaged third-party web accounts. Scirge tracks the websites employees use corporate email addresses to register on and log in to. Having a central dashboard of discovered accounts helps to reduce the risk of credential-related threats such as password reuse or account takeover (ATO). Scirge gives a level of control over SaaS usage to overcome Shadow IT. It also helps to ensure that your company complies with GDPR, CCPA, and other audit requirements.