Facing Up To The IT Shadow
Ignore at your own, and your network’s, peril.
Certain psychological schools of thought posit the existence of “the shadow,” a scary figure which lurks in the darkness of the psyche affecting everything we do.
The decentralized, virtualized environment which now characterizes business IT architecture has also given rise to a shadow. And just like its psychological counterpart, so-called shadow IT operates out of sight of business management and can sometimes appear dangerously out of control. It can be painful to look at but if IT professionals fail to deal with shadow IT, it has the potential to do severe damage in terms of data loss and non-compliance fines.
Facing Up to the Shadow
Shadow IT can be thought of as the sum of all the network assets not directly authorized and controlled within your current business IT policies. It includes, but is not limited to, devices such as unauthorised smartphones and tablets; cloud services like DropBox and Google Docs; and third-party applications. As a responsible IT professional, ignoring shadow IT is not a viable long-term strategy.
First, ignoring shadow IT allows it to continue and grow in secret, increasing its ability to undermine security and utilize network resources.
Second, the difference between your authorized IT and shadow IT may not be appreciated by those higher up in the corporate food chain. To the leadership team, if something breaks and it is due to IT, the buck stops with the IT department. Ignorance may turn out to be no defense should your company lose data or be financially impacted by untamed shadow IT.
Third, by actively getting a grip on shadow IT, turning it into numbers and bringing the issue to the board, you are more likely to earn the respect of the leadership team and even to secure additional resources to help you do your job.
Finally, anything that harms the business as a whole will harm you as a department and as individual employees. There is no valid case to be made for ignoring shadow IT.
How to Detect Shadow IT
Once you have decided to face the nightmare of shadow IT, the first step is to incorporate it into your existing network monitoring system.
You will undoubtedly already have network management software set up that can monitor the assets used by users logged in to their company accounts. By analysing each user's assets, you can determine whether non-authorized devices or services are being accessed.
Nevertheless, you should still set alerts for new and unknown devices appearing on the network, and carefully compare successive scans to pinpoint when and how they are making a connection. Regularly checking connection logs from firewalls and proxies for evidence of shadow IT is also advisable.
As with all IT monitoring and troubleshooting processes, the frequency and granularity of scans will need to be weighed against the resource cost. If extensive shadow IT is suspected, however, creating a dedicated shadow IT project is well worth considering, particularly when factoring in the potential privacy, security, and compliance issues involved.
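The two checks described above, comparing a discovery scan against the authorized device inventory and sweeping proxy logs for destinations outside the sanctioned-service list, as an added example that is not part of the original article. The device inventory, scan results, proxy log lines (in a simplified Squid-style format) and the sanctioned-domain list are all constructed sample data, and the log format is an assumption rather than any specific product's output.

```python
"""Added example (not from the article): flag devices that appeared since the
last authorized baseline, and count proxy-log connections to hosts that are
not on the sanctioned-service list. All data below is constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed baseline: devices IT knows about, keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "finance-laptop-01",
    "aa:bb:cc:00:00:02": "printer-floor2",
}

# Constructed result of a discovery sweep: (MAC, IP, reported hostname).
CURRENT_SCAN = [
    ("aa:bb:cc:00:00:01", "10.0.1.10", "finance-laptop-01"),
    ("aa:bb:cc:00:00:02", "10.0.1.20", "printer-floor2"),
    ("de:ad:be:ef:00:03", "10.0.1.77", "iPhone"),
]


def find_unknown_devices(scan, authorized):
    """Return scan entries whose MAC is absent from the authorized inventory."""
    return [dev for dev in scan if dev[0] not in authorized]


# Constructed proxy log lines (assumed format): <epoch> <client_ip> <method> <url> <status>
PROXY_LOG = """\
1700000000 10.0.1.10 CONNECT www.dropbox.com:443 200
1700000001 10.0.1.10 GET https://intranet.example.com/reports 200
1700000002 10.0.1.77 CONNECT wetransfer.com:443 200
1700000003 10.0.1.77 CONNECT www.dropbox.com:443 200
1700000004 10.0.1.20 GET https://updates.example.com/firmware 200
this line is deliberately malformed and must be skipped
"""

# Constructed allowlist of services the business provides itself.
SANCTIONED_DOMAINS = {"intranet.example.com", "updates.example.com"}

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def destination_host(url_field):
    """Extract the hostname from a full URL or a CONNECT host:port field."""
    if "://" in url_field:
        return urlsplit(url_field).hostname
    return url_field.rsplit(":", 1)[0]


def unsanctioned_destinations(log_text, sanctioned):
    """Count (client_ip, host) pairs that reached hosts outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of aborting the sweep
        _, client, _, url, _ = match.groups()
        host = destination_host(url)
        if host and host not in sanctioned:
            hits[(client, host)] += 1
    return hits


if __name__ == "__main__":
    for mac, ip, name in find_unknown_devices(CURRENT_SCAN, AUTHORIZED_DEVICES):
        print(f"ALERT: unknown device {name} ({mac}) at {ip}")
    hits = unsanctioned_destinations(PROXY_LOG, SANCTIONED_DOMAINS)
    for (client, host), count in hits.most_common():
        print(f"{client} -> {host}: {count} connection(s)")
```

Keying the device check on MAC address rather than IP matters because DHCP reuses addresses between scans; an IP-based diff produces both false alerts and missed devices. The allowlist here matches whole hostnames, so a sanctioned `example.com` would not automatically cover its subdomains; matching on the registrable parent domain is a reasonable refinement once the list grows.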
Using Specific Shadow IT Detection Software
There are now countless apps, virtual services, and cloud providers in Los Angeles, Miami, New York, and further afield. It can be almost impossible to identify and trace their signatures from a firewall log.
As part of your shadow IT clean-up drive, it is worth considering the shadow IT-specific software that is increasingly available to IT professionals.
Some software can monitor the network for thousands of different applications and cloud services not yet categorized by firewalls and proxies, simplifying and speeding up the shadow IT detection process. Access count, traffic patterns, and usage trends can add more information to build up a fuller picture of the extent of shadow IT exposure.
Some services can assist hard-pressed IT professionals even further by analysing and categorizing cloud services in terms of risk, helping them to prioritize the services and platforms that pose the greatest security risk. As would be expected, data can be modified and customized to suit individual company risk profiles, and reports can be filtered and converted into various formats (csv, Excel, pdf, etc.) to help present the data in a meaningful way.
Some services include policy enforcement capability, restricting access rights and, when integrated with firewalls and proxies, helping to identify new and insecure configurations.
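The categorize-rank-enforce workflow the last three paragraphs describe, as an added example that is not part of the original article and not the code of any vendor product. The service catalogue, the risk scores, the aggregated usage counts and the block/read-only thresholds are all constructed assumptions; a real product supplies a catalogue of thousands of services and lets the company tune the scores to its own risk profile.

```python
"""Added example (not from the article or any product): profile discovered
cloud services by category and risk, rank the exposure, derive a policy action
per service, and export the result as CSV. All data below is constructed."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    category: str
    risk: int          # constructed score, 1 (low) to 10 (high)
    sanctioned: bool   # True if the business provides this service itself


# Constructed catalogue standing in for a vendor's service database.
CATALOGUE = {
    "www.dropbox.com": ServiceProfile("file sharing", 6, False),
    "wetransfer.com": ServiceProfile("file sharing", 8, False),
    "docs.google.com": ServiceProfile("collaboration", 5, False),
    "intranet.example.com": ServiceProfile("internal", 1, True),
}

# Services not in the catalogue are treated as risky until someone reviews them.
UNKNOWN = ServiceProfile("uncategorized", 7, False)

# Constructed usage aggregated from proxy logs: host -> (connections, distinct users).
USAGE = {
    "www.dropbox.com": (420, 12),
    "wetransfer.com": (35, 2),
    "docs.google.com": (900, 40),
    "files.unknown-saas.example": (3, 1),
    "intranet.example.com": (5000, 120),
}

FIELDS = ["host", "category", "risk", "connections", "users", "action"]


def policy_action(profile, block_at=8, readonly_at=5):
    """Map a service profile to an action. Thresholds are assumed defaults."""
    if profile.sanctioned:
        return "allow"
    if profile is UNKNOWN:
        return "review"      # no catalogue entry: a human decides, not the script
    if profile.risk >= block_at:
        return "block"
    if profile.risk >= readonly_at:
        return "read-only"   # e.g. permit viewing but not uploads
    return "allow"


def exposure_report(usage, catalogue):
    """Rows sorted by risk, then by user count, each with a policy action."""
    rows = []
    for host, (connections, users) in usage.items():
        profile = catalogue.get(host, UNKNOWN)
        rows.append({
            "host": host,
            "category": profile.category,
            "risk": profile.risk,
            "connections": connections,
            "users": users,
            "action": policy_action(profile),
        })
    rows.sort(key=lambda r: (-r["risk"], -r["users"]))
    return rows


def to_csv(rows):
    """Render the report in CSV, one of the export formats the article lists."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(exposure_report(USAGE, CATALOGUE)), end="")
```

Sorting by user count within a risk tier is deliberate: a moderate-risk service that forty people have adopted says more about an unmet business need than a high-risk one used by a single person, and that adoption figure is exactly the number worth bringing to the board.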
Embracing the Shadow
Recognising and facing up to the shadow — and shadow IT — is the easiest part. The road to healing comes from embracing it, no matter how much it worries and disturbs you.
This is not something that the IT department can or should be wholly responsible for. Shadow IT is a signal that the business is either not providing a critical service or tool, or that the tools it does provide are not fast or smart enough. After all, if the head of finance is logging on to his/her smartphone to access company accounts out of hours, is it because they don’t have the option of a company-owned device? If the business is asking the marketing team to deliver multi-gigabyte files to third parties with nothing but an email account to work with, is it any wonder they are using DropBox or WeTransfer?
Rather than blaming employees for using shadow IT and banning it (which is unlikely to work anyway), a more productive stance is to ask them what they need to do their job and to look for in-house solutions. Some companies call a shadow IT amnesty, in which employees are invited to disclose any non-authorized IT they are using, with a view to finding alternatives rather than punishing them.
The business can then follow this “no questions asked” policy with a deep security audit whereby existing policies are refined and redrafted and automated policy controls installed with any future changes requiring approval from the leadership team. Policy actions might include blocking access to the highest risk services altogether and restricting access to others (e.g., setting permissions to “read-only” either across the board or depending on user role).
Shadow IT is a fact of the modern workplace, arising from the increasing availability of enterprise-grade technology in the public sphere. Although facing and sizing up the shadow is a necessary first step, only by truly embracing its existence can a business draw the necessary lessons and use these to neutralize the very real danger it poses.
This article was originally posted as “Facing Up To The IT Shadow” in Cloud Strategy Magazine.