Shadow IT is a somewhat recent and fancy term that has been given to any software, hardware, or technology in general that is used within an organization outside the purview of the IT department. Anything that isn’t sanctioned and centrally controlled by the organization’s IT department, or that they don’t know exists, falls into this category. In today’s world of fast-moving business and impatient executives, it shouldn’t surprise you that the use of Shadow IT is growing, according to almost any article or IT manager you ask. I could throw in any number of random statistics here, but they are all fairly generic or based on small sample sizes, so suffice it to say it’s a problem. In this article, we’re going to go into more detail on what exactly constitutes Shadow IT and discuss some ways you can try to control it within your organization.
Routers, SaaS, and Google Docs, Oh My!
As the prevalence of Shadow IT continues to increase, so does the risk it presents to an organization. But to understand some of these risks, we need to touch on a better definition of Shadow IT and go through some examples. Basically, if Karen in Marketing spins up a Google Doc and puts some credentials in there for “safe keeping” so she can more easily share them with the internal team and external marketing partners, this could be considered Shadow IT if she didn’t get the IT team’s approval first (which she clearly didn’t, if she went ahead with this plan). If an application or piece of hardware was obtained without centralized approval from the IT team, or at least acknowledgement from the IT team, these assets can’t be effectively tracked. And if they aren’t being tracked, that likely means they are being forgotten when it comes to asset inventories, data flow tracking, security control implementation, and risk assessments. Sometimes, just as important as the security risk these things present to an organization is the compliance risk they present: if elements of Shadow IT are discovered, they could quickly put an organization into a state of non-compliance with standards and regulations such as PCI DSS or Sarbanes-Oxley.
So let’s look at some examples to give you a better idea of what all can be included under the umbrella of Shadow IT:
- Personally procured software installed on organizational assets
- Cloud-based storage solutions (Box.com, Google Drive, Amazon S3, etc.)
- Third-party SaaS applications (data analysis, business intelligence, HR, etc.)
- Wireless access points, routers, switches, printers, personal computers – basically anything that plugs into an organization’s network
- Physical storage devices (External hard drives and USB sticks)
- Chat/Messaging applications (Slack, Skype, WhatsApp, Signal, etc.)
What’s the Big Deal?
There are a ton of security risks and organizational implications when it comes to Shadow IT, some more important than others:
- Increased Risk of Data Loss or Sensitive Information Leaks – If security controls aren’t applied to these unsanctioned assets, they could be at an increased risk of compromise. Alternatively, employees could be using them in unintended ways, exposing sensitive information in the process.
- Inconsistency – Policies, procedures, security controls, and monitoring can’t be applied to assets that aren’t known.
- Compliance Risk – Unknown applications and devices aren’t on asset inventories and aren’t being audited for compliance purposes.
- Inefficiencies – Employees could be duplicating effort if a more centralized product they aren’t aware of is already in use, leading to wasted resources.
- Loss of Productivity – Sometimes, Shadow IT just means wasted man-hours, because certain applications are banned in an organization for a reason.
What Can You Do?
How can you stop or control something that you don’t know is there? You can’t! That’s why the first step in tackling this problem is understanding how big of a problem it is in your organization. Now this is easier said than done. You can review your firewall logs and look at domain frequency or, if you’re lucky, your firewall might even have application categorization and logging. So by reviewing who is going to what sites most frequently and transferring the most data, you can probably find any big offenders. For hardware, regularly updating your asset inventory either through a manual process or using automated network discovery tools (or Network Access Control if you can) is a good starting place. Combined with visible asset inventory tags and physical walk-arounds, that’s probably your best bet.
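The firewall log review described above, as an added example that is not part of the original article: it tallies outbound traffic per destination domain and ranks the domains IT has not sanctioned by upload volume, so the big offenders surface first. The log format, user names, domains, and sanctioned list are all constructed for the example.

```python
"""Tally outbound web traffic per destination domain from firewall/proxy logs.

Assumed log format (constructed for this example, not from any real product):
  <timestamp> <src_user> <dst_domain> <bytes_sent> <bytes_received>
"""
from collections import defaultdict

# Constructed sample lines; users and traffic volumes are fictional.
SAMPLE_LOG = """\
2024-03-01T09:00:01 kmarketing docs.google.com 524288 10240
2024-03-01T09:05:12 kmarketing docs.google.com 2097152 4096
2024-03-01T09:07:44 jfinance intranet.example.internal 2048 65536
2024-03-01T09:10:03 jfinance dropbox.com 157286400 1024
2024-03-01T09:12:30 sdev api.slack.com 4096 8192
2024-03-01T09:15:00 sdev intranet.example.internal 1024 32768
"""

# Destinations IT has approved (assumed list); anything else is a Shadow IT candidate.
SANCTIONED = {"intranet.example.internal", "api.slack.com"}

def parse_line(line):
    ts, user, domain, sent, recv = line.split()
    return {"user": user, "domain": domain, "sent": int(sent), "recv": int(recv)}

def summarize(log_text):
    """Per domain: request count, bytes uploaded, and the set of users seen."""
    stats = defaultdict(lambda: {"hits": 0, "sent": 0, "users": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = stats[rec["domain"]]
        entry["hits"] += 1
        entry["sent"] += rec["sent"]
        entry["users"].add(rec["user"])
    return stats

def unsanctioned_by_upload(stats, sanctioned=SANCTIONED):
    """Unknown domains, largest outbound volume first: the likely cloud-storage
    and file-sharing use that an asset inventory knows nothing about."""
    rows = [(d, s["hits"], s["sent"], sorted(s["users"]))
            for d, s in stats.items() if d not in sanctioned]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for domain, hits, sent, users in unsanctioned_by_upload(summarize(SAMPLE_LOG)):
        print(f"{domain:28} hits={hits:3d} uploaded={sent / 1e6:8.1f} MB users={','.join(users)}")
```

Pointing this at a day of real proxy or firewall logs gives you a starting list of domains and users to follow up on with the business owners, not a verdict; a sanctioned tool will often show up here until the list is maintained.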
When it comes to locally installed software, hopefully your organization is already controlling this somehow, since it’s a big risk on its own. If employees are local administrators and allowed to install anything they want, you are at significantly increased risk of a data breach or social engineering compromise, because malware is often the delivery mechanism for those attacks. You also lose the ability to control the software your users install on their corporate assets. This can range from video games that waste productivity, to unsanctioned VPNs that can be used for nefarious activity, to outright malware. Taking away local admin rights from users is the first step; the next is to centrally control software installations through tickets with supervisor approval (for tracking purposes) and to use a centralized software deployment and update manager like SCCM. The ultimate goal would be application whitelisting in your environment, but this can be difficult and resource intensive for some organizations to implement.
If all this seems overwhelming, don’t worry; we covered a lot of ground here. Recognizing that this may be a problem for you is the first step. If you need help looking into the prevalence of Shadow IT in your organization, we’re always more than happy to help. We can perform a Sensitive Data Mapping assessment to help identify where sensitive information in your organization is going, and that oftentimes leads to a lot of unknown resting locations like hard drives and cloud applications. Or, even if you just want to discuss how to tackle this problem on your own, reach out and we’d love to discuss further.