What is Shadow IT—and How Can I Control It?


The rapid adoption of cloud computing and the rise of Bring Your Own Device (BYOD) technology in the workplace have increased employee engagement in shadow IT, which is also known as “the consumerization of IT”.

While shadow IT may sound like some covert technology conspiracy, it simply describes the use of IT-related hardware or software by a department or individual without the knowledge or consent of an organization’s internal IT team. Whereas downloading and using apps and services was once under strict control by IT departments, the cloud has made it easier for users to get whatever they need online. While this provides some benefits to users, IT departments face major challenges managing software and hardware. Shadow IT can also compromise the security of the organization’s network and jeopardize regulatory compliance.


4 Ways to Control Shadow IT

While controlling shadow IT in a cloud-based environment can be difficult, there are steps IT departments can take to curb this practice among employees.


1. Continuous Network Monitoring

It’s imperative that organizations know where their data resides, regardless of whether an employee uses a company-provided device or their own equipment. Continuous system monitoring enables IT personnel to find new and unknown devices within their network. (Companies such as Impulse Point can help with this.) Lists of devices should be recorded and compared regularly so that anything new is easy to spot. IT teams can also capture log data from firewalls, proxies, security information and event management (SIEM) products, and mobile device management (MDM) products to identify services being used without the consent of IT. The data also helps identify who is using unapproved services, how often, and what sort of data is being downloaded or uploaded.
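As an added illustration (not from the original article), the sketch below performs the log review described above: it reads proxy records, skips approved services, totals requests and bytes per user and service, and flags devices missing from the recorded inventory. The log layout, service names, users and MAC addresses are constructed assumptions.

```python
from collections import defaultdict

# Assumptions for this example: sanctioned services and the last recorded device inventory.
APPROVED = {"sharepoint.example.com", "mail.example.com"}
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed sample proxy log (device MAC assumed to be joined in from DHCP/NAC data).
# Fields: timestamp user device_mac method host bytes_uploaded bytes_downloaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice aa:bb:cc:00:00:01 CONNECT sharepoint.example.com 1200 56000
2024-05-01T09:02:10Z bob aa:bb:cc:00:00:02 CONNECT files.unsanctioned.example 5200000 800
2024-05-01T09:05:44Z bob aa:bb:cc:00:00:02 CONNECT files.unsanctioned.example 7400000 950
2024-05-01T09:07:03Z carol aa:bb:cc:00:00:09 CONNECT chat.unsanctioned.example 300 4100
malformed line that should be skipped
2024-05-01T09:09:30Z alice aa:bb:cc:00:00:01 CONNECT MAIL.example.com. 900 12000
"""


def is_approved(host):
    """Match an approved name itself or any subdomain of it."""
    return any(host == a or host.endswith("." + a) for a in APPROVED)


def analyze(log_text):
    """Return (unapproved usage keyed by (user, host), devices not in the inventory)."""
    usage = defaultdict(lambda: {"requests": 0, "up": 0, "down": 0})
    new_devices = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not (parts[5].isdigit() and parts[6].isdigit()):
            continue  # skip malformed records instead of crashing the report
        _, user, mac, _, host, up, down = parts
        host = host.lower().split(":")[0].rstrip(".")  # drop case, port, trailing dot
        if mac.lower() not in KNOWN_DEVICES:
            new_devices.add(mac.lower())
        if is_approved(host):
            continue
        rec = usage[(user, host)]
        rec["requests"] += 1
        rec["up"] += int(up)
        rec["down"] += int(down)
    return dict(usage), new_devices


if __name__ == "__main__":
    usage, new_devices = analyze(SAMPLE_LOG)
    for (user, host), r in sorted(usage.items(), key=lambda kv: -kv[1]["up"]):
        print(f"{user} {host} requests={r['requests']} up={r['up']} down={r['down']}")
    print("devices not in inventory:", sorted(new_devices))
```

Sorting by uploaded bytes puts the largest outbound transfers to unapproved services at the top of the report, which is usually the first thing to review.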


2. Risk Prioritization and Dissemination of Information

Software and services used without the permission of the IT department aren’t inherently bad. The IT team should investigate which services pose the highest risk and block them through existing infrastructure (firewalls, proxies, SIEMs, and MDMs). The same exercise can also uncover more secure services that employees use regularly and that may make them more productive; these can be put on an “approved” list. This allows organizations to make purchase decisions that ensure a software product or service is not going to cause security or compatibility challenges. The approved list should be disseminated regularly so employees know what tools are permitted. Similarly, a “banned” list can be developed, and it should include the penalties for using these services.


3. Offer Alternatives

Employees want to find the best and easiest ways to accomplish their tasks—and today, they expect to do it across multiple devices. Simply saying “no” isn’t always going to be effective. So, organizations need to investigate alternatives that are secure and allow the “anytime, anywhere access” that employees want. By providing alternative solutions, organizations can reduce the risk of employees engaging in shadow IT behaviors and downloading risky software and services that could threaten company security. Without proper tools to get their work done efficiently, you can bet that many employees will find a workaround.


4. Open the Lines of Communication

A lot of employees have little contact with IT (until their computer crashes). So, they may love Skype or Dropbox but not understand why these services might be restricted (and simply blocking the services or threatening employees can create animosity). It’s important that IT teams be open with employees, explain policies, and give employees the chance to explain why they use certain software or services (and why they think they need them). Opening lines of communication between employees and IT can go a long way toward gaining compliance with policies.


An End to Shadow IT?

Shadow IT will probably never be completely controlled, and the benefits of the cloud are sure to outweigh the negatives shadow IT can bring. But by closely monitoring systems, prioritizing risk (maybe making exceptions for less risky add-ons), and being transparent with employees about the dangers of using unauthorized software and services, organizations can greatly reduce shadow IT while building better rapport between IT and all other teams.
