Wednesday, November 30, 2022

Should Shadow IT at Your Organization Be Prevented?

Introduction

"Shadow IT" typically refers to staff members' work-related use of hardware, software or cloud services without the knowledge or approval of the IT organization. Employees engage in shadow IT mostly to work more efficiently: they sometimes feel they have to work around the organization's existing security controls to get their job done. Some common examples of Shadow IT include:

  • Slack, Trello, and other productivity and collaboration tools
  • Skype and other VoIP tools
  • Google Docs, Gmail, Drive, and other parts of Google Workspace, or Microsoft 365 (when not officially licensed or sanctioned by the IT department)
  • Dropbox, Megaupload, and other consumer file-sharing and cloud storage services
  • Apple AirDrop and other Bluetooth-based sharing tools
  • WhatsApp and other messaging apps
  • USB flash drives and external hard drives
  • Personal laptops, tablets, and smartphones.

Use of SaaS and cloud services is growing at a staggering pace, and this growth has increased the adoption of Shadow IT. While organizations consciously adopt some cloud applications, others are introduced by employees in an ad-hoc manner, either to aid business productivity or for personal use.

Shadow IT is not inherently dangerous, but features such as file sharing, storage and collaboration (e.g., Google Docs) can move sensitive data outside the organization's control, where it is neither backed up, monitored nor covered by incident response. Beyond the security risk, it also wastes money when different departments unknowingly purchase duplicate solutions.

Recommendations:

The following recommendations can be implemented to control Shadow IT within your organization's network infrastructure.

·       Discover Shadow IT by Monitoring for Unsanctioned Applications

Logs from firewalls, network access controllers, DHCP servers and other network security devices can be used to detect shadow IT: URL-filter and application-signature logs show which SaaS destinations users actually reach, and DHCP lease logs and Wi-Fi access point logs reveal devices connecting to the corporate Wi-Fi network that are not in the asset inventory. Note that a firewall can only classify HTTPS destinations by hostname if it sees the TLS SNI or performs TLS inspection; raw IP addresses alone are a poor basis for this analysis.

Organizations need to establish a process to analyze these application signatures critically and compile a list of the unsanctioned applications employees are using within the network. This can be done either with automated tools or through a manual process.

Once the unsanctioned applications are detected, organizations need to properly manage them by identifying

o   Business needs,

o   Risk and compliance issues,

o   Frequency and usage patterns of these applications,

o   Opportunities for streamlining and cost reduction
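As an added illustration of the analysis described above (this is example code, not part of the original post), the following Python script reads constructed firewall URL-filter log lines and DHCP lease lines, flags destinations that are not on a sanctioned-domain list, aggregates hits, bytes and users per unsanctioned application (the "frequency and usage patterns" input to the review), lists leases handed to MAC addresses missing from the asset inventory, and joins the two views so you can see what the unregistered devices talked to. The log formats, the sanctioned-domain list, the inventory and every log line are assumptions made for the example; real firewall and DHCP logs will need their own parsers.

```python
"""Added example (not from the original post): pick out unsanctioned SaaS
destinations and unregistered devices from firewall and DHCP logs.
The log formats, the sanctioned-domain list, the asset inventory and every
log line below are constructed for illustration."""
import re
from collections import defaultdict

# Assumption: domains the IT department has sanctioned (matched on any parent domain).
SANCTIONED_DOMAINS = {"office365.com", "sharepoint.com", "microsoft.com"}

# Assumption: asset inventory keyed by MAC address.
REGISTERED_MACS = {
    "aa:bb:cc:00:00:01": "LAPTOP-FIN-01",
    "aa:bb:cc:00:00:02": "LAPTOP-HR-07",
}

# Constructed URL-filter log lines in a simple key=value layout.
FIREWALL_LOG = """\
2022-11-30T09:01:12 src=10.1.20.15 user=alice dst=app.slack.com bytes=48213 action=allow
2022-11-30T09:02:40 src=10.1.20.15 user=alice dst=outlook.office365.com bytes=12000 action=allow
2022-11-30T09:05:03 src=10.1.20.31 user=bob dst=www.dropbox.com bytes=5242880 action=allow
2022-11-30T09:06:10 src=10.1.20.31 user=bob dst=api.trello.com bytes=2200 action=allow
2022-11-30T10:15:00 src=10.1.20.15 user=alice dst=app.slack.com bytes=1024 action=allow
2022-11-30T10:20:00 src=10.1.20.44 user=carol dst=www.dropbox.com bytes=9400000 action=allow
garbage line that does not match the expected format
"""

# Constructed DHCP server log lines (simplified, dhcpd-like wording).
DHCP_LOG = """\
2022-11-30T08:55:01 DHCPACK on 10.1.20.15 to aa:bb:cc:00:00:01 (LAPTOP-FIN-01) via wlan0
2022-11-30T08:58:44 DHCPACK on 10.1.20.31 to aa:bb:cc:00:00:02 (LAPTOP-HR-07) via wlan0
2022-11-30T09:03:19 DHCPACK on 10.1.20.44 to de:ad:be:ef:12:34 (iPhone) via wlan0
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"bytes=(?P<bytes>\d+) action=(?P<action>\S+)$"
)
DHCP_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\((?P<host>[^)]*)\) via (?P<iface>\S+)$"
)


def is_sanctioned(host):
    """True if the host or any of its parent domains is on the sanctioned list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SANCTIONED_DOMAINS for i in range(len(labels)))


def registrable_domain(host):
    """Collapse a hostname to its last two labels (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_unsanctioned_apps(fw_text):
    """Aggregate hits, bytes and users per unsanctioned domain; malformed lines are skipped."""
    report = defaultdict(lambda: {"hits": 0, "bytes": 0, "users": set()})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m or is_sanctioned(m["dst"]):
            continue
        entry = report[registrable_domain(m["dst"])]
        entry["hits"] += 1
        entry["bytes"] += int(m["bytes"])
        entry["users"].add(m["user"])
    return dict(report)


def find_unregistered_devices(dhcp_text):
    """Map MAC -> (ip, hostname) for leases handed to devices absent from the inventory."""
    return {
        m["mac"]: (m["ip"], m["host"])
        for m in map(DHCP_RE.match, dhcp_text.splitlines())
        if m and m["mac"] not in REGISTERED_MACS
    }


def traffic_from_unregistered(fw_text, dhcp_text):
    """Join the two views on the leased IP: what did unregistered devices talk to?"""
    ip_to_host = {ip: host for ip, host in find_unregistered_devices(dhcp_text).values()}
    return [
        (m["src"], ip_to_host[m["src"]], m["dst"])
        for m in map(FW_RE.match, fw_text.splitlines())
        if m and m["src"] in ip_to_host
    ]


if __name__ == "__main__":
    for domain, e in sorted(find_unsanctioned_apps(FIREWALL_LOG).items()):
        print(f"{domain:<14} hits={e['hits']:<3} bytes={e['bytes']:<10} users={sorted(e['users'])}")
    for mac, (ip, host) in find_unregistered_devices(DHCP_LOG).items():
        print(f"unregistered: {mac} {ip} {host!r}")
    for src, host, dst in traffic_from_unregistered(FIREWALL_LOG, DHCP_LOG):
        print(f"{host!r} ({src}) -> {dst}")
```

Two design choices matter in practice. Sanctioning is checked against parent domains, so listing office365.com covers every Microsoft 365 hostname without enumerating them, while collapsing destinations to a registrable domain keeps the report per application rather than per CDN hostname. Lines that do not fit the expected format are skipped rather than aborting the run, because a single malformed log entry should not stop a daily review job; in production you would count those skips and alert if they spike.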

·       Maintain an Approved List of Software

Once the applications have been detected and evaluated as described above, organizations should create a list of approved and unapproved applications and share it with employees as a reminder of what is accepted within the company.

An approved software list also gives the IT team a concrete basis for regulating what can be installed on endpoints, for example by enforcing it through application allow-listing rather than relying on users to consult the list.

·       Regulate access to approved software through perimeter security controls.

Organizations should implement controls on the perimeter firewalls to regulate access to the allowed SaaS offerings and websites by configuring URL filtering and application-signature filtering. Which applications to permit should be decided after a comprehensive survey of business requirements and with senior management's approval of the new strategy for regulating shadow IT; blocking a tool that a team depends on without offering a sanctioned alternative only pushes that team toward a less visible workaround.

·       Register the devices allowed to connect to the corporate network:

Several technical controls can be implemented within an organization's existing network infrastructure to control access to the office network, for example 802.1X enterprise Wi-Fi authentication, switch port security, and network access control (NAC). These limit connections to registered, managed devices, so the personal laptops, tablets and phones listed above cannot simply join the corporate network.

·       Conduct awareness sessions to educate end users.

Lack of awareness of the authorized solutions, and of how to request a new one, is often what drives employees to select unauthorized solutions. Awareness sessions should cover both the approved tools and the risks of the unapproved ones.

·       Establish a Procedure for New Technology Purchases

Organizations need a procedure that checks both the security and the business requirements of any new purchase of SaaS or other applications and IT technologies. Employees should obtain prior approval for new purchases rather than making their own purchasing decisions with company-issued credit cards.

·       Respond Quickly to Purchase Requests

The IT team also needs to reduce its response time and shorten the evaluation period for technology requests by fast-tracking the decision-making process; a slow approval path is itself a driver of shadow IT.

·       Vendor Management

Essential tasks such as vendor management need to be handled by the IT department, which understands the process, rather than being left to individual employees.

·       Establish a Collaborative Culture

A collaborative culture needs to grow between the organization's IT team and the business units and employees that procure SaaS applications for the growth of the business. It is imperative to build relationships with these SaaS buyers; that helps the IT team understand their needs, remove communication barriers, and empower them.

·       Embrace Shadow IT, Securely

No matter how hard an organization tries to mitigate Shadow IT, shadow SaaS will continue to grow. With the growth of SaaS, employees no longer need IT's assistance or permission to acquire the most powerful applications in the world; they just need an email address and a credit card, and often start with free accounts that can be upgraded later. Organizations should acknowledge the benefits and create a framework that lets employees use the right tool for the job while maintaining governance and control over the organization's technologies and data.