denisismagilov - Fotolia
CIOs who managed or are currently managing an IT operation have most likely come across situations where they or a member of their team discovered a "rogue" system or application operating outside the department's jurisdiction. In the years before cloud technology became one of the IT norms, users may have decided they needed access to an application or other IT resource and, for whatever reason, were not satisfied with the response from IT. For some users, the IT response may have been considered "business as usual," but for the others, it became an incentive to go outside the IT department and set up their own offerings.
This is an example of shadow IT, which still occurs today in increasing degrees, especially with the advent of easily accessible cloud-based services. It's considered a major risk to an organization's operations and therefore, managing shadow IT must be included in overall risk management activities today.
The impact of shadow IT
Considering how complex IT has become, particularly in the age of the internet, the ability to know about and effectively manage IT resources -- both internal and external -- has become increasingly important. Here, we examine situations to be aware of regarding shadow IT and offer guidance to ensure that CIOs can identify and mitigate rogue activities.
The primary goal for most CIOs is a smooth-running IT organization that is compliant, secure and risk-free. On the issue of security, they pay attention to any situation that threatens the confidentiality, integrity and availability of information. Non-approved installation of systems, whether on site or via cloud technology, presents possible unauthorized access to internal systems. From a risk management perspective, shadow IT presents unique challenges to CIOs and their cybersecurity and operations teams and should be a key element in those activities.
The growth of cloud-based systems using software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS) represents significant opportunities for shadow IT activities. This is in addition to off-the-shelf hardware and software applications that have been the traditional sources for shadow IT users. So long as an internet connection is available, shadow IT users can access just about any cloud-based resource with minimal difficulty.
Risks from shadow IT activity
It's challenging enough to effectively monitor and manage a large and diverse IT infrastructure with all its inherent risks and vulnerabilities. For example, the following can occur from the use of shadow IT:
- introduction of vulnerabilities that could result in data loss and other threats to data management and data integrity;
- introduction of malignant code to internal networks;
- unauthorized access to data that could prevent data administrators from doing their jobs;
- unauthorized changes to data that should otherwise be prevented;
- inability to properly patch applications that may have errors or other problems;
- potential compliance issues especially for regulated organizations that may be subject to fines and litigation;
- potential negative consequences to the business by using systems that are not checked and validated by the IT department; and
- cybersecurity risks that could facilitate remote access by hackers and other cyber criminals.
Benefits of shadow IT
The most common reason for using and managing shadow IT systems and technology is to obtain and use tools that are better suited to users with unique requirements than those provided by IT. Naturally, users should first ask the IT department if it can assist with the user's requirements. And ideally, IT departments should leverage the software development life cycle (SDLC) to provide a recognized structure for identifying, developing and deploying a suitable option. This can often require a lot of time to address all steps in the SDLC. For whatever reasons, users may be aware of how IT operates when providing business offerings and decide to go around IT and obtain their own, if for no other reason than wanting to get things rolling quickly. On a positive note, rogue systems may provide greater benefits to the company than tools available from IT, and the company could even realize a positive result such as gaining a competitive advantage.
14 tips for managing shadow IT activities
Before you can manage and control shadow IT implementations, it's necessary to identify them. The following are 14 tips for effectively managing shadow IT.
- Regularly run network sniffing programs to detect IP addresses that are not in the known list of IP addresses.
- Maintain an up-to-date inventory of all resources within the IT infrastructure and update it regularly using network inventory technology or other relevant applications.
- Ensure that members of a CIO's senior leadership team keep an eye out for possible shadow installations; include this as a periodic agenda item at staff meetings.
- Review network firewall activity -- both inbound and outbound -- to identify any suspicious traffic for further analysis.
- Review activity on intrusion detection and intrusion prevention systems (IDS/IPS) to identify anomalies for further analysis.
- Send out periodic messages to employees advising of possible shadow IT activities and to report any suspicious activity to IT management.
- Brief senior management on any suspicious IT activity and the measures being taken to remediate it -- ensure they support initiatives to mitigate shadow IT.
- Check with cloud service organizations currently under contract to advise them of any concerns about unauthorized IT and to advise if they become aware of any suspicious activity.
- Determine the shadow IT analysis capabilities of cloud-based and other managed service providers.
- Establish policy and protocols for dealing with shadow IT activities and review them with HR and legal departments.
- Establish penalties for employees identified as conducting shadow IT activities; coordinate this with Human Resources.
- If a BYOD (bring your own device) policy exists, consider updating it to address shadow IT activities.
- In advance of an IT audit, be prepared for potential questions from auditors on the existence of shadow IT activities, as they present potential security risks and access control issues.
- Examine shadow IT detection tools that may be available from cloud access security brokers (CASB).