What is Shadow IT?

Since Shadow IT is any application used for business processes which hasn’t been approved by a centralized IT or information security department, it’s most likely that IT hasn’t developed it, isn’t aware of it and doesn’t support it. This is a problem because it increases the likelihood of unofficial data flow making it more difficult to comply with the following data compliance regulations.

• Sarbanes-Oxley Act
• Basel II
• GLBA (Gramm Leach Bliley Act)
• COBIT (Control Objectives for Information and Related Technology)
• FISMA (Federal Information Security Management Act of 2002)
• DFARS (Defense Federal Acquisition Regulation Supplement)
• GAAP (Generally Accepted Accounting Principles)
• HIPAA (Health Insurance Portability and Accountability Act)
• IFRS (International Financial Reporting Standards)
• ITIL (Information Technology Infrastructure Library)
• PCI DSS (Payment Card Industry Data Security Standard)
• TQM (Total Quality Management)
• GDPR (General Data Protection Regulation)

Advisory firm CEB estimates that 40% of IT spending at a company occurs outside the IT department. The rapid growth is usually driven by the quality of consumer applications in the cloud such as file sharing apps, social media, and collaboration tools. It’s also increasingly being driven by lines of business deploying enterprise-class SaaS applications. In many ways Shadow IT is helping to make businesses more agile and employees more productive, which is why it’s so prevalent. However IT and the Information Security team are still responsible for ensuring security and compliance of the business data employees upload to customer services.

IT and your Information Security team. While IT isn’t responsible for the physical infrastructure or managing the application, it is responsible for making sure corporate data stays secure when uploaded to the cloud. This puts IT in a difficult position. They might consider saying no to employees using cloud apps to do their jobs, even going as far as blocking access to cloud apps by using the company’s firewall or web proxy. We don’t recommend this. Unfortunately for every blocked app, employees can find other, lesser-known and potentially riskier services to use in place of it.

Check out our eBook Chronicles of Shadow IT on how to best manage this situation.

It’s important to note that feelings towards Shadow IT are mixed. Some IT managers might fear that if Shadow IT is allowed, end users will create data silos and prevent information from flowing freely throughout the organization.

In SoftwareONE our take is you can never grasp the true scope of Shadow IT in a given organization without properly inventorying its environment using scanning tools. However, you can put in place the following actions:

Users want to be productive and sometimes IT must offer more choice and be a “Business Enabler” instead of denying requests that are not part of the approved business applications.

Hence, to avert the Shadow IT risks, meet with users regularly and hear what they have to say regarding their concerns and technologies they believe can address their concerns. IT must encourage a proactive service culture to cut down on the use of Shadow IT and must understand the requirements from departments and users to improve productivity

It is fundamental to be in control at any point in time what technologies are being used and what data is processed. IT must maintain a pre-approved catalog of software that can be selected by the users to avoid waiting for software to be approved. By working collaboratively with users, IT can maintain this catalog with relevant software on a regular basis. The Information Security team must have an automated detection control in place to track and monitor software that are installed, which can be logged and investigated.

Compliance is a major concern within Shadow IT with regulations such as GDPR that require organizations to protect their customers’ data. IT must maintain stringent controls over data access to ensure data is secure and accurate. Managing access and monitoring privileged access is vital. Other aspects including backups, maintaining the latest versions, and addressing vulnerabilities are all critical in protecting data. When users install and use unapproved software, they should be made aware of security best practices and the severity of their actions.

All that being said, Shadow IT isn’t all bad - if managed effectively it could even be a source of innovation. New or younger employees might have preferred software they use that could be beneficial to the company. Rather than blocking out every bit of Shadow IT, the IT team should build a process for managing it through the continuous use of scanning tools and SoftwareONE’s managed services.

These are the top 6 entry points for Shadow IT creeping into your organization.

Users have a free range of cloud based apps they want to use to get their business needs resolved. The IT department rarely has any idea what’s being used, and what can lead to security and compliance issues. IT departments are beginning to realize that the problem isn’t when one user signs up for a single service here or there – it’s when a lot of people sign up for them.

As of 2019, 21% of all files in the cloud contain sensitive data and sharing sensitive data with an open, publicly accessible link by 23% over the past two years according to McAfee’s Cloud Adoption and Risk Report. The report also reveals that 5.5% of AWS S3 buckets have “world read” permissions making them open to the public. The average organization uses 1,935 unique cloud services, up 15% year-over-year. The report states that unfortunately, most think they only use 30.

In an on-premises environment, it might seem easy to block unwanted apps, but that doesn’t count as a complete solution. For example even macros that employees use in FileMaker Pro or Excel can expose a threat to an organization.

Also, think about mobile apps, since they’re even harder to control, especially if BYOD is an option for users.

Activities such as payroll, projects, backups and business planning taking place in the cloud has created a challenging security problem that most organizations struggle to solve: Shadow IT in the cloud. Even though the benefits are huge: cost savings, ease of setup, flexibility and mobility, the IT department rarely has a good idea of what is being used, and this can lead to security and compliance problems.

Just like with SaaS, users can decide themselves to start a cloud subscription, but the risk of vulnerability is much greater and the limited visibility makes it impossible for the IT department to support the user platform.

In an on-premises environment, it is easy to block unwanted apps, but that doesn’t count as a complete solution. What about macros that employees make with Filemaker Pro or Excel?

SoftwareONE’s specialists are well prepared to support customers in their endeavor to eliminate or at least reduce Shadow IT.

We are enabling IT organizations to prevent unauthorized installations and consumption with the right processes and policies as well as help them to detect offenses against it.

Setting up the right processes and governance to prevent Shadow IT always has a component of change management as a crucial part incorporated, since at the end of the day it is about changing employee behavior. Our consultants help you design processes to provide convenient software request experiences for customers. By evaluating your tool landscape and spend data, we are able to design procedures reducing lead-time significantly. With the right communication campaign in place, end users will use those standard processes at last, which ensures a guided discussion on what will be used and ultimately avoids Shadow IT.

Since no process and governance concept works 100% of the time, SoftwareONE enables customers to measure and discover what went wrong. By defining a strategy together with Security, SAM and IT Infrastructure organizations can better determine how Shadow IT impacts their software estate. Taking mobile Apps, on-premises, XaaS(Anything as a Service) and Data Center into consideration there will be no single solution, but rather a set of tools and processes to cover the full software environment. Lastly, once you’ve scanned your environment, we can support you to determine your risk and define mitigation strategies. Our experts will use different data sources to identify threats for your estate, no matter if it is compliance, GDPR or cyber security related.