How to prevent shadow IT

Security execs chime in on how to keep users from taking IT into their own hands.


Stopping the armchair IT folks

What do complex IT policies, outdated software and lack of IT-supported services have in common? They all contribute to shadow IT, which occurs when employees circumvent procedures to use unapproved services and software. The last thing employees want to do when working on a project is check in with the IT department, so how can IT provide employees with necessary resources so shadow IT is no longer an issue? These InfoSec professionals share their suggestions for preventing shadow IT before it becomes the new normal. 


Enable business owners

Jeff Schilling, CSO, Armor: Follow the money - Set up accounting procedures that require all IT technology and service acquisitions to be approved by the CIO or his/her designated manager.

Don’t be the Enemy - Partner with your business owners to plan their IT technology and service requirements so that you are their preferred provider.

Don’t try to defy the law of gravity - If gravity is pulling your business owners to the public cloud because it is more agile and able to meet their needs, figure out how you can enable the business owner to “do it right” vs. “do it themselves.”


Encourage an open door policy

Morey Haber, VP of Technology, BeyondTrust: For any business, the following IT policy adoptions can help manage shadow IT proliferation:

  • Acknowledge shadow IT is present and provide a grace period for the deployments to be placed under IT management with no repercussions. IT and security staff may be in the field who can contribute positively to the organization if properly empowered.
  • Support an open door IT policy for new projects, advice and help provide prompt guidance for design and deployment of new projects. Shadow IT occurs because of the roadblocks with traditional IT. If an open door policy is adopted for all aspects, the barriers are removed.

Prioritize end-user experience

Kurt Roemer, Chief Security Strategist, Citrix: To prevent shadow IT, businesses need to focus on the end user experience. The reason people go around company policies is because the apps and solutions they’re being asked to use are too difficult to use or too time consuming. If the employee’s experience is seamless and secure, they’ll have no need to go around IT to find solutions that help them be more productive. Here are a few best practices to live by to prevent shadow IT: 

  • Whenever shadow IT is better than dealing with the IT department and their crazy rules, IT will lose customers.
  • When IT adopts a customer-first attitude and serves as a trusted adviser to their customers, both sides win.
  • IT-provided services must be just as good or better than what their customers can obtain on their own from consumer-grade services.
  • Single sign-on to all applications (especially web and cloud apps) is a secret weapon to winning back customers, as it makes their lives much easier.
  • Required policies must be automated and contextual to the specific situation that customers are facing to best protect sensitive data.

Notice the lack of the word “users”. That’s deliberate and also indicative of a mindset that will restore IT value and reduce shadow IT.


Give users what they want with a cloud broker

Travis Greene, Identity Solutions Strategist at Micro Focus: End users turn to shadow IT for a myriad of reasons:

  • Because IT doesn’t offer a service (such as file sharing)
  • Because the IT standard is too difficult to use or doesn’t meet their needs (such as the adoption of CRM in the cloud)
  • To avoid IT policies

If users are going around IT to acquire a service, either because it isn’t offered or doesn’t meet their needs, then IT needs to seriously consider either adding it, or enabling access through a cloud broker. Cloud broker software provides single sign-on to SaaS apps, enforces access request and approval policies, provisions access automatically for user convenience, and revokes access when a user changes roles or an access certification indicates a need to revoke the access.


Focus on behavior instead of applications

Wade Williamson, Director of Threat Analytics, Vectra Networks: Shadow IT is often framed as an application control problem. But hoping to find and manage every new possible application, including the ones your own IT guys build, is a losing game of herding cats. Instead of chasing the applications, organizations need to get better at recognizing the underlying behavior they all share in common. Does it really matter whether your employee is replicating your data to a rogue Dropbox account, his personal Google Drive, or an unsecured server he spun up in AWS? The behavior and impact is the same. Focus on the behavior and suddenly a very expansive problem becomes manageable.
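As an added example (not from the article or from Vectra), the behavior-first approach above can be expressed as a detection over web-proxy logs: instead of matching application names, it sums bytes uploaded per user to any destination outside a sanctioned set, so a consumer file-sharing service, a personal drive and a self-hosted server are all caught by the same rule. The log format, the sanctioned host and the threshold are assumptions.

```python
"""Behavior-based shadow-IT detection over web-proxy logs.

Added example, not the article's or any quoted vendor's code. Flags users whose
outbound upload volume to unsanctioned destinations crosses a threshold,
regardless of which service receives the data."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy lines (assumed format): timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-01-01T09:00:01Z alice POST https://content.dropboxapi.com/2/files/upload 52428800
2024-01-01T09:05:12Z alice POST https://www.googleapis.com/upload/drive/v3/files 31457280
2024-01-01T09:07:40Z bob   PUT  https://203.0.113.10/backup/db.tar.gz 734003200
2024-01-01T09:10:05Z carol POST https://corp.sharepoint.example/upload 104857600
2024-01-01T09:12:33Z dave  GET  https://content.dropboxapi.com/2/files/download 512
"""

SANCTIONED_HOSTS = {"corp.sharepoint.example"}  # assumed IT-approved storage
UPLOAD_METHODS = {"POST", "PUT"}                 # methods that carry a request body
THRESHOLD_BYTES = 50 * 1024 * 1024               # assumed 50 MiB per user per log window


def parse_line(line):
    """Split one whitespace-separated proxy record into its fields."""
    ts, user, method, url, sent = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlparse(url).hostname, "bytes": int(sent)}


def unsanctioned_uploads(log_text):
    """Sum bytes uploaded per user to any host not on the sanctioned list.

    The destination is deliberately ignored beyond the allow-list check: a
    Dropbox API host, a Google upload endpoint and a bare IP address all count.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["method"] in UPLOAD_METHODS and rec["host"] not in SANCTIONED_HOSTS:
            totals[rec["user"]] += rec["bytes"]
    return dict(totals)


def flag_users(log_text, threshold=THRESHOLD_BYTES):
    """Return users whose unsanctioned upload volume meets the threshold."""
    return sorted(u for u, b in unsanctioned_uploads(log_text).items() if b >= threshold)


if __name__ == "__main__":
    for user, total in unsanctioned_uploads(SAMPLE_LOG).items():
        print(f"{user}: {total} bytes to unsanctioned hosts")
    print("flagged:", flag_users(SAMPLE_LOG))
```

On the constructed sample, alice (two smaller uploads to two different services) and bob (one large upload to a bare IP) are both flagged, while carol's upload to the sanctioned host and dave's download are not.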


Learn how apps are being used

Chris Morosco, Director, Data Center & Cloud Strategy, Palo Alto Networks: The pervasiveness of shadow IT is a result of the tremendous value these SaaS applications are providing to end users. Because of data exposure and threat insertion risks, these users can’t run unchecked. A sledgehammer approach of simply blocking applications is not the right approach. Disrupting business critical applications while blocking risky applications will have significant business impact since users have become accustomed to using these applications to do their daily jobs. To properly control SaaS application usage and limit shadow IT’s impact, you need to have detailed visibility of the applications that are being used, how these applications are used, and which users use them. So detailed reporting of how users are currently using applications becomes the first critical step. With that detail you now have the ability to define granular policy control around critical business usage of SaaS, allowing you to block risky and unnecessary applications while controlling access and usage of ones that are business critical. Limiting a particular group to an app and only allowing them to download but not upload is a critical step. In the end it comes down to limiting access to prevent data exposure risk and threat insertion while not disrupting business.


Provide access to the latest and greatest

Frank Mong, Head of Network, Endpoint and Cloud Security Strategy, Palo Alto Networks: Shadow IT typically results from the inability of corporate IT to meet the needs of the users in a timely fashion or with the latest modern tool set. There is not a good way to block or stop shadow IT because there will always be the next great new shiny tool that ‘solves all problems’. IT should find a way to allow users access to the latest and greatest. A great example is cloud-based file sharing applications. Whether it is Box.net or Dropbox, there is a real need and use case where users need to share large files. Email just won’t work. In this case, IT allowing a corporate version of Box.net solves a big problem while having visibility and security policies apply in Box just as they would if it was hosted by the company. This example, along with cloud access security brokers or next generation firewall capabilities to identify, track and manage cloud-based applications, makes it easier for corporate IT to meet the needs of the users in a timely fashion and support the latest cool tools. If corporate IT could prove its nimbleness, while providing the security necessary, users would stop looking to shadow IT for answers.


Practice forgiveness

Mat Gangwer, Security Operations Leader, Rook Security: Ruling an IT organization with an iron fist will yield undesirable outcomes in most cases. If, through content monitoring or network filtering, you identify something unapproved being used, it's easy enough to shut it down through network protections. However, this practice usually makes employees try harder to circumvent the controls you have in place. It's important to have a service catalog readily available to your employees. This catalog outlines approved services for use. Being able to identify these services, and then discuss with the employee(s) why they are using them instead of one of the "approved services", can go a long way. In most cases, the lack of training or awareness leads to the rise of shadow IT in the first place.