Shadow IT is undermining your security

A new study from McAfee illustrates the ways shadow IT–employees going rogue and using unauthorized devices or apps–is affecting security


Once upon a time, not so long ago, the IT admin chose exactly what hardware and software would be used by employees. Recent trends like the consumerization of IT and BYOD (bring your own device) have shifted the balance of power, but IT still has to maintain some degree of control over the applications used and where sensitive data is stored. Many users just download apps or start using unsanctioned services, though, and introduce unnceccesary security risks through "shadow IT."

McAfee sponsored a study by Frost & Sullivan to investigate the scope and impact of shadow IT–specifically SaaS (software-as-a-service) applications being used by employees without the knowledge or consent of IT–or sometimes in direct contradiction to established IT policies. The study focuses specifically on apps that are used for work functions—not games or personal services.

That distinction is important, because it gets to the crux of the issue. Sure, employees will spend time updating Facebook, shopping on Amazon, or killing time with Angry Birds. Those are all activities that should be governed by IT policies, and monitored in some way by the IT admin. However, when an employee identifies a legitimate need that isn't being met by the approved applications and services, and goes rogue to find his or her own solution, it's in the organization's best interests to try and understand why, and figure out how to meet the need rather than just blocking access or banning the service.

[SaaS vendors, customers finding new ways to secure the cloud]

Shadow IT adds risk and potentially exposes the network or company data to compromise. The worst part is that the IT admin is not even aware that the shadow IT apps are being used, or which ones are being used and by whom, so it's impossible to effectively mitigate the risk and protect the network.

The Frost & Sullivan study found that 80 percent of the respondents admit to using non-approved SaaS applications to get their jobs done. That's four out of five employees using apps the IT admin is not even aware of. Based on feedback from the respondents, it seems that a third or more of the apps that are used are actually acquired and used without the consent or oversight of IT.

These aren't malicious attempts to circumvent policy or subvert the authority of the IT admin. In most cases, users are simply trying to get their jobs done in the most effective and efficient way they can. If they identify a need and find a SaaS tool that helps them get the job done, they just do what they have to do to fill the need.

The shadow IT problem is exacerbated by the fact that there is a blurry line and a lot of confusion over "ownership" now that most users mix business and personal apps and data on their devices, and in many cases the employee owns the laptop, tablet, or smartphone in question. Without a clear understanding, and a clearly-defined policy governing adoption of SaaS apps, users may not even realize they're doing anything "wrong."

There are a few things that organizations can do to minimize shadow IT and address the risks associated with rogue SaaS apps. First, establish a SaaS policy and make sure users are educated and understand what is acceptable and what is not.

Second, monitor network and Web traffic to identify rogue SaaS apps, and find out who is using them. Make sure the apps being used don't expose the network to undue risk, and mitigate any existing security concerns.

Third, work with the users to understand the root of the problem. Find out what the rogue SaaS app does that helps the employees get their jobs done, and how or why those functions aren't addressed by the approved apps. If the shadow IT tool is too big a security risk, work with users to find a suitable replacement that both meets the need to get the job done, and complies with company IT and security policies at the same time.

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)