The security and risk management of shadow IT

The devil you know is better than the devil you don't know

shadow it

Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, "Are we surrendering the cyberwar?" Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address.

In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT.

According to Techopedia, the term "shadow IT" "is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization." The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department's  perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT  is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director.

According to a recent study by Cisco, surveyed CIOs reported that, on average, there are 51 cloud services running in their organizations. Cisco determined however, based on data analysis, that the number is closer to 730. They found that those services typically fell into the software-as-a-service and infrastructure-as-a-service categories. The reasons for this could fill a small book, but the fact is they are out there, and must be considered from the perspective of security controls.

I am a fan of the old saying "ignorance is bliss," but it certainly does not apply in the case of shadow IT. Ultimately, IT is responsible for the technology within the organization, even that which it doesn't know about. That may seem unfair, but it is reality. If there is a security breach or audit failure, the IT head will be summoned to the CEO's office, regardless of the source.

The challenge for corporate IT, therefore, is to find and secure such applications. I perceive that many IT heads are reluctant to apply the necessary controls, because they want to avoid the conflict, especially when faced with the fact that they don't have the resources to handle all of the requests that such controls would generate. I would suggest, however, that the risks posed by such systems are far greater than the probable backlash resulting from their control. Perhaps it is just me, but I would rather be fired for doing my job than to work in a conflict-free company, just waiting for that call from the CEO.

If you have read this far looking for a solution to the problem of shadow IT risk, you may be somewhat disappointed. I don't have the solution. I do, however, have some practical suggestions to help:

Monitor outbound traffic

One of the best ways to know what is going on within your network is to monitor outbound traffic. Firewalls are used most often to control inbound traffic, with inbound data often being ignored. If you set your firewall to keep a detailed outbound log and look at where the traffic is going, you will quickly be able to identify some of the applications you did not know about. If for example, Box is not an authorized corporate application, and the log shows traffic to that site, you may have a problem. With a little detective work, you will be able to identify the guilty users. A brief chat with the these folks can produce positive results.

Control outbound traffic

In my opinion, the control of outbound traffic is one of the most valuable and overlooked approaches to security management. I contend that it is just as important to control outbound traffic as it is to control the traffic that is coming in. I was reminded of the importance of outbound control a few weeks ago, when I discovered a malware infection in a customer network by looking at the outbound traffic I had blocked on the firewall.

Admittedly, outbound control is a challenge, given that so many of the popular Web applications require only the basic Web ports to function. A Google search will often provide a means of doing this for popular applications, this article on blocking Dropbox being a good example.

As I said, blocking traffic will bring some user backlash, but it will at least prompt a discussion that will allow IT to have input into the risk management aspects of these applications.

Firewall Thinkstock

User awareness

All of us in corporate IT have had to deal with the user who knows the risks and is willing to ignore them. There are others, however, who simply don't understand the exposures. The issue of shadow IT should be a part of any security awareness program.

Enlist executive help

It has been my experience that a corporate executive who fully understands the risks of shadow IT will, in most cases, be willing to help with its control. A corporate edict from the CEO with a comment about sanctions will go a long way toward controlling the problem. You may just leave the meeting with a commitment to additional resources as a bonus.

Bottom line: Work to control the issue of shadow IT before it controls the fate of your job.

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)