• United States




The security and risk management of shadow IT

Aug 24, 20155 mins
Data and Information SecurityNetwork SecuritySecurity

The devil you know is better than the devil you don't know

shadow it
Credit: Thinkstock

Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, “Are we surrendering the cyberwar?” Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address.

In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT.

According to Techopedia, the term “shadow IT” “is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization.” The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department’s  perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT  is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director.

According to a recent study by Cisco, surveyed CIOs reported that, on average, there are 51 cloud services running in their organizations. Cisco determined however, based on data analysis, that the number is closer to 730. They found that those services typically fell into the software-as-a-service and infrastructure-as-a-service categories. The reasons for this could fill a small book, but the fact is they are out there, and must be considered from the perspective of security controls.

I am a fan of the old saying “ignorance is bliss,” but it certainly does not apply in the case of shadow IT. Ultimately, IT is responsible for the technology within the organization, even that which it doesn’t know about. That may seem unfair, but it is reality. If there is a security breach or audit failure, the IT head will be summoned to the CEO’s office, regardless of the source.

The challenge for corporate IT, therefore, is to find and secure such applications. I perceive that many IT heads are reluctant to apply the necessary controls, because they want to avoid the conflict, especially when faced with the fact that they don’t have the resources to handle all of the requests that such controls would generate. I would suggest, however, that the risks posed by such systems are far greater than the probable backlash resulting from their control. Perhaps it is just me, but I would rather be fired for doing my job than to work in a conflict-free company, just waiting for that call from the CEO.

If you have read this far looking for a solution to the problem of shadow IT risk, you may be somewhat disappointed. I don’t have the solution. I do, however, have some practical suggestions to help:

Monitor outbound traffic

One of the best ways to know what is going on within your network is to monitor outbound traffic. Firewalls are used most often to control inbound traffic, with inbound data often being ignored. If you set your firewall to keep a detailed outbound log and look at where the traffic is going, you will quickly be able to identify some of the applications you did not know about. If for example, Box is not an authorized corporate application, and the log shows traffic to that site, you may have a problem. With a little detective work, you will be able to identify the guilty users. A brief chat with the these folks can produce positive results.

Control outbound traffic

In my opinion, the control of outbound traffic is one of the most valuable and overlooked approaches to security management. I contend that it is just as important to control outbound traffic as it is to control the traffic that is coming in. I was reminded of the importance of outbound control a few weeks ago, when I discovered a malware infection in a customer network by looking at the outbound traffic I had blocked on the firewall.

Admittedly, outbound control is a challenge, given that so many of the popular Web applications require only the basic Web ports to function. A Google search will often provide a means of doing this for popular applications, this article on blocking Dropbox being a good example.

As I said, blocking traffic will bring some user backlash, but it will at least prompt a discussion that will allow IT to have input into the risk management aspects of these applications.

Firewall Thinkstock

User awareness

All of us in corporate IT have had to deal with the user who knows the risks and is willing to ignore them. There are others, however, who simply don’t understand the exposures. The issue of shadow IT should be a part of any security awareness program.

Enlist executive help

It has been my experience that a corporate executive who fully understands the risks of shadow IT will, in most cases, be willing to help with its control. A corporate edict from the CEO with a comment about sanctions will go a long way toward controlling the problem. You may just leave the meeting with a commitment to additional resources as a bonus.

Bottom line: Work to control the issue of shadow IT before it controls the fate of your job.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIT and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author