Shadow IT - Defining the Standardization
Shadow IT is a term that shakes technology departments to the core. Cyber security teams view it as a curse that haunts their infrastructure daily. Finance departments dislike it, as they want to know which applications have been paid for on the various departments' ProCards (procurement cards). IT staff hate the term because it brings yet more software for their help desk to support.
The above are all real examples of Shadow IT. Simply put, it is the use of unmanaged applications and software in a corporation's environment. From an information security (InfoSec) standpoint, professionals always want a defined approach to Shadow IT. When a vulnerability is disclosed, cyber teams want to push patches to every affected application on the network as soon as possible, and that is only possible for applications they know about. A zero-day attack on an unmanaged application on a single user's workstation can open a can of worms for the whole corporation's IT infrastructure.
Most people believe that Shadow IT is a cyber security issue, and the problem is often handed over to the organization's cyber security team. However, other groups hold responsibility for tackling Shadow IT too. For example, finance teams want to keep track of all subscriptions, applications, and software that the company is paying for. Having a good inventory of IT assets helps an organization budget accordingly for the following fiscal year and find ways to save money. Furthermore, help desks like to keep a catalog of all applications within the organization. Having documentation on software allows for fast resolutions and gets the user back to work sooner.
Shadow IT's origins date back to the late 1980s. With the explosion of the personal computer and Microsoft Office, various departments started using Excel macros to make their jobs easier. When something broke, users often asked the IT team to fix the macros for them. Even worse, departments often asked the IT department to create these macros for them in the first place.
Little has changed since. The explosion of the internet and the open source market has only made Shadow IT more relevant. Organizations started using application whitelisting solutions to fix these issues. However, this was only a temporary fix, as cloud services became a reality for organizations to reap, and whitelisting locally installed software does nothing about a browser-based service. Now more than ever, Shadow IT has exploded to new heights in organizations, and the problems it brings can overwhelm any business.
As the above shows, Shadow IT touches almost every part of the organization. Because of its vast reach, companies often do not approach Shadow IT at all, citing constraints on resources, knowledge, and budget. Businesses that do try to tackle it will immediately start noticing the headaches: the moment they start restricting applications that should be off the network, the end users push back and provide grief. This constant tug of war between workers and the information security team is very common. The InfoSec team wants to keep vulnerabilities off the network, while the end user wants to use applications at will.
The starting stages of tackling Shadow IT are the most crucial to solving it. The first thing an organization needs to investigate on this journey is a Shadow IT policy or standard. This standard is the de facto basis for the organization's Shadow IT solution. It is very similar to the standard agreements that the whole organization has already accepted. Below is a list of eleven categories that should be kept in mind when writing this standard.
#1 - Default applications – Applications that the company designates for its end users to use. These are often applications the company has bought licensing for, applications created by internal development teams (and that have gone through proper assessment), or applications it has otherwise designated as approved. Each of these applications has a purpose, and users on the network shouldn't use other, similar software. Below is a comparison of Shadow IT applications if an organization utilizes the Office 365 suite:
This is bound to change based on the structure of the organization. Define the default applications, and make sure users are only using these. The same applies to security applications: as other professionals in the field have shown, running multiple antivirus products or firewalls on an end user's workstation can cause conflicts. Asking questions like this helps an organization build its default application chart.
#2 - User Agreements – Technical Service Agreements (TSAs) are a major asset in approaching a Shadow IT policy. If users have already agreed to certain terms and conditions for using a company workstation or network, that agreement provides a solid foundation for a Shadow IT policy.
#3 - Upper Management – Finalizing an action plan for Shadow IT and getting sign-off at the C-suite level is a major milestone for security and risk management teams. Identify which key stakeholders need to sign off for the standard to be effective.
#4 - Default Vendors – Another standard to keep in mind is the set of default vendors that the company does business with. For example, if a company prefers all users to be on HP workstations, the organization will be a lot more lenient on software and applications from HP. As a second example, if an organization uses Amazon Web Services for its cloud solution, it would follow suit and allow users to use Amazon's services.
#5 - Control – Control from a security perspective is valuable in many areas. Having visibility into a user's instance and files can help prevent malicious activity, insider threats, or user error. With the integration of single sign-on and API connections to identity platforms such as Azure Active Directory (AAD), security professionals can verify what users are actually using. Applications that fall within this scope may be better candidates for an organization to introduce and integrate.
#6 - External Parties and Contractors – One of the biggest parts of Shadow IT standardization is determining how to approach the third parties that do work for the organization. Contractors can be a huge win for an organization from a cost perspective. If a company has a task that only needs to be done for a limited time, bringing a third party on-site can be a viable option. However, contractors often bring their own workstations, applications, and websites that they may need to use. Understanding what third parties, vendors, and contractors need to use helps determine the future approach. Arguably, the best approach in the field is not to allow bring your own device (BYOD) and to stick to a corporate owned, personally enabled (COPE) model.
#7 - Compliance Standards – Knowing the compliance standards that apply to the respective organization is critical to approaching Shadow IT. For example, a hospital will be more interested in its user base using cloud storage software that keeps HIPAA requirements in mind. An eCommerce company will want applications to be PCI compliant. Verifying that software is compliant needs to be part of a Shadow IT standard or policy.
#8 - Risk Acceptances – Risk management teams often grant risk acceptances for items on the network. While not ideal, a documented risk acceptance is one way to permit an application in the environment: until a replacement solution is found, the application needs no action beyond documentation.
#9 - User Productivity – Again, the reason end users love Shadow IT is productivity. If an application poses no risk to the organization and increases the end user's productivity, should they really be forced onto a default application? The answer depends on the posture of the organization. Government agencies will only allow approved use cases, regardless of productivity. Other companies will be more lenient, depending on the situation. Determining the organization's posture on this question will be very beneficial to its Shadow IT standard.
#10 - User Backlash – User productivity is one thing to keep in mind, but backlash is another. Blocking an application that affects a user's productivity can create a lot of backlash, causing an email chain to go up to influential people in the organization. Verifying how many people are using an application and referencing the TSAs can be beneficial in approaching Shadow IT. More importantly, as stated above, upper management's sign-off is invaluable for handling Shadow IT and the backlash it might face.
#11 - Popular Websites – It has been proven that blocking websites and applications such as Facebook and Instagram causes unhappy users in a corporation's environment. While most users understand why these applications might be blocked, social media can be crucial to user happiness during breaks. With cell phones everywhere, the end user can most likely pull out their phone and use the website anyway. A sensible approach is not to block sites that most users would simply open on their phones instead. This would include websites such as Instagram, Reddit, Facebook, and other major social media sites. If a company has policies preventing users from bringing their cell phones on site, then this is irrelevant. A company's stance on social media is usually found in its Shadow IT standard.
In conclusion, defining a standard is crucial to approaching Shadow IT. While there are other areas that Shadow IT might affect or fall under, I believe the above areas are crucial components to keep in mind when tackling the elephant in the room. A successful Shadow IT standard will reap benefits such as reduced costs in the IT space, well-documented application support, and most importantly, security and compliance standardization across the whole network.