Ensuring Your Information Security Program Addresses Your Shadow IT Problem
A specter is haunting your business—the specter of shadow IT. It’s circumventing your security policies, compromising your data sovereignty, and costing you money. It lurks on your networks, on your employees’ computers and devices, on your servers, and in the cloud. Ever-present and always out of sight…or, at least, that’s how it sounds.
The reality is that, despite the name, shadow IT isn’t some dark, malicious force bent on destroying your security and data sovereignty. For the most part, shadow IT isn’t a conscious effort at all. It’s neither premeditated nor hidden. On the contrary, shadow IT usually results from a decision made on impulse, and it’s often brazenly apparent to anyone who’s paying attention.
So, What Is Shadow IT?
According to Gartner, Inc.’s IT Glossary, shadow IT refers to “IT devices, software and services outside the ownership or control of IT organizations.” To put it simply, shadow IT is what happens when employees use an application or service—usually cloud-based SaaS or IaaS—without the blessing or oversight of IT or their organization as a whole.
Shadow IT usually occurs when employees or business units want to leverage the power of cloud services to increase productivity and reduce costs. Sounds pretty good, right?
Here’s the problem: Your employees are doing this without the knowledge or consent of your IT department. And your IT team can’t properly vet what it doesn’t know about, so that extra productivity could come at the cost of security.
A Note on the Inevitable
Cloud-based business apps are cheap and plentiful and can take just hours to acquire and implement. In comparison, the time it takes IT to properly vet and roll out solutions can seem like eons. To your increasingly tech-savvy employees and business units, this makes IT a bottleneck for both innovation and productivity. Employees see something they want, something that can help them do their job better, and they don’t want to wait to get it. Inevitably, impatience wins, and the bottleneck is bypassed.
Most CIOs are aware of shadow IT issues, but the problem is much more prevalent than most are willing to admit. According to a 2015 report, the number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted. Another report estimates that 40 percent of all IT spending at a company occurs outside of the IT department.
These shadow IT purchases create tremendous downstream issues for any organization. The primary issue is diminished security—when business units make IT purchases, they’re making a decision based on functionality and productivity and generally won’t consider security or compliance concerns. So, they end up setting up shadow IT that exposes your company and data to risks—exactly what your IT department’s policies, regulations, and stringent software-evaluation process sought to avoid.
To hackers, shadow IT is the soft underbelly of your corporate security. Rather than deal with your network defenses to gain access, hackers simply need to get into the Google Docs account of a careless employee. Gartner predicts that by 2020, a third of successful attacks on enterprises will be on shadow IT resources.
But while the issues are obvious, you can’t just send down a decree and stop shadow IT. That ship has sailed, and, in a sense, you’d be punishing your employees for wanting to do their jobs well. So what’s the best way to address the situation?
Bring Shadow IT into the Light with Identity and Access Management (IAM)
A powerful IAM solution will let you tackle shadow IT at the root of the problem: the IT bottleneck.
Business units are using shadow IT to solve real problems, so rather than block them, let your IT team be a business partner and an asset, not a hindrance. Identify the apps your employees are using and enable them to use those apps securely.
With an IAM solution, you can give your IT team the tools needed to implement and enforce clear policies regarding the onboarding and use of new technologies. You may encounter some resistance when first enforcing these policies, but as you institutionalize them, you can make the benefits clear to your employees.
These benefits include a better user experience, as your employees can leverage single sign-on to use one set of credentials to access virtually all of their resources. Likewise, self-service password management tools will not only ensure that your defined password policies apply to all apps, but they’ll make your employees’ lives easier when they inevitably forget a password.
Multi-factor authentication capabilities will also let you bolster the security of SaaS apps, whether by requiring step-up authentication based on contextual elements, such as location or time of day, or through one-time passwords delivered via SMS or generated by Google Authenticator.
Eventually, with the right policies in place, your IAM solutions will be able to streamline the onboarding process as well. While it may have once taken weeks or even months to add an app, you will be able to quickly and efficiently onboard in hours, so long as the app supports SAML or another compatible standard.
The truth is that you can’t exorcise the “specter” of shadow IT from your network. It’s a product of the modern workplace, and it’s here to stay. But by implementing a modern IAM platform, you can bring shadow IT into the light and make life easier for all concerned.