How to Address Shadow IT in Higher Ed



Does your university have a shadow IT problem? The answer is most likely yes. Higher education institutions across the country are struggling with shadow IT challenges resulting from devices, services, and software residing outside of IT’s control and/or ownership.

Not only does shadow IT cause serious security issues for colleges and universities, but it can also lead to regulatory compliance issues and major headaches for your IT department.

Why Is Shadow IT Such a Problem at Universities and Colleges?

Shadow IT runs rampant within the field of higher education. Why?

It has to do with the culture prevalent at colleges and universities. In academia, you must have open learning environments in order to pursue ideas. Professors and administrators emphasize the importance of open networks that encourage the exchange of ideas. They prioritize usability and the ability to collaborate, and any constraints are seen as an obstacle.

Many legacy and commercial enterprise IAM systems just aren’t up to the task of  addressing higher ed’s unique identity challenges. Learn more »

The cloud doesn’t help matters. Digital services available through the cloud (such as email and applications) fill needs quickly and cheaply, making them attractive to non-IT departments at schools.

Moreover, there are many devices connected to networks at universities and colleges. Users download apps of questionable origin on a daily basis in order to help users become more productive.

Why Is Shadow IT a Threat?

There are three main problems shadow IT causes: security threats, compliance issues, and complications for the IT department.

Let’s address the security threats first. Shadow IT opens a path into your school’s network. An enterprising hacker can easily access that path, wreaking havoc. Shadow IT simply can’t be secured in the same way that supported, authorized apps are protected, because shadow IT is outside of IT’s control.

The IT department might not even know that shadow IT resources are in use. That’s quite problematic—Gartner predicts that by 2020, a third of all successful attacks on organizations will be on their shadow IT resources.

Another problem shadow IT creates is compliance issues. Colleges and universities must comply with a number of legal requirements in order to receive funding, research contracts, and access to government data. However, shadow IT resources typically don’t meet regulatory requirements because they don’t have proper security measures in place.

We’ll illustrate with an example of what could happen when shadow IT isn’t controlled: Let’s say a professor creates a database that’s outside of the school’s IT infrastructure. If that IT database doesn’t meet data regulation standards, the school could end up in legal jeopardy.

A third issue that shadow IT presents for schools is complications for IT departments. Even though shadow IT resources are outside of the IT department’s control, the IT team is still called in when they don’t work. This hassle is only exacerbated by the fact that shadow IT resources don’t follow application protocols and eat up network bandwidth. And many times, shadow IT resources are duplicates of applications or software already in place at the school.

When the IT department must clean up the mess that shadow IT leaves behind, it ultimately costs the school more money, because the IT department isn’t allocating its resources efficiently.

How Can Schools Tame Their Shadow IT Problem?

Here are three steps to bring shadow IT under control:.

The first step involves creating and enforcing strong policies. Executive Vice President, COO, and CIO of Missouri’s Drury University, David Hinson says, “Strong governance can prevent a lot of this. Policies can say things like: You shall not do this with student data.” Penn State’s CISO, Donald Welch, adds that enforcement of those policies needs to come from faculty and staff. “Authority might get you 20 percent of the way, but really you have to lead people because they want to follow,” he comments. “You have to build trust; you have to influence them to understand why this is in their best interest.”

Your next step is to encourage faculty and staff to view IT as a partner, rather than an obstacle. IT teams have to keep communication pathways open—meet with faculty and other staff members to discuss the feasibility and security issues of using SaaS applications to ensure that neither safety nor efficiency are compromised.

The third step is choosing a modern Identity and Access Management (IAM) system. You see, the right IAM solution enables the first two steps. Here’s how:

First, modern IAM solutions let your IT team be a partner and an asset, not a hindrance, because they allow you to identify the apps that your faculty, staff, and students are using and quickly and securely bring them under IT control.

Unlike legacy IAM systems, which simply do not offer an easy path for adding new applications, let alone cloud-based services served by third parties, modern IAM solutions make it easy to add new apps. Integration takes place in a matter of hours, not weeks. These solutions offer pre-built connectors to most major cloud applications, and some also come with connector platforms to streamline the creation of new connectors, so there’s no need for custom coding or costly consultants.

Modern IAM solutions also give your IT team the tools needed to implement and enforce clear policies regarding the onboarding and use of new technologies. They also keep your school more secure—today’s IAM solutions offer multi-factor authentication, which makes SaaS applications more secure.

The user experience won’t suffer, either. Modern IAM solutions offer single sign-on, which allows for one-click access to applications. This streamlined, more convenient experience drives user adoption of university-sanctioned applications.

Identity Automation can help you find the right IAM solution for you. To learn more, contact us.

Higher Education Identity Access Management


Subscribe Here!