4 ways to shine a light on shadow IT
- By Joel Dolisy
- Aug 21, 2015
At some point we have set something up without the knowledge of our IT department. Maybe it was using Dropbox to share a large file or setting up our own wireless router. Or maybe we went all in: signing up for a new software-as-a-service marketing product, or using a personal email server for agency communication.
Each of these examples is part of what’s become known as shadow IT – the practice of employees using tools and solutions that are not purchased or supported by their agencies' official IT department. It’s a creeping trend within agency walls and virtual clouds. After all, if the application makes your job easier and more efficient, why shouldn’t you implement it?
It’s also a growing challenge. In a recent survey of 200 federal IT professionals conducted by SolarWinds and Market Connections, more than half of the respondents said they believed shadow IT will increase in the next two years – and that it will open their networks to potential threats.
Clearly, shadow IT must be managed -- but according to the survey, administrators are divided on how to do so. Roughly 25 percent of survey respondents want to eliminate shadow IT entirely; 23 percent believe that workers implementing shadow IT in workplaces is inevitable; and the remaining 52 percent are somewhere in the middle. What is telling is that only 13 percent of respondents reported feeling "very confident" in their abilities to protect against the negative consequences of shadow IT.
With this in mind, here are a few steps to help build up that confidence level:
Track all devices attached to the network. As an IT manager, it's your network. You know which devices can connect to it and which cannot. Develop a watch list of unapproved or suspicious devices. Think about setting up automatic scans for such devices to bring your own internal alert system up a notch. Both IP address management and user device tracking software can help you figure out who and what are infiltrating your network and possibly affecting its security.
Monitor networks and log files for unexpected ports and protocols. Nearly all of the IT pros who reported having little to no shadow IT in their organizations have implemented automated network monitoring tools that provide a single-pane-of-glass view into their networks, systems, applications and security. Security information and event management software and monitoring tools can show system anomalies, track bandwidth usage and log files, and look for patterns – all of which can indicate shadow IT and potential security issues.
Implement policies and procedures for using non-sanctioned IT solutions. Make sure that your employees are aware of the options available to them through your department – if they don't know about existing devices and solutions, they certainly can't be expected to use them. And once you educate employees about the options available, provide documentation about creating and using unsanctioned solutions. Remind employees that you are a partner in problem-solving, not just a network cop intent on policing unsanctioned solutions. You can only help when they let you know what their IT needs are.
Block access to shadow IT conduits. Hosted services for sharing corporate information, email platforms and apps installed on company devices are all potential security risks. You might not win any popularity contests for locking down access to these applications and services, but if combating shadow IT is your top priority, so be it.
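As an added illustration of the first two steps (this is example code written for this rewrite, not part of the original article or any SolarWinds product), the sketch below checks DHCP leases against an approved-device watch list and flags flows to ports outside an allowed set. The log format, MAC addresses, IP addresses and port policy are all constructed assumptions.

```python
import re

# Assumed inventory and port policy, constructed for this example.
APPROVED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
ALLOWED_PORTS = {("tcp", 443), ("tcp", 80), ("udp", 53)}

# Constructed log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2015-08-21T09:00:01 dhcp lease mac=00:1A:2B:3C:4D:5E ip=10.0.0.11
2015-08-21T09:00:07 dhcp lease mac=AC:DE:48:00:11:22 ip=10.0.0.57
2015-08-21T09:01:12 flow src=10.0.0.11 dst=192.0.2.10 proto=tcp dport=443
2015-08-21T09:01:40 flow src=10.0.0.57 dst=198.51.100.7 proto=tcp dport=6881
2015-08-21T09:02:03 flow src=10.0.0.11 dst=203.0.113.5 proto=udp dport=53
2015-08-21T09:02:30 flow src=10.0.0.11 dst=198.51.100.9 proto=tcp dport=25
2015-08-21T09:02:31 flow src=10.0.0.11 proto=tcp dport=n/a
"""

KV = re.compile(r"(\w+)=(\S+)")

def audit(log_text, approved_macs=APPROVED_MACS, allowed_ports=ALLOWED_PORTS):
    """Return (unknown_devices, unexpected_flows, skipped_line_count)."""
    approved = {m.lower() for m in approved_macs}
    ip_to_mac = {}         # latest lease seen for each IP
    unknown_devices = {}   # mac -> ip at first sighting
    unexpected = {}        # (src ip, mac or None) -> {(proto, port)}
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(KV.findall(line))
        kind = parts[1] if len(parts) > 1 else ""
        try:
            if kind == "dhcp":
                mac, ip = fields["mac"].lower(), fields["ip"]
                ip_to_mac[ip] = mac
                if mac not in approved:
                    unknown_devices.setdefault(mac, ip)
            elif kind == "flow":
                key = (fields["proto"].lower(), int(fields["dport"]))
                if key not in allowed_ports:
                    src = fields["src"]
                    unexpected.setdefault((src, ip_to_mac.get(src)), set()).add(key)
            else:
                skipped += 1
        except (KeyError, ValueError):
            skipped += 1   # malformed record: count it, do not guess
    return unknown_devices, unexpected, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Note that an approved device can still generate unexpected traffic, which is why the two checks are reported separately rather than merged into one list.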
Finally, the best way to combat security breaches as a result of shadow IT is to combine all four of the strategies listed above. Seventy-seven percent of respondents who use multiple management, monitoring and security tools indicate having "little to no shadow IT in their organizations." When shining a light on the shadows, it's best to follow the lead of those who are having the most success.
Joel Dolisy is the CIO at SolarWinds.