Shadow IT has CIOs caught between a rock and a hard place, pushed to deliver the infrastructure the business needs to function whilst remaining nimble and innovative enough to stay ahead of competitors.
The truth about Shadow IT...
Shadow IT may sound a tad Hollywood but regardless of the size of your company, you will likely fall victim to it at some point. Maybe you already have, or are, right now. Shadow IT systems are introduced into the company via the back door; they are unauthorised and sometimes even unknown to central IT (Facebook probably being the most famous Shadow system, built on the Harvard network), so how would you know? In every corner of every industry you’ll find people using the cloud (this is often called the ‘consumerisation’ of IT). It now accounts for around 25% of IT spend and has picked up so fast because it allows people to get their jobs done more efficiently, speedily and flexibly than traditional computing solutions. In fact, total SaaS revenue is expected to reach nearly $100 billion in 2016, and Cisco last year reported that IT departments estimate their companies are using an average of 51 cloud services, though in reality the figure is more likely to be around 730. Perhaps more disturbing, however, was Cisco’s other discovery that most companies now use up to 15 times more cloud services to store critical company data than CIOs were aware of or had authorised.
While your business has ownership of or responsibility for some cloud apps, your employees are now more empowered than ever to deploy their own. Marketing departments are among the worst culprits, though they are not exclusively to blame. From a departmental point of view it’s not always a bad thing, as it fast-tracks project delivery. It’s easy to see how it happens: when staff need to access or share data quickly, they no longer need to rely on IT to provide the facility. Why would employees on a deadline want to go through the red tape of IT procurement, provisioning, testing and security, when they can find a solution themselves and be up and running in a matter of seconds?
There are many who consider Shadow IT to be an important source of innovation, and indeed such systems (again, Facebook) may turn out to be prototypes for future IT systems that do gain approval from the business. Empowering departments is great, and who could be opposed to encouraging employees to research (and maintain, to an extent) their own specialised software and hardware to help them do their job better? But most of the time, Shadow IT systems go behind the back of IT and come with a multitude of risks for your business. One thing is for sure: the days of having total control of your infrastructure are gone, and IT has lost the ability to properly protect its assets.
What’s really lurking in the dark...
Despite the fact that most clouds tend to have good security, organisations should not be ignoring the data access risks and threats posed by users and administrators. The truth is that, armed with just a credit card and a browser, anyone can purchase low-cost subscription licences and have a new application up and running in practically no time at all. Shadow IT system creators can import corporate data and integrate with other enterprise applications, all without the knowledge of the IT department. This can be achieved via a USB stick; via popular shadow apps such as Google Docs, Dropbox, instant messaging services like MSN, online VoIP software like Skype, greynet, content apps and utility tools; or via other less straightforward self-developed Access databases, Excel spreadsheets and macros.
Left unchecked, unsanctioned cloud services purchases hugely increase the risk of sensitive data breaches (whether accidental or malicious) and financial liabilities. “By its very nature, shadow IT exists to circumvent IT governance and security controls by employees believing they’re doing something beneficial for the company,” said Rick Orloff, vice president and chief security officer at Code42. “The painful truth is that shadow IT is one of the leading causes of insider data threats across any organisation.” Shadow IT solutions are often not in line with the organisation’s requirements for control, documentation, security, reliability or compliance. It’s just not possible to consistently manage and secure all of the cloud apps across your organisation, whether sanctioned or unsanctioned, or to enforce data security and compliance controls. So what happens when an employee’s personal Dropbox account, used to store sensitive corporate data, gets hacked? That’s sensitive customer data out there for all to see and use to their own ends, and in light of the looming GDPR and a tougher regulatory landscape in general, that’s you and your senior management team in very, very hot water. Liabilities can be huge due to a mix of costs that include notification penalties, auditing processes, loss of customer revenue, brand damage, security remediation and investment, and cyber insurance, to name a few. Lack of testing and change control should also be sending CIOs into a panic: when new Shadow applications or devices are set up within the corporate infrastructure without guidance from corporate IT, the change and release management processes are completely bypassed, which can complicate and have a disastrous effect upon other aspects of the infrastructure (even during something like a simple system upgrade).
Technologies that operate without the IT department’s knowledge can also negatively affect the user experience of other employees within the company, by affecting bandwidth and causing situations in which network or software application protocols conflict.
Shining a light on Shadow IT Systems...
And it’s not always easy to fix when something does inevitably go wrong because of a Shadow IT system: at Wallix, we’ve lost count of the number of times a company’s department has deployed or attempted to deploy its own solution without the consultation or blessing of the IT department, and we have witnessed the friction caused and deadlines missed because of the time-consuming and expensive fixes that then have to be scheduled in. Cloud services purchasing should empower a business with improved flexibility, innovation and growth of competitive advantage, but not at the expense of security.
Shadow IT is a quick and dirty process that departments use to get things done, and it’s not going to go away, so awareness is key. After all, it’s your bottom line. CIOs everywhere, take note: your peace of mind lies with PAM. PAM can be the first step in managing Shadow IT out of a business by making sure that critical systems are locked down. It does not offer visibility of Shadow systems, but what it crucially does do is maintain complete control of your existing systems, ensuring that shadow systems cannot infiltrate your infrastructure. Wallix’s WAB suite lets you control, oversee, monitor and record every action of every privileged user across your entire network, instantly alerting you to any suspicious or untoward behaviour. Security vulnerabilities are caused by weaknesses in the control and monitoring of privileged accounts that are made available to administrators, super users and external service providers, and though we’re sure that most of your employees are upstanding members of the team, you need to make sure you’re fully compliant and know what’s going on within your business’s perimeter. There’s enough to worry about when it comes to doing business in today’s market; at least let us take care of the nannying part.