The processes that govern IT systems are in place for a number of important reasons. First, they ensure that time and money are allocated. Having duplicate systems to handle the same thing is a waste. Second, they keep systems safe. IT verifies that the programs are secure and used in a proper way.
Finally, they provide a backbone for business growth. Leveraging new technology can be a big competitive advantage.
What is Shadow IT?
The average employee is under pressure to get their job done. Tools and applications provide the framework, tracking and execution to make all this happen. When the process to get this software takes too long or is inefficient, shortcuts pop up. Shadow IT is the unofficial technology work-around and system that members of a company use to get things done. Shadow IT could even consist of temporary or unapproved items that some members of IT unofficially allowed.
Cloud applications gives the average worker a massive amount of power at their fingertips. Oftentimes, these tools are even free. This provides a bounty of capabilities, but also more risk for the company with regards to data security and malware.
Sometimes the worker will even use something built on their own to get the job done. This might satisfy the need, but future headaches will arrive. The upkeep and maintenance for these tools to keep functional can be immense. A home-grown system is less likely to be tested and secure.
The threats associated with Shadow IT include:
- Security: The systems being used have not been vetted by the right people.
- Regular Maintenance: If a system is cloud-based, updates are likely to occur automatically. IT staff have a regular cadence of updates and policies.
- Compliance: If personal data or other information exists in a system that is not secure or regularly maintained, it could be breached. Breaches and lack of data control have ramifications for compliance.
Dealing with Shadow IT Systems
A Security Information Event Management (SIEM) system managed either internally or with a Managed Security Services Provider (MSSP), can point to the sources of traffic. Creating alerts for certain applications can bring awareness to their existence. Other software can be used to manage access and control for employees like Cloud Access Security Brokers (CASB).
More importantly than detecting is addressing the root cause of Shadow IT. If the software and tools officially available are not being adopted, then those options need to be reevaluated. If employees are seeking their own solutions, rather than waiting for IT then the time to respond should be addressed.