Shadow IT is one of the most worrying problems for any organization, from small businesses to large enterprises. It creates additional challenges for IT departments and often puts an organization’s entire network at risk. According to Gartner, by 2020, around 30 percent of successful attacks on enterprises will be on their unsanctioned shadow IT resources.
This article explains the main risks of shadow IT and what can be done to detect and mitigate this problem.
Hiding in the shadows
What is shadow IT? Basically it’s any IT system, technology, or application that’s deployed and used without the approval of the corporate IT department. In some cases, personal devices including cell phones and USB devices may also be considered part of shadow IT.
The most common examples of shadow IT are popular cloud services like Dropbox and Salesforce and commonly used messengers like Viber and WhatsApp. However, what’s considered part of shadow IT mostly depends on a particular company’s corporate policy.
People turn to shadow IT for different reasons. The most common reasons for using shadow IT are:
- Efficiency – Approved software and solutions can be (or at least seem to be) slower, less effective, and less productive than unsanctioned alternatives.
- Compatibility – Corporate solutions may be incompatible with users’ personal devices.
- Comfort – People tend to use software and solutions they’re used to.
Even though shadow IT often seems to be helpful to end users, it poses a serious threat to enterprises.
But why is shadow IT so dangerous? The main threat posed by unsanctioned software and applications hides in its unaccountability — you can’t effectively manage something that you don’t even know exists. As a result, both security and performance of the entire network are put at risk.
Let’s take a closer look at the most common risks of shadow IT:
- Lack of security – Lack of visibility and control over network elements are the main cybersecurity risks of using shadow IT. They create numerous weak spots that hackers may use for compromising a system and collecting or stealing sensitive business information. Plus, since unsanctioned software and applications aren’t managed by the IT department, they usually have lots of unpatched errors and vulnerabilities.
- Performance issues – Certain products and solutions can be incompatible with the main components of the IT infrastructure, leading to serious performance issues.
- Data loss – An IT department can’t create backups for software they don’t know is present in the network, while shadow IT users usually don’t think (or know) that backups are necessary. As a result, there’s always a significant risk of losing important, valuable, and sensitive data.
- Compliance issues – Most businesses have several regulations, laws, and industry standards they need to comply with. The presence of unmanaged software makes it much harder for a company to meet these standards.
As you can see, shadow IT solutions can pose a serious threat to any company. Therefore, systems, technologies, and applications in use have to be managed effectively in order to mitigate shadow IT risks. In the next section, we talk about popular solutions for detecting and managing shadow IT.
Throwing light upon shadow IT
Currently, there are two common ways to deal with unapproved software and cloud applications: deploy shadow IT discovery and management solutions or turn to DevOps. Let’s take a closer look at each of these options.
Shadow IT discovery and management solutions
IT asset inventory systems are one tool that can be used to detect shadow IT. These systems gather detailed inventory information on hardware and software running in the network. Based on this information, you can analyze how different assets are used.
There are two types of IT asset management (ITAM) solutions: agent-based and agentless. Agent-based ITAM solutions work well when you need to gather inventory information from remote endpoints or devices that aren’t constantly connected to the network, such as laptops. The agentless approach, on the other hand, works best for performing non-intrusive monitoring and analysis of critical assets.
Since more and more people are turning to SaaS, IaaS, and PaaS solutions, the market also offers cloud-based IT asset inventory systems for monitoring and auditing the use of cloud solutions. In order to ensure efficient detection of unsanctioned cloud applications, the following four features are needed:
- Visibility – An IT asset inventory system should provide full visibility of the monitored IT environment and all IT assets present in it.
- Automatic updates – All received data should be accurate and up-to-date so you can see what’s happening and react immediately when needed.
- Asset categorization – Not all IT assets have the same importance and criticality, so it’s crucial to rank assets according to their importance.
- Compatibility with the configuration management database – An IT asset inventory solution should be fully compatible with the configuration management database (CMDB) so it can perform constant information updates to the database.
Cloud Access Security Brokers (CASBs) are another option for detecting and managing shadow IT in the cloud. CASBs can identify cloud services and applications in use by analyzing logs from firewalls, proxies, and endpoints. These solutions give a better level of visibility over what devices are connected to the network as well as who can access sensitive data and store it in the cloud.
Some CASBs also provide the opportunity to put SaaS applications into a read-only mode so that users can still view the contents of these applications but can’t publish any data to them.
Large cloud service vendors also offer additional solutions for detecting and managing shadow IT in the cloud. For instance, Dropbox Business uses the Microsoft Cloud App Security service for monitoring and auditing use of cloud services. Microsoft Cloud App Security is able to discover applications, files, and users in a company’s cloud environment, including third-party applications connected to it.
Microsoft Azure has an agent-based Azure Active Directory Cloud App Discovery tool in its Premium edition. The agent captures such data as headers, URLs, and metadata for HTTP/HTTPS connections to discover cloud applications used within an organization, identify people who use them, and provide detailed information for further analysis.
While you can easily choose one of these services, it would be more effective to build one that meets your particular requirements. At Apriorit, we have an impressive amount of experience creating advanced network monitoring solutions and cloud computing protection technologies and would be glad to assist you in solving this challenging task.
Next, we’ll talk about the alternative solution — DevOps — and how it can help you prevent shadow IT from appearing in your network.
Moving to DevOps
DevOps is a new philosophy of software development that allows enterprises to boost productivity, reduce the time needed for incorporating new solutions, and break down the silos between development, testing, and operations.
DevOps has two major benefits:
- Improved efficiency
- Fast reaction to user requests
Since DevOps allows faster response to requests from end users and helps companies implement new solutions easily and effectively, this approach can be viewed as one of the most effective ways to solve the problem of shadow IT.
DevOps eliminates the need for using shadow IT by making it easier for end users to officially implement new software and technologies needed to do their jobs better and faster. Organizations that embrace DevOps can turn shadow IT into part of their IT infrastructure without compromising performance or security.
Do you even need to fight it?
There’s no denying that shadow IT is dangerous and can pose a serious threat to any company. However, that doesn’t mean there are zero benefits to using unsanctioned software in the corporate network.
What are the benefits of shadow IT? First and foremost, the mere fact that unapproved software is running on a company’s systems shows that approved solutions don’t meet the requirements of employees: they’re either inefficient or uncomfortable or both.
Secondly, there’s always a chance of shadow IT turning out to be more productive and cost-effective than already deployed solutions. The main task here is to recognize the solutions that can be more beneficial to the company and find a way to implement them effectively into the current infrastructure.
The use of unmonitored and unmanaged software or cloud applications can pose a serious threat to any company by compromising the security of its network and creating additional performance and compliance issues. There are at least two ways of solving this problem: by implementing an effective IT asset inventory and management system or by moving to DevOps.
At Apriorit, we have teams of professionals experienced in both building effective network management solutions and establishing DevOps processes for cloud solution vendors. We would be glad to help you solve the problem of shadow IT in the most efficient and affordable way.