How can IT teams better manage shadow IT?

Since the pandemic hit and more workers went remote, managing shadow IT has become even more difficult.

As a CIO or IT leader, you want a smooth-running IT organization that is compliant, secure and risk-free. But so long as an internet connection is available, shadow IT users can access just about any cloud-based resource with minimal difficulty. And with the rise of hybrid workplaces, users have more reason to do so.

In addition, the growth of cloud-based systems using SaaS, IaaS and PaaS represent significant opportunities for shadow IT activities. This is in addition to off-the-shelf hardware and software applications that have been the traditional sources for shadow IT users.

With that in mind, here are some suggestions for addressing these issues and for effectively managing shadow IT.

1. Regularly run network sniffing programs to detect IP addresses that are not in the known list of IP addresses.
2. Maintain an up-to-date inventory of all resources within the IT infrastructure and update it regularly using network inventory technology or other relevant applications.
3. Ensure that the CIO's senior leadership team keeps an eye out for possible shadow installations. Include this as a periodic agenda item at staff meetings.
4. Review network firewall activity -- both inbound and outbound -- to identify any suspicious traffic for further analysis.
5. Review activity on intrusion detection and intrusion prevention systems to identify anomalies for further analysis.
6. Send out periodic messages to employees advising of possible shadow IT activities and asking them to report any suspicious activity to IT management.
7. Brief senior management on any suspicious IT activity and the measures being taken to remediate it. Ensure they support initiatives to mitigate shadow IT.
8. Advise cloud service organizations currently under contract on any concerns about unauthorized IT and advise them how to respond to any suspicious activity.
9. Determine the shadow IT analysis capabilities of cloud-based and other managed service providers.
10. Establish policies and protocols for dealing with shadow IT activities and review them with HR and legal departments.
11. Establish penalties for employees identified as conducting shadow IT activities. Be sure to coordinate this with HR.
12. If a BYOD policy exists, consider updating it to address shadow IT activities.
13. In advance of an IT audit, be prepared for potential questions from auditors on the existence of shadow IT activities, as they present potential security risks and access control issues.
14. Examine shadow IT detection tools that may be available from cloud access security brokers.