Enlightened shadow IT policy collaborates with users

A cloud-era shadow IT policy still needs to manage risk, but the era of "no way" is giving way to allow users quick access to the productivity apps they need.

Most IT departments have spent time rooting out the shadow, or non-IT-sanctioned, applications and systems in use within their organizations. Today, users find that cloud-based services not necessarily approved by IT let them quickly subscribe to applications and platforms that improve their collaboration and productivity. That advantage is prompting IT organizations to rethink their shadow IT policy: work with users rather than wage all-out combat against apps that haven't been fully blessed by the enterprise and could introduce security risks.

Shadow IT, also called stealth IT, didn't begin with the advent of cloud services. Long before cloud services existed, users were creative about applications that hadn't been deployed by IT. On-premises stealth IT options included VoIP software, online messaging software, portable data storage devices and content apps, to name only a few.

"We used to have to worry about people buying a server and installing it in the closet, now shadow IT is mostly around cloud services," said Jeffery Schilling, CSO at cloud security service provider Armor.

Schilling, who handles internal security for Armor's 275 employees, said the vulnerabilities of shadow IT in a cloud world are still the same -- including concerns about data leaks, intellectual property theft and malware. But often the dangers of shadow IT cloud services are overlooked because users can easily access them away from IT's purview.

Now, the advantages of cloud services are changing shadow IT policy in many enterprises. The flat-out blocking of cloud services is unacceptable in most organizations today because team collaboration apps, for example, are useful to lines of business and work groups that use them to improve productivity. These apps are quick to deploy and eliminate the need for IT's permission or deployment.

"Any IT leader who stands in the way of productivity probably isn't going to hold the job too long," Schilling said, adding that cloud services typically represent an opportunity, not a hindrance.

Just like on-premises shadow IT efforts, however, Schilling knows that if something goes wrong and business users find themselves in trouble, IT will have to come to the rescue.

"Rather than fighting it, we have to offer users governance and guidelines," he said.

Cloud-based shadow IT detection

Schilling runs a zero-trust environment that assumes every system that connects to the corporate enterprise is potentially compromised. Using network access control tools and network traffic monitoring, his IT team has configuration control over every machine, which allows IT to instantly see if someone downloads and installs an application related to a cloud-based service.

IT also uses traffic analysis tools to look for outbound traffic to potentially dangerous sites, along with security controls within Google Chrome and Mozilla Firefox browsers to make sure infected hosts can't impact the network.

As part of changing shadow IT policy, Schilling is evaluating cloud access security brokers that would establish a proxy for all port 443 and port 80 traffic -- the default ports for secure HTTP and nonsecure HTTP, respectively. "It creates an aggregation point for cloud services to prevent data loss," he said.

But for now, if a cloud service trips an alert on the organization's security tools and involves an infected machine, IT blocks the connection to the service and sends the issue to the incident response team. If a service sets off an alert but is not deemed dangerous, IT will run a risk assessment then put it before the change management team to see if it can be accepted into the standard configuration.
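The triage described in the two paragraphs above (block and hand to incident response when an infected host is involved; otherwise queue the unknown service for a risk assessment and change management) as an added example; this is illustrative code written for this article, not Armor's tooling, and the alert lines, host names and destinations are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound-connection alerts from a traffic monitor (not real data).
SAMPLE_ALERTS = """\
2017-05-02T09:14:03 host=WS-0412 dst=chat.example-collab.com port=443 ioc=none
2017-05-02T09:15:10 host=WS-0987 dst=files.example-share.net port=80 ioc=none
2017-05-02T09:16:44 host=WS-0230 dst=cdn.bad-example.xyz port=80 ioc=malware-beacon
2017-05-02T09:18:02 host=WS-0412 dst=mail.example-corp.com port=443 ioc=none
"""

# Services already accepted into the standard configuration by change management (constructed).
STANDARD_CONFIG = {"mail.example-corp.com", "crm.example-corp.com"}
# Hosts currently flagged as compromised by endpoint monitoring (constructed).
INFECTED_HOSTS = {"WS-0230"}

LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) port=(\d+) ioc=(\S+)$")


@dataclass(frozen=True)
class Decision:
    host: str
    dst: str
    action: str   # "allow", "block+ir" or "risk-assessment"
    reason: str


def triage(alert_line):
    """Apply the article's decision rule to one alert line."""
    m = LINE_RE.match(alert_line.strip())
    if not m:
        raise ValueError("unrecognised alert format: %r" % alert_line)
    _ts, host, dst, port, ioc = m.groups()
    if dst in STANDARD_CONFIG:
        return Decision(host, dst, "allow", "service is in the standard configuration")
    if host in INFECTED_HOSTS or ioc != "none":
        # Dangerous: cut the connection and route to the incident response team.
        return Decision(host, dst, "block+ir", "infected host or indicator present (ioc=%s)" % ioc)
    # Not dangerous but unsanctioned: risk assessment, then change management review.
    note = "unknown cloud service; run risk assessment, then change management"
    if port == "80":
        note += " (nonsecure HTTP, note for the assessment)"
    return Decision(host, dst, "risk-assessment", note)


def triage_log(text):
    """Triage every non-empty line of an alert export."""
    return [triage(line) for line in text.splitlines() if line.strip()]
```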

At kCura, an e-discovery software company with 650 employees and offices around the world, Andrew Watts, vice president of IT, has adjusted his approach to shadow IT. "We care about shadow IT -- even as a very cloud-first environment -- and we try to cut down on the number of services that go unvetted and unapproved," he said. The 10-year-old company is in the process of transforming itself into a "fast organization" -- a term that describes software as a service (SaaS)-friendly companies that try to get the right tools to their users as fast as possible. Watts considers cloud services key to that success. Now, kCura's IT department focuses on working collaboratively with users to provide the tools they need for the right reasons.

Above-board chat about shadow IT

To make good on the goal of offering the right tools without sacrificing security, Watts said he first lets users know they can talk openly to IT about the problems they are trying to solve and the services they'd like to use. This open culture, as opposed to the heavy-handedness usually applied under shadow IT policy, helps IT understand why users need certain tools, he said.

If users don't let IT know about the services they're already using, Watts uses Zylo, a SaaS optimization platform, as a failsafe. With Zylo, Watts can discover and manage all SaaS-based applications in use in the enterprise. If Zylo detects a SaaS application in use, the IT team receives an alert with the name of the software, information on when it was purchased, who has access to it and its utilization stats.

Watts uses this information to talk to users about their intent for using the cloud-based software services and to see if the need can be met by using another application in the IT service portfolio.

"We try to ensure that if users bring in a new service, we understand the gap it's filling," Watts said. "We want to optimize functionality, not duplicate it." Zylo helps categorize applications to avoid redundancies. And because it can link to financial systems, Zylo can also detect a new cloud-based service based on line items in expense reports.

Shadow IT policy follows the money

OneLogin, an identity and access management cloud service, also considers employee expense reports an opportunity to spot SaaS usage and tame shadow IT, according to Al Sargent, OneLogin's senior director of product marketing. OneLogin implemented a category in its expense reporting app for SaaS subscriptions. When selected, it tells the finance department to notify IT so IT can investigate its use.
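The "follow the money" detection that kCura gets from Zylo's link to financial systems and that OneLogin gets from its expense category, as an added example that is not either vendor's product code: it scans an expense export for line items tagged as a SaaS subscription or recurring at the same amount in different months, and marks which vendors IT already has in its service portfolio. The CSV rows, vendor names and portfolio are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed expense-report export (not real data).
EXPENSE_CSV = """\
date,employee,vendor,amount,category
2017-03-03,alice,NoteSync Inc,12.00,Software
2017-04-03,alice,NoteSync Inc,12.00,Software
2017-05-03,alice,NoteSync Inc,12.00,Software
2017-04-11,bob,DesignBoard Ltd,29.00,SaaS subscription
2017-04-20,carol,Corner Cafe,8.50,Meals
2017-05-20,carol,Corner Cafe,9.75,Meals
2017-04-01,dave,CRM Corp,45.00,Software
2017-05-01,dave,CRM Corp,45.00,Software
"""

# Services already in IT's service portfolio, lower-cased for matching (constructed).
PORTFOLIO = {"crm corp"}


def discover_saas(csv_text, min_months=2):
    """Return one finding per vendor that looks like a SaaS subscription.

    A vendor is flagged when any line item carries the SaaS category, or when it
    is charged at one constant amount in at least `min_months` distinct months.
    """
    by_vendor = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_vendor[row["vendor"]].append(row)

    findings = []
    for vendor, rows in by_vendor.items():
        tagged = any(r["category"].strip().lower() == "saas subscription" for r in rows)
        months = {r["date"][:7] for r in rows}          # YYYY-MM
        amounts = {r["amount"] for r in rows}
        recurring = len(months) >= min_months and len(amounts) == 1
        if not (tagged or recurring):
            continue
        findings.append({
            "vendor": vendor,
            "users": sorted({r["employee"] for r in rows}),
            "first_seen": min(r["date"] for r in rows),
            "in_portfolio": vendor.lower() in PORTFOLIO,
            "trigger": "category" if tagged else "recurring charge",
        })
    return sorted(findings, key=lambda f: f["vendor"])
```

Findings with `in_portfolio` false are the ones worth the conversation the article describes; the rest are candidates for moving onto an IT-managed subscription.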

This provides an opening for IT to approach end users, Sargent said. "IT tells users, 'Rather than the hassle of using your own card and filling out monthly expense reports, we can manage the subscription and save you time.'"

Another way IT can stay informed about shadow IT apps is through the OneLogin browser extensions for Google Chrome, Microsoft Edge and Internet Explorer, Apple Safari and Mozilla Firefox. When users log in to a website or application, the browser offers to save the person's credentials in a secure password vault. IT can get alerts when new credentials are saved for previously unknown apps.

Changes in attitude toward shadow IT

Sargent said he has changed his approach to shadow IT because shadow IT itself has changed. "It's not just a handful of apps like G Suite or Dropbox," he said. "It's a long tail of essential services for keeping a business humming, whether it's ordering new coffee for a coffee machine or paying the company's local taxes. We're not going to tell someone they can't pay taxes because the tax application isn't on the approved app list."

Sargent is less concerned about duplicate services, calling strategies that try to reduce redundancy out of date. "We empower individual teams to use what's right for them," he said, pointing to project management tools as an example. He said engineering, product management and marketing each have their own apps, but the subtle differences matter to each department. "They each have their own tool because they match up to their unique use cases," he said.

"We don't allow people to have free rein, but as long as the service is secure and follows compliance standards, we don't limit application usage," Sargent said.

Sungard Availability Services, a custom IT service provider with nearly 3,000 employees, uses traffic monitoring and analysis, as well as software agents on internal IT assets to study data usage and to spot high concentrations of utilization, according to Shawn Burke, the company's global CSO. Cloud-based chat services like Slack are often big offenders and trigger alarms, he said.

Like Sargent, Burke will use information gleaned from network and security tools to open a discussion with users. Sometimes he'll find that a user was frustrated with the organization's supported application and needed a different option than IT provided. In that case, Burke said he tells the user to move back to the certified application, and they will work to resolve the issue.

"You're never going to have a silver bullet to kill shadow IT, so make sure you develop and foster a relationship between the business lines and IT that is based on enablement and transparency," Burke said. "After all, most employees aren't deliberately trying to violate policy. They are just trying to get their job done and do it well."

This was last published in May 2017