Shadow IT is a term often used to describe a situation where an enterprise uses IT systems (applications, software, devices, cloud services and similar solutions) without the knowledge or approval of the business. This can present security and operational risks to the company, because it bypasses the organisation's standards, processes and procedures.
This could include the enterprise's configuration, licensing setup, security controls, documentation and implementation standards. More severe scenarios could jeopardise an organisation's ability to comply with specific industry regulations such as data protection, PCI or even SOX. Imagine a grave breach relating to software the IT department wasn't even aware of!
According to Gartner, by 2017 the Chief Marketing Officer will spend more on IT than the CIO. You can imagine that in many cases the IT department may not even know what systems, software or cloud platforms the marketers are using!
This lack of visibility and control can be quite startling. Poorly developed software is a well-publicised route for an attack. Software developed within the business, perhaps inside marketing or HR because someone "knew programming", can present a real security risk to the company. A quickly knocked-up web page could expose the company to SQL injection, authentication bypass or similar conduits for an attack. Perhaps more seriously, these holes could enable lateral movement within the enterprise and subsequently serve as an entrance for APTs.
Beyond software itself, Shadow IT is a common challenge, even in a large enterprise:
- Someone in HR wants to undertake a new form of employee appraisal. Rather than approach IT, they sign up for an online HR service (based in the US) and subsequently import all the organisation's HR data into the cloud. This contravenes the organisational security policy, and IT is entirely unaware of the breach.
- A member of staff is going on leave but wants to work while they are away. They bring the proposals, quotes and price-lists with them on a USB stick.
- An executive uses a cloud service such as Dropbox or Box to sync his documents between his workstation, business laptop and home PC. He later leaves the company, taking its business plans, quotes and customer contacts list with him.
- The head of business development has an Android smartphone with e-mail provided by the company. He installs Instagram, and his 8-year-old daughter chooses to invite all his business contacts to follow him.
These are all examples of Shadow-IT.
How to control Shadow IT
Fortunately, there is a range of technical solutions that can limit the scope for Shadow-IT applications in the enterprise. Most of these are best-practice, but many organisations are not aware of the risks.
Staff handbook and Security Policy
These two documents should specifically address the risk of Shadow IT. Set out the accepted behaviour, the IT usage policies, the approved software and examples of prohibited activity. Any breach becomes a disciplinary issue, potentially gross misconduct. It is essential that these policies are communicated to all staff members and their acknowledgement sought.
Group policy and policy enforcement
If you do not allow your staff to install custom software, develop group policies that enforce these restrictions on their workstations and laptops. Active Directory has long supported the ability to "lock down" user access on PCs; there is simply no excuse for allowing the indiscriminate installation of software by ordinary users.
Mobile Device Management (MDM)
MDM does for mobiles what group policy does for workstations: it can enforce a comprehensive range of device policies for your mobile workforce. MDM solutions generally come in two forms. The first locks down the user's device, preventing them from installing applications and undertaking certain activities.
The second creates a secure sandbox environment on the phone that keeps corporate data and contacts separate from the personal components of the phone. This draws a clear line between work and pleasure. MDM also enables secure wipe, device location and other features such as mobile antivirus.
Web filtering
This is a reasonably self-explanatory solution. Web filtering can control and block access to websites that are potential sources of Shadow IT or data leaks. Cloud platforms such as Dropbox and Box, online CRM systems, accounts systems and similar sites can be blocked.
Network Data Loss Prevention (DLP)
Network DLP attempts to identify sensitive data in transit. This could be staff deliberately setting out to steal data, unwittingly sharing corporate data or using unauthorised cloud applications. DLP will identify critical patterns of data (e.g. "confidential", "account number", "customer x") and alert the administrators if these are detected traversing the network.
Many companies will embed watermarks in their confidential documents. Others may create "dummy" customers on their systems; if the DLP device sees a packet containing the "dummy" customer leaving the organisation, something is amiss.
Network DLP can take the form of a dedicated appliance or is often integrated into a firewall such as the Fortinet NGFW devices.
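A minimal illustration of the pattern-matching and "dummy customer" detection described above, written for this article as an added example (it is not a vendor's DLP engine). The flow records, the keyword patterns and the canary customer name are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of outbound flow records (source host, destination, payload excerpt).
# These are invented for the example, not real captures.
SAMPLE_FLOWS = [
    {"src": "10.0.5.12", "dst": "files.example-cloud.test",
     "payload": "Q3 pricing - CONFIDENTIAL - do not distribute"},
    {"src": "10.0.5.33", "dst": "mail.example.test",
     "payload": "Lunch on Friday?"},
    {"src": "10.0.7.8", "dst": "crm.example-saas.test",
     "payload": "Account number 4471-2209 for Acme Widgets"},
    {"src": "10.0.5.12", "dst": "sync.example-cloud.test",
     "payload": "Customer: Zebulon Canary Ltd, contact: J. Smith"},
]

# Keyword patterns of the kind the article lists ("confidential", "account number").
SENSITIVE_PATTERNS = {
    "confidential-marker": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "account-number": re.compile(r"\baccount number\b", re.IGNORECASE),
}
# Hypothetical "dummy" customer that exists only to be noticed if it ever leaves the network.
CANARY_CUSTOMERS = {"Zebulon Canary Ltd"}


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    severity: str


def inspect_flow(flow):
    """Return the DLP alerts raised by a single outbound flow record."""
    alerts = []
    payload = flow["payload"]
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(payload):
            alerts.append(Alert(name, flow["src"], flow["dst"], "medium"))
    # A canary record leaving the organisation is a stronger signal than a keyword hit.
    for canary in CANARY_CUSTOMERS:
        if canary.lower() in payload.lower():
            alerts.append(Alert("canary-customer", flow["src"], flow["dst"], "high"))
    return alerts


def scan(flows):
    """Run every flow through inspection and collect the alerts for the administrators."""
    return [alert for flow in flows for alert in inspect_flow(flow)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(f"[{alert.severity}] {alert.rule}: {alert.src} -> {alert.dst}")
```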
Device DLP
Device DLP also identifies data in transit, but rather than watching data move across the network, device DLP controls and monitors data being copied to or from USB devices. Administrators can choose to disable USB ports, allow only specific devices, or allow only certain types of files to be copied to or from a device.
This gives an organisation a bird's-eye view of every file copy operation across the whole business. Some businesses choose to disable USB outright, while others allow permitted use.
Advanced USB DLP solutions will maintain an audit trail (and a copy of the files) of everything being copied across the organisation. This provides a vital record in the event of a disciplinary or data leak investigation.
Shadow IT has been a challenge facing IT departments for many years. The advent of mobile, cloud services and portable computing presents a new problem: the need to monitor and enforce policy for a workforce that will often sit outside the enterprise IT environment.
Control and Detect Shadow IT
Fortunately, there is a range of solutions that can help an enterprise monitor, control and safeguard its systems against Shadow IT, data leaks and similar vulnerabilities. With our IT Support and Managed Security services, we provide a range of methods to safeguard your business against internal threats. The use of a next-generation firewall at the network edge is also invaluable in the fight against internal IT threats.