IT Pros Acknowledge Shadow IT Risks Within Their Organizations
According to a recent Spiceworks survey of 338 IT pros, 80 percent say end users have exposed their organization to shadow IT risks. Cloud storage services (e.g., Dropbox, Google Drive, OneDrive) and web-based email clients (e.g., Gmail, Microsoft Exchange Online) top IT pros’ list of shadow IT concerns, with almost 40 percent reporting shadow IT has made their organization’s data vulnerable.
The danger lies not only in storing data with consumer software-as-a-service (SaaS) providers and unauthorized cloud service providers, but also in transmitting sensitive data over unsecured channels. Additionally, organizations have no guarantee that third parties will keep their data safe, which is a risky proposition for businesses operating in highly regulated industries.
Giving Users What They Want
Often, business users expose companies to shadow IT risks because they find the available applications inadequate. They may prefer a familiar consumer email client to the company’s email interface, or they may find it easier to collaborate and share files through a consumer cloud storage service.
One way to combat shadow IT involves setting up a list of authorized cloud services and designating a cloud services broker to create a safe marketplace for applications and cloud services. According to Gartner, businesses can start by scanning their networks and uncovering unauthorized applications.
From there, IT can contact the business unit that set up the unauthorized account and ask questions about what needs aren’t being met by authorized applications. Together, business units and IT can develop solutions they can then bring into the authorized marketplace. Instead of being the department of “no,” IT becomes a partner that makes it easier for employees to do their jobs.
Detecting Unauthorized Activity
Unauthorized applications often show up as expenses on departmental financial reports. Web gateway logs can reveal a high volume of traffic pointed at a particular web-based application.
According to Candace Worley, VP of Intel Security Group, writing for CSO, routing authentication through the corporate directory can help IT detect login prompts that point to unauthorized services. Requiring business units to go through corporate billing for IT procurement helps them maintain accurate records, and it also helps IT detect unauthorized purchases.
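The web gateway log review described in this section can be scripted. The sketch below is an added example, not code from the survey or from Worley's article; the log format, the allowlisted domains and the thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Assumed allowlist of sanctioned services (hypothetical domains).
SANCTIONED = {"sharepoint.example.com", "mail.example.com"}

# Constructed sample lines in an assumed gateway log format:
# timestamp user method host bytes_sent bytes_received
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST files.consumer-storage.example 52428800 512
2024-05-01T09:02:10Z bob POST files.consumer-storage.example 10485760 498
2024-05-01T09:03:44Z alice GET sharepoint.example.com 840 20480
2024-05-01T09:05:12Z carol POST webmail.consumer-mail.example 2048 1024
2024-05-01T09:06:30Z bob PUT files.consumer-storage.example 31457280 503
malformed line without enough fields
2024-05-01T09:07:02Z dave GET mail.example.com 600 9000
"""

def is_sanctioned(host, allowlist=SANCTIONED):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)

def summarize_unsanctioned(log_text, allowlist=SANCTIONED):
    """Aggregate requests, upload bytes and distinct users per unsanctioned host."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip malformed records instead of aborting the run
        _, user, _method, host, sent, _recv = parts
        if is_sanctioned(host, allowlist):
            continue
        entry = stats[host.lower()]
        entry["requests"] += 1
        entry["bytes_sent"] += int(sent)
        entry["users"].add(user)
    return dict(stats)

def flag_hosts(stats, min_upload_bytes=50 * 1024 * 1024, min_users=2):
    """Hosts whose upload volume or user count is worth raising with the business unit."""
    flagged = [h for h, s in stats.items()
               if s["bytes_sent"] >= min_upload_bytes or len(s["users"]) >= min_users]
    return sorted(flagged, key=lambda h: stats[h]["bytes_sent"], reverse=True)

if __name__ == "__main__":
    stats = summarize_unsanctioned(SAMPLE_LOG)
    for host in flag_hosts(stats):
        s = stats[host]
        print(host, s["requests"], s["bytes_sent"], sorted(s["users"]))
```

Matching on a leading dot keeps a lookalike such as `notmail.example.com` from passing as a subdomain of an allowlisted service.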
Limiting Shadow IT Risks
Although IT has to work as a business partner whenever it can, at some point, no means no. Worley recommends practices that prevent data exchanges between enterprise and cloud applications. One example would be to configure a firewall or proxy server to restrict posting, downloading and uploading activities — particularly to high-risk IPs.
Worley also recommends encrypting all data behind a firewall and using data loss prevention software to restrict the flow of sensitive information. With these controls in place, credit card data, personal health information, personally identifiable information and intellectual property data are much more difficult to transfer to cloud applications.
Finally, cloud access security brokers can help organizations extend internal security controls to wherever organizational data is stored, shared or accessed. Preventing shadow IT risks requires balancing restriction with empowerment, providing tools for innovation without introducing undue vulnerability to the enterprise.