With the increase in cloud computing and BYOD in the workplace, it's become increasingly difficult for IT departments to keep track of and manage software and hardware -- and maintain a secure environment.
So what can CIOs and other IT leaders do to identify and manage Shadow IT -- software and hardware not directly under the control of IT -- and mitigate the potential risks? CIO.com asked dozens of IT, mobile and cybersecurity professionals to find out. Here are their top six tips for managing Shadow IT in the enterprise.
1. Monitor your network -- to find out if or where you have a Shadow IT problem. "Regardless of whether employees use company-issued or personal (i.e., BYOD) hardware, organizations need to identify where all their data resides -- [in house], in the data center, at the edge or in the cloud," says Greg White, senior manager, product marketing, CommVault, a provider of data and information management software.
Then, "to quickly identify Shadow IT, you need to continuously monitor your network for new and unknown devices, comparing the list between scans to determine when new devices appear," says Dwayne Melancon, CTO, Tripwire, a network security firm.
"This can be incorporated into routine enterprise vulnerability scanning, a widely adopted security best practice," Melancon says. "This approach will enable you to gather information about where new devices are on your network and detailed information on what kind of device they are."
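The scan-to-scan comparison Melancon describes, as an added example (not from the article or from any vendor's product): two constructed scan exports are compared by MAC address, and newly seen devices are split by whether they appear in a constructed IT asset inventory. The record fields and the names `diff_scans` and `norm_mac` are assumptions.

```python
# Added example. Scan records and the asset inventory are constructed;
# field names ("mac", "ip", "kind") are assumptions, not a scanner's schema.
SCAN_PREVIOUS = [
    {"mac": "00:11:22:AA:BB:01", "ip": "10.0.4.10", "kind": "laptop"},
    {"mac": "00:11:22:AA:BB:02", "ip": "10.0.4.11", "kind": "printer"},
    {"mac": "00:11:22:AA:BB:05", "ip": "10.0.4.12", "kind": "desktop"},
]
SCAN_CURRENT = [
    # Same laptop on a new DHCP lease, MAC reported in a different style.
    {"mac": "00-11-22-aa-bb-01", "ip": "10.0.4.37", "kind": "laptop"},
    {"mac": "00:11:22:AA:BB:02", "ip": "10.0.4.11", "kind": "printer"},
    {"mac": "00:11:22:AA:BB:03", "ip": "10.0.4.52", "kind": "wireless-ap"},
    {"mac": "00:11:22:AA:BB:04", "ip": "10.0.4.53", "kind": "nas"},
]
# MACs of hardware IT already manages (constructed inventory).
MANAGED = {"00:11:22:AA:BB:01", "00:11:22:AA:BB:02", "00:11:22:AA:BB:04"}


def norm_mac(mac):
    """Normalise separators and case so the same NIC compares equal."""
    return mac.strip().upper().replace("-", ":")


def diff_scans(previous, current, managed):
    """Compare two scans keyed on MAC (IPs change with DHCP leases).

    Returns new devices split into unmanaged (Shadow IT candidates) and
    managed (IT-issued, newly seen), plus devices that disappeared.
    """
    prev = {norm_mac(h["mac"]): h for h in previous}
    cur = {norm_mac(h["mac"]): h for h in current}
    known = {norm_mac(m) for m in managed}
    new = sorted(cur.keys() - prev.keys())
    return {
        "new_unmanaged": [cur[m] for m in new if m not in known],
        "new_managed": [cur[m] for m in new if m in known],
        "disappeared": [prev[m] for m in sorted(prev.keys() - cur.keys())],
    }


if __name__ == "__main__":
    report = diff_scans(SCAN_PREVIOUS, SCAN_CURRENT, MANAGED)
    for bucket, hosts in report.items():
        for h in hosts:
            print(f"{bucket:14} {norm_mac(h['mac'])} {h['ip']:12} {h['kind']}")
```

Phones and tablets that randomise their Wi-Fi MAC address can show up as new on each rotation, so pair this with an identity the device cannot change on its own, such as an MDM enrolment or 802.1X login.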
Similarly, "you can process the log data from your current firewalls, proxies, SIEMs and MDM products to identify the cloud services being used outside of IT's purview," notes Rajiv Gupta, CEO of Skyhigh Networks, a cloud access security company. "This data can tell you which services are being used, who uses them, how often and how much data is uploaded and downloaded."
2. Prioritize risk. "Not all software/services used outside of IT control is bad," says Gupta. "Leverage an objective and comprehensive registry of cloud services to identify the highest risk services in use and address those first," he suggests. "Prevent access to these high-risk services by blocking them via your existing infrastructure (i.e., firewalls, proxies, MDM solutions) or by identifying users and requesting they cease using the services."
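An added example (not from the article or from Skyhigh Networks) that ties tips 1 and 2 together: it reads constructed proxy log lines, reports per unsanctioned service who used it, how often, and how much data moved, then orders the result by a risk score. The log format, the `.example` service domains, the risk scores and the function names are all assumptions.

```python
from collections import defaultdict

# Constructed registry: domain -> (service, risk 1-10, sanctioned by IT?).
REGISTRY = {
    "filedrop.example": ("FileDrop", 8, False),
    "chatly.example": ("Chatly", 4, False),
    "corpshare.example": ("CorpShare", 2, True),
}
# Constructed proxy log; assumed format: timestamp user host bytes_up bytes_down
LOG = """\
2024-05-01T09:00:01Z alice api.filedrop.example 52428800 1200
2024-05-01T09:05:10Z bob www.chatly.example 2048 90000
2024-05-01T09:07:42Z alice upload.filedrop.example 10485760 800
2024-05-01T09:09:00Z carol corpshare.example 4096 4096
2024-05-01T09:10:00Z bob intranet.corp.example 100 100
truncated line
2024-05-01T09:12:30Z dave API.FileDrop.example 1024 734003200
"""


def lookup(host):
    """Match the host or any parent domain against the registry."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = REGISTRY.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def summarize(log_text):
    """Per unsanctioned service: users, requests, bytes up/down,
    ordered highest risk first, then by upload volume."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "up": 0, "down": 0})
    risk = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue  # skip malformed records instead of aborting the run
        _, user, host, up, down = parts
        entry = lookup(host)
        if entry is None or entry[2]:
            continue  # not in the registry, or a service IT has approved
        name, score, _ = entry
        risk[name] = score
        s = stats[name]
        s["users"].add(user)
        s["requests"] += 1
        s["up"] += int(up)
        s["down"] += int(down)
    rows = [{"service": n, "risk": risk[n], "users": sorted(s["users"]),
             "requests": s["requests"], "up": s["up"], "down": s["down"]}
            for n, s in stats.items()]
    return sorted(rows, key=lambda r: (-r["risk"], -r["up"]))
```

Hosts that match nothing in the registry are dropped here; in practice they are worth a separate report, since a registry cannot list every service.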
3. Establish guidelines around BYOD and apps/cloud services. "To accommodate the needs of business units, IT can create and share a list of approved software/applications beyond the standard issue software," says Chris Smith, CMO, Zenoss, a provider of IT monitoring and management solutions.
"This would enable business units making their own purchase decisions to be assured that the introduction would not cause compatibility or security issues," Smith says. In addition, "IT should put processes in place that allow it to quickly approve/disapprove new applications actively sought by business units."
"At BT, we have made a point of sharing the details of our BYOD strategy with our workforce so it's clear what we can support and what areas we have to tread carefully due to business risk," says Jason Cook, chief architect & CTO, U.S. & Canada and CPG, BT Global Services. This allows workers to know upfront what is permitted and mitigates the risk of unapproved apps and devices being used, as well as security risks.
4. Offer alternatives. "Today's workers expect to be able to find, view and use their data across locations and devices," says White. "If enterprises don't provide a secure solution for access to corporate data remotely, employees will find their own ways to manage information to work efficiently by using consumer products that can put the organization at risk," he says.
"By providing employees with secure, IT-controlled anywhere, anytime access to information on-the-go, they can reduce the risk of employees deploying outside products that are beyond the awareness, discovery and control of IT," White says.
"Your employees are using iOS and Android-based devices to access their work content remotely," says Jeetu Patel, general manager, EMC Syncplicity. "So make sure that you give users mobile alternatives that either work with your existing mobile management platform or provide extensive security and policy controls to protect data on lost or stolen devices."
"IT organizations shouldn't ignore BYOD, but should address this up-front with a solution that enables these employees to do all of their work securely on personal devices," says Tyler Lessard, chief marketing and product officer, Fixmo, a mobile device software company.
"If they don't, they expose themselves to the risk of users working around policy and finding other ways to forward corporate documents, etc. to their mobile devices," Lessard warns. "Address [Shadow IT] head-on, in a strategic way, saying 'yes' to BYOD and giving employees a proper way to securely do work, rather than forcing them to find workarounds."
5. Restrict access to third-party apps. "Restrict your users' access to applications such as Dropbox, SharePoint and SkyDrive among others," says Christophe Boudet, managing director, Akita IT Services. "Most IT policies will prevent individual users from choosing the applications they are able to install anyway," he says. "Further, clearly state in your IT policy that these services are not permitted, and provide your staff sufficient training so that the message is clear to them."
However, "blocking is not always the best approach," argues Gupta. "Sometimes it can be more effective to identify the users, help them understand the risks and suggest a low-risk alternative with equivalent functionality. People tend to find ways to get to sites and services they feel unjustly blocked from."
6. Offer amnesty on Shadow IT. "When identifying the threats of Shadow IT, you have two choices: First, your IT department can identify the traffic to and from third-party cloud solutions that deliver Shadow IT, like Skype, Box and Dropbox," says Orlando Scott-Cowley, Messaging, Security and Compliance Evangelist at Mimecast, which provides email management, compliance and archiving solutions.
"However, this process is time-consuming, inaccurate and blocking entirely is almost impossible," Scott-Cowley says. The better option: "Hold an amnesty on Shadow IT. A no-consequences, 'stand up, own up and be counted' strategy, without fear of retribution works -- especially if you give users an opportunity to explain why they needed a third-party app and why your corporate platforms weren't up to the job."
Should You Embrace Shadow IT? 4 Questions to Ask Yourself
Before embracing or restricting shadow IT, Akita IT Services' Boudet suggests CIOs ask themselves the following four questions:
- Is there a reason why a particular solution is inappropriate for the company?
- If users clearly feel they need a solution for rapid document sharing/online services/hardware, can this be included into the company's IT policy?
- Is there a Shadow IT option currently in use in the organization that satisfies compliance needs?
- Can you integrate Shadow IT (certain apps or services or devices) into your IT assets and install the proper security measures around them?
Jennifer Lonoff Schiff is a contributor to CIO.com and runs a marketing communications firm focused on helping organizations better interact with their customers, employees, and partners.