‘Shadow IT’ is a term often used to describe information technology systems and solutions built and used inside organisations without explicit organisational approval. It is also used, along with the term ‘Stealth IT’, to describe solutions owned, specified and deployed by departments other than the IT department.
One of the most common manifestations of shadow or stealth IT is employees installing their preferred software applications onto corporate devices without making the IT department aware. This puts the organisation at risk from two angles. Firstly, the licensing position of the unapproved software will not be known and recorded within the asset management database, which could potentially lead to a breach of the licensing obligations. Secondly, the software will not have been tested for use within the corporate environment, so its source will not necessarily be known and its compatibility with other business applications will not have been ratified. This leads to a potential risk of introducing virus infection, data breach or corruption of corporate data.
Additionally, greater numbers of employees are making use of their own devices within the workplace and, if adequate controls are not in place, they are connecting non-approved equipment to the secure corporate network. As with non-approved software, these personally owned “home user” devices often use relatively lax and ineffective security measures. When introduced into a corporate network, these insecure devices and the associated unapproved software create a whole host of new vulnerabilities through which data breaches and attacks can occur. These types of shadow IT introduce security blind spots, or parts of the network that are operating outside the knowledge of the IT department, and in doing so prevent effective security monitoring.
Other examples of shadow IT are as follows:
- Transferring corporate information from one device to another via USB stick
- Using instant messaging apps such as WhatsApp on corporate devices rather than a corporate solution such as Skype for Business
- Using cloud-based storage services such as Dropbox to transfer corporate data between devices
Embracing the benefits of Shadow IT
Shadow IT is not necessarily a threat to the IT organisation. In fact, it can be an effective way to meet changing business needs and create a greater understanding between IT and the business. Most instances of shadow IT originate from a real business need that isn’t currently being met within the organisation’s IT department. Additionally, it is uncommon for employees to be deliberately trying to compromise the integrity of the organisation’s IT systems; they are simply implementing something that they believe will make their lives easier and don’t have the IT security knowledge to appreciate the risks that their actions are causing.
In order to embrace shadow IT and reap the benefits that it can bring, IT departments must make a conscious decision to do a better job of identifying, assessing and managing these once-stealth systems, both to manage their risk to the organisation and to deliver their benefits.
ISN understand the risks involved with this type of creeping infrastructure and have a comprehensive toolset available to detect and prevent unauthorised devices connecting to the network. Cisco’s Identity Services Engine (ISE) is one such example and is perfectly placed to detect and block unauthorised devices at the network layer before they can cause any damage. Enhanced security detection techniques such as posture control, NAC and TrustSec allow security administrators to set security policy in a central location and be confident that the network itself is enforcing that policy.