It may sound like a clandestine mission or something out of a crime drama, but Shadow IT is actually a very common, everyday occurrence. And it has been happening in organizations (yours included) for decades.
What is Shadow IT?
Shadow IT is what happens when an IT or security department is kept in the dark while an employee or department makes a change to their hardware or software. It could mean departments are installing their own software, or it could mean a user is making unauthorized changes to the desktop. Employees using cloud services that aren’t company standard, or installing shareware, are also examples of Shadow IT.
More Than Just Hardware and Software
As mentioned above, Shadow IT usually involves hardware and software. But it goes beyond that: your company’s BYOD policy is part of the problem as well. When those endpoints are used to connect to your network, they could pose as much of a risk as installing software or hardware on a corporate desktop without permission.
Basically, any hardware, even old laptops that have been decommissioned or servers in a test environment, that finds its way onto your production network can be considered Shadow IT.
Shadow IT Risks
While there may be the odd employee who follows through on some of the actions described here in a malicious manner, most instances of Shadow IT are non-malicious in nature. As such, it’s vital for an organization to treat these situations like they would a non-malicious threat.
When assessing the risks associated with Shadow IT, we can probably break them down into three groups of costs: financial, human resource, and security. First, if your employees are installing expensive software on their machines and it’s not accounted for, there could be severe and costly repercussions. Remember, large software vendors conduct regular licensing audits, and if your company isn’t up to date, it could put a strain on the business relationship.
The next issue is support. From a software perspective, the best way an IT organization can be successful is by standardizing its toolset. If the IT department were to approve every piece of software or cloud solution that everybody asks for and not standardize on a particular toolset, it becomes almost impossible to support. There are far too many applications, tools and solutions out there — each with its own set of idiosyncrasies — for even the biggest IT departments to keep up on.
Then, of course, there’s the security aspect: those unknown apps, tools or solutions may come with software vulnerabilities. What if installing the software leads to a corruption of the machine? Or worse, what if it corrupts your network?
Having a software/hardware vetting process is crucial for any organization.
Managing (Not Embracing) Shadow IT
The focus of this article is to get companies to embrace the Shadow IT mindset and not the shadow. What does this mean? You’ll never be able to ban it altogether. Shadow IT happens and will always happen. You don’t have to embrace it, but it’s critical that organizations accept that employees sometimes do what they need to do to stay productive, even if it means flying in the face of IT policy.
The question that needs to be answered is: How can we minimize it and make it safe? If options are provided, standards are set, and the message is clear and not too restrictive, a feasible balance can often be achieved.
Take Dropbox, for example. You could set the security settings to prevent users from sharing documents outside of the company. While this stops users signed in to the corporate account, what about the people who are using a free or personal Dropbox account? It can’t be locked down.
Addressing issues like this is the low-hanging fruit.
Generally speaking, however, managing Shadow IT boils down to maintaining visibility of all these endpoints. I love the fact that even if you don’t have policies in place, you can deploy software today to do all the monitoring of your environment.
Embrace Creativity, Not Shadow IT
Look, every organization has people coming in from all different cultures, companies and countries who have great ideas they can bring to the table. Maybe an idea starts in a garage in San Jose, or on a user’s unauthorized laptop, and ends up being a project or product that the company eventually puts into production. I’ve seen it over and over again.
What we don’t want to do is squelch people’s creativity and thinking.
The problem becomes: how do you turn that energy into something positive? It’s tough, because unless you’re going to create a totally sandboxed environment that’s safe for people to play around in (and we do recommend this), there’s not much you can do to stop Shadow IT from happening.
Try embracing the creativity while having the right discussions with people. No matter who you are or where you fit in your organization, with the right toolset you can have visibility and understand the risks.