The core of strategic IT decision-making relies on an accurate and complete global data map and an equally accurate and comprehensive asset map. Sadly, no company has either today and, frankly, probably never did.
Complete visibility into everything IT-related has always been a problem, and as the corporate landscape has changed in recent years, IT's old nemesis, shadow IT, remains a major reason why.
This problem has gotten worse over the last few years for several reasons. Beyond the growth of IoT and OT devices, and partners and customers gaining network privileges, the biggest change is the avalanche of home offices and the lack of consistency and standards across those remote sites. Routers can be from any vendor and attached to any carrier. Hardware firewalls may or may not exist, and even if they do, they may or may not be patched. Most home LANs are wide open, and everyone in the household (and whoever they invite over) is allowed access.
Beyond hardware, software, and device issues, the very definition of shadow IT has changed from a decade ago. The original definition was an employee who bought technology elsewhere to work around IT, such as buying a router from Target or renting space in the cloud from Amazon, Microsoft, or Google. It meant an employee or contractor, and the usual reason was that IT took too long to respond to and act on a request. It was easier for employees and contractors to get what they needed in minutes by simply pulling out a Visa card.
If a supplier adds something to a system and doesn't mention it, what should we call that? It happened to a large manufacturer when line equipment started to fail. While waiting for the vendor's repair technician, workers removed a panel and found a microphone with a small antenna attached. It turned out that the vendor had added its own IoT devices during a previous upgrade, but hadn't mentioned the change to the customer at all.
In other words, there was IoT hardware on the factory floor that the corporate IT department was completely unaware of. Is that shadow IT? What if a facilities maintenance worker starts installing IoT light bulbs and door locks without permission from IT and security?
Here is my favorite: what if a strategic business partner mandates a particular system, software package or device?
“Because partnerships involve more digital connectivity, IT departments are discovering people using VPNs, cloud storage, and anything else that partners need but that the organization has not approved,” said Bob Hansmann, senior product marketing manager for security at Infoblox.
Should corporate employees report that to the IT department? Should the partners? As you can imagine, there is access to and interaction with the company's sensitive intellectual property, even though no one has reported it to the IT department. Is the interaction with that particular partner shadow IT?
Worse, what happens when the company and the partner have diametrically opposed policies? What if the partner's team insists that everyone use Dropbox for the project because its IT department bans Google? Such bans may be in place for competitive reasons, such as when the partner competes with Google in other product areas or geographies.
Contract negotiations rarely spell out those kinds of details.
There are ways to uncover shadow IT efforts, but its changing nature makes such techniques less effective. One approach is DNS monitoring: watch the queries coming from inside the enterprise for services that IT has not approved, since almost every SaaS or cloud tool has to be resolved before it can be used. A less geeky approach is simply to have IT work with accounts payable to audit expense reports regularly, looking for technology purchases that should have gone through IT.
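As an added illustration of both of those discovery techniques (example code, not from the article or any of the vendors quoted in it), the script below runs a catalog-and-allowlist check over DNS query log lines and a vendor-pattern check over an accounts-payable export. The log lines, the expense rows, the SaaS catalog, the vendor patterns and the sanctioned-app list are all constructed assumptions; in practice the catalog would come from a CASB or threat-intel feed and the allowlist from IT's own records.

```python
# Added example (not from the article): two shadow-IT discovery checks.
# 1. DNS query logs matched against a SaaS catalog and a sanctioned-app list.
# 2. Expense-report rows matched against known technology vendors.
# Every log line, CSV row, domain, vendor pattern and the sanctioned list
# below is a constructed assumption for illustration only.
import csv
import io
import re
from collections import defaultdict

SANCTIONED_APPS = {"Microsoft 365", "OneDrive", "SharePoint", "Zoom"}  # assumed

# Assumed SaaS catalog (domain suffix -> app name).
KNOWN_SAAS_DOMAINS = {
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "onedrive.com": "OneDrive",
    "sharepoint.com": "SharePoint",
    "zoom.us": "Zoom",
    "api.openai.com": "OpenAI API",
}

# Assumed vendor-name patterns for the expense-report check.
VENDOR_PATTERNS = [
    (re.compile(r"dropbox", re.I), "Dropbox"),
    (re.compile(r"amazon web services|\baws\b", re.I), "AWS"),
    (re.compile(r"\bzoom\b", re.I), "Zoom"),
]

# Constructed BIND-style query log lines.
SAMPLE_DNS_LOG = """\
12-Apr-2023 09:01:02.100 client 10.0.4.17#51234: query: www.dropbox.com IN A
12-Apr-2023 09:02:10.003 client 10.0.4.22#49001: query: teams.microsoft.com IN A
12-Apr-2023 09:02:11.500 client 10.0.4.22#49002: query: example.sharepoint.com IN A
12-Apr-2023 09:03:44.812 client 10.0.4.31#55555: query: drive.google.com IN A
12-Apr-2023 09:04:01.000 client 10.0.4.31#55560: query: api.openai.com IN A
12-Apr-2023 09:05:30.730 client 10.0.4.17#51300: query: www.dropbox.com IN AAAA
"""

# Constructed accounts-payable export.
SAMPLE_EXPENSES = """\
employee,vendor,amount,memo
alice,Dropbox Inc,119.88,team storage for project files
bob,Olive Garden,45.10,client lunch
carol,AMAZON WEB SERVICES,312.40,test environment
dave,Zoom Video Communications,149.90,webinar add-on
erin,Staples,62.00,printer paper
"""

DNS_QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def classify_qname(qname):
    """App for a query name by longest matching catalog suffix, else None."""
    qname = qname.rstrip(".").lower()
    best = None
    for domain, app in KNOWN_SAAS_DOMAINS.items():
        if (qname == domain or qname.endswith("." + domain)) and (
            best is None or len(domain) > len(best[0])
        ):
            best = (domain, app)
    return best[1] if best else None

def dns_findings(log_text):
    """Unsanctioned SaaS apps seen in the log -> set of client IPs resolving them.
    Names outside the catalog are ignored: a raw query is not evidence by itself."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        app = classify_qname(m.group("qname"))
        if app and app not in SANCTIONED_APPS:
            seen[app].add(m.group("ip"))
    return dict(seen)

def expense_findings(csv_text):
    """Expense rows whose vendor is a known technology vendor. A sanctioned app
    bought on a personal card still bypassed procurement, so every match is
    returned, flagged with whether the app itself is approved."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for pattern, app in VENDOR_PATTERNS:
            if pattern.search(row["vendor"]):
                findings.append({
                    "employee": row["employee"],
                    "vendor": row["vendor"],
                    "app": app,
                    "amount": float(row["amount"]),
                    "sanctioned": app in SANCTIONED_APPS,
                })
                break
    return findings

if __name__ == "__main__":
    for app, ips in sorted(dns_findings(SAMPLE_DNS_LOG).items()):
        print(f"DNS: unsanctioned {app} resolved by {sorted(ips)}")
    for f in expense_findings(SAMPLE_EXPENSES):
        status = "approved app, bypassed procurement" if f["sanctioned"] else "UNSANCTIONED"
        print(f"Expense: {f['employee']} -> {f['vendor']} ${f['amount']:.2f} ({f['app']}: {status})")
```

Two design points matter more than the code itself. The DNS check only reports names that map to a catalogued application, because a query to an unknown host is not evidence of anything on its own; and the expense check reports sanctioned vendors too, because a Zoom add-on bought on a personal card still escaped licensing and procurement even though the app is approved. Neither check helps with the free, no-transaction SaaS tools discussed below, which is exactly the gap the next section describes.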
Dirk Hodgson, director of cybersecurity at NTT Australia, said: “It’s hard to use technology for this because it’s not easy to define personal versus business use. OneDrive, for example, could be both.” And considering that most shadow IT consists of SaaS and web applications, many of which are free or open source, the problem becomes even bigger, Hodgson said: often there is not even a financial transaction by which to identify it.
“As an example of scale, one relatively small financial services customer I work with (less than 1,000 seats) shows about 4,500 applications in the tool they use to scan their environment for applications,” Hodgson said. Finding the shadow IT apps in that haystack is a real job. If someone accesses their personal Google Drive at work, is it shadow IT or just a personal app?
“It’s not practical to ask users to check everything all the time,” he said. “However, failing to do so and simply blocking access can result in a painful user experience and an inability to perform legitimate business functions.”
Hodgson argued that trying to block or directly defeat shadow IT is unlikely to work. A better approach, he said, is to address the underlying problem: make IT more responsive, efficient, and cost-effective, leaving little reason for end users to go their own way.
“We had a customer spend a lot of money to buy a low-code, rapid application development platform and hire the people it needed,” says Hodgson. “The business then had access to both for new applications that a business domain needed, at a very low cost, saving them the hassle of migrating to other applications.”
Hansmann argued that another reason end users are drawn to shadow IT is a lack of awareness that certain tasks require certain tools.
“Users often don’t know the right tool; they are usually more familiar with a similar tool and prefer theirs,” says Hansmann. “Alternatively, there are certain unauthorized tools requested by a business partner, such as ‘use our VPN or authentication software to access our resources.’”
Another problem is that IT tends to be cynical and paranoid, and for good reason, and has characterized all shadow IT efforts as “users consciously trying to escape the visibility and control of their company/government in order to do something unethical, illegal, etc.,” he argued. “We can no longer afford to treat every violation as if that were a fact. History has shown that the majority of shadow IT violations are easy to fix without alienating valuable employees who were trying to do the right thing.”
Rex Booth, CISO of identity vendor SailPoint, said the problem could very well get worse.
“The prevalence of shadow IT has traditionally been correlated with how quickly business units can deliver results by avoiding the CIO,” Booth said. “When SaaS came along, the speed gap widened and the prevalence of shadow IT skyrocketed. The big question now is what impact generative AI will have.
“If business units can generate custom apps in days, do you think they’ll wait for a formal IT process? This is going to get big fast.”
Another scary consideration: how serious is your company about enforcing its shadow IT rules? In most companies, IT talks a good game and declares shadow IT efforts banned. However, no meaningful punishment is ever handed out when those rules are violated. What message does that send to end users?
Is the company ready to sanction a senior manager of great value to the company for circumventing controls with shadow IT services? Does it even want to?
Alan Brill, senior managing director of Kroll's cyber risk practice, said: “How companies deal with misuse of their IT services should consider the need for deterrence. People need to understand that there can be substantial penalties.” Otherwise, he suggested, it may just motivate people to look for new ways to get around the system, because they don't believe that whatever they're doing will have serious consequences if they get caught.
“I think this is a topic that corporate IT, HR, and legal departments should discuss together,” Brill said. “If you want to get serious about stopping shadow IT, you have to make breaking the rules painful.”
Copyright © 2023 IDG Communications Inc.
https://www.computerworld.com/article/3697788/the-shadow-it-fight-2023-style.html The Battle of Shadow IT — 2023 Style