The Changing Face of Shadow IT

Shadow IT first emerged as a serious challenge for IT leaders with the advent of SaaS services. Even with the rise of smartphones and BYOD, of course the lockdowns caused by the pandemic made people work more remotely using their own devices, but that was another big change.

We may hear less about shadow IT post-pandemic, but this is more about changing news cycles than solving the problem. Enabling people to work securely and conveniently from anywhere using a variety of devices remains a challenge, especially for large and complex organizations.

“BYOD is a real challenge for us and it’s not yet solved,” said Amanda Niblet, IT director at the University of East London, during a session at last week’s Cybersecurity Festival.

The university has 3,000 employees and is provided with secure devices that “flexible for everyone.” Then there are the 26,000 students whose needs were met during lockdown by building a cloud-based environment to isolate their activities from the core network. But the real pain point is multiple partners and employees, most of whom are using their own devices and need access to core services.

Sadly, more restrictions on things that universities can’t control seem to be the solution, Niblet said.

“Install something like Windows Defender on your device or don’t allow access so that your antivirus can monitor what applications you are accessing and when. Big Brother is watching, so that’s the conundrum we’re still trying to solve. It’s a challenge.”

Related issue BYOD UX is how you protect your device without overburdening it. The university uses his MDM software so it can track and lock employee devices, but the problem of unauthorized access still remains.

“We have a policy of short screen locks, so when I get up to go to the bathroom my laptop shuts down as quickly as possible, which is really frustrating,” Niblet said.

University-issued notebooks now have biometric sensors that allow for faster unlocking, but the broader subject is why such frustrating measures are necessary, namely, the periodic Educate people about what kind of training is needed. However, she admitted that the training courses were under-attended, “because, frankly, it’s a boring subject for most people.”

changing boundaries

Training courses are also offered online, but this raises another question of what is IT and what is not IT.

“When you buy training from a company, you buy a SaaS product,” says Niblet. “But it looks like training for the procurement department, so it doesn’t come up as IT. Then all of a sudden I started getting single sign-on requests for this product. We didn’t know.99 out of 10 times, the security of that product turns out to be not what we like.It can be a serious problem.”

Another impact of bypassing IT when purchasing services is unnecessary duplication, he added. The university’s procurement rules were recently updated, but before that faculty always bought products that were already available, they just didn’t know it.

Meanwhile, shadow IT can be a source of innovation and discovery, said Nick Ioannou, head of information security at real estate rental platform Goodlord. Users sometimes find something truly novel and useful.

“Managing 100 SaaS solutions is a nightmare,” he said. “But you can learn from it and it doesn’t have to be all negative.”

Nonetheless, the pandemic has brought a whole new shadow IT problem, Ioanou continued.

“There’s a lot of shadow IT in everyone’s home router. If someone has a really old router, it’s a potential security issue.”

Next is bandwidth. Routers can be shared by other people streaming videos or playing games, making it difficult to work with. “And no one knows who they share the facility with.”

Don’t forget compliance. At one stage, certifications such as Cyber ​​Essentials, which required companies to provide hardware firewalls for permanent telecommuters, have been relaxed to allow software firewalls instead. rice field. Such developments are worth watching, Ioanou said. Of course, that’s another thing to do.

Goodbye office IT?

John Stenton, head of IT at Thrive Homes, longed for the day when he could completely eliminate firewalls in his offices and equip his staff with laptops equipped with 5G SIM cards.

“My priorities are productivity, security, and visibility into what is happening on the device,” he said. “They can work from anywhere on our bandwidth and we are not subject to such restrictions.

“We can get rid of APs and much of their infrastructure, allowing us to work with Starbucks on any network without worrying about unsecured open Wi-Fi points.”

However, this will have to wait until 5G becomes more widespread and laptops become more mature. “5G is getting there. At that point, will the office need IT, or will it just become a gathering place?”

Addressing the modern side of shadow IT requires certain things, especially as more IoT devices emerge. zero trust But Ioanow said everyone has bad days, nothing is 100% safe and things can go wrong.

“The key is to cover all the bases, have visibility and take some remedial action.”