Shadow IT is a term often used to describe a situation where IT systems (applications, software, devices, cloud services and similar solutions) are used within an enterprise without the knowledge or approval of the business. This presents a security and operational risk to the business, given that it bypasses the organisation’s standards, processes and procedures, including its configuration, licensing setup, security controls, documentation and implementation standards. More serious scenarios could jeopardise an organisation’s ability to comply with industry regulations such as data protection, PCI or even SOX. Imagine a serious breach relating to software the IT department wasn’t even aware of!
According to Gartner, by 2017 the Chief Marketing Officer will spend more on IT than the CIO. You can imagine many cases where the IT department may not even understand what the marketeers are using.
This lack of visibility and control can be quite startling. Poorly developed software is a well-publicised route for attack. Software developed within the business, perhaps inside marketing or HR because someone “knew programming”, can present a real security risk. A quickly knocked-up web page could expose the business to SQL injection, authentication bypass or similar conduits for attack. Perhaps more seriously, these holes could enable lateral movement within the enterprise and subsequently serve as an entrance for APTs.
Outside of software itself, the general challenge of Shadow-IT is common, even in large enterprises:
- Someone in HR wants to undertake a new form of employee appraisal. Rather than approach IT, they sign up for an online HR service (based in the US) and subsequently import all of the organisation’s HR data into the cloud. This contravenes the organisational security policy, and IT are completely unaware of the breach.
- A member of staff is going on leave but wants to work whilst they are away. They bring the proposals, quotes and price-lists with them on a USB stick.
- An executive uses a cloud service such as Dropbox or Box to sync his documents between his workstation, business laptop and home PC. He later leaves the company, taking its business plans, quotes and customer contact list with him.
- The head of business development has an Android smartphone with e-mail, provided by the company. He installs Instagram and his 8-year-old daughter chooses to invite all of his business contacts to follow him.
These are all examples of Shadow-IT.
How to control it
Fortunately there is a range of technical solutions that can limit the scope for Shadow-IT applications in the enterprise. Most of these are best practice, but many organisations are not aware of the risks.
Staff handbook and Security Policy
These two documents should specifically address the risk of Shadow-IT. Set out the accepted behavior, the IT usage policies, approved software and examples of prohibited activity. Any breach becomes a disciplinary issue, potentially gross misconduct. It is important these policies are clearly communicated to all staff members, and their acknowledgement sought.
Group policy and policy enforcement
If you do not allow your staff to install custom software, develop group policies that enforce these restrictions on their workstations and laptops. Active Directory has long supported the ability to “lock down” user access on PCs; there is simply no excuse for allowing the indiscriminate installation of software by ordinary users.
Mobile Device Management (MDM)
MDM does for mobiles what group policy does for workstations: it can enforce a comprehensive range of device policies for your mobile workforce. MDM solutions generally come in two forms. The first locks down the user’s device, preventing them from installing applications and undertaking certain activities. The second creates a secure sandbox environment on the phone that keeps corporate data and contacts separate from the personal components of the phone, drawing a clear line between work and pleasure. MDM also enables secure wipe, device location and other features such as mobile AV.
Web filtering
This is a fairly self-explanatory solution. Web filtering can control and block access to websites that are potential sources of Shadow-IT or data leaks. Cloud platforms such as Dropbox and Box, online CRM systems, accounts systems and similar websites can be blocked.
Network Data Loss Prevention (DLP)
Network DLP attempts to identify sensitive data in transit. This could be staff deliberately setting out to steal data, unwittingly sharing corporate data, or using unauthorised cloud applications. DLP identifies key patterns in data (e.g. “confidential”, “account-number”, “customer x”) and alerts the administrators if such a pattern is detected traversing the network.
Many companies embed watermarks in their confidential documents. Others create “dummy” customers on their systems: if the DLP device sees a packet containing the “dummy” customer leaving the organisation, something is amiss.
Network DLP can take the form of a dedicated appliance or is often integrated into a firewall such as the Fortinet NGFW devices.
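The two network DLP techniques above (keyword patterns and a planted “dummy” customer) in miniature, as an added example that is not code from the original post or from any DLP vendor. The outbound records, the internal host suffix, the dummy customer name and the rule set are all constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample of outbound records (destination host, payload), standing in
# for what a network DLP sensor would see as traffic leaves the perimeter.
OUTBOUND = [
    ("mail.example.com", "Q3 forecast attached. Regards, Sam"),
    ("sync.cloud-storage.example", "CONFIDENTIAL - board pack draft v3"),
    ("crm.saas.example", "customer=Northwind Canary Ltd;account-number=ACME-CANARY-7741"),
    ("intranet.corp.local", "Confidential: internal pay review"),  # stays inside
]

# Assumed host suffixes treated as inside the organisation; anything else is "leaving".
INTERNAL_SUFFIXES = (".corp.local",)

# Dummy customer planted in the CRM as a canary (constructed value, per the article).
DUMMY_CUSTOMERS = {"Northwind Canary Ltd"}

# Keyword rules of the kind the article describes: classification markings and
# account-number style identifiers. Case-insensitive.
PATTERN_RULES = {
    "classification-marking": re.compile(r"\bconfidential\b", re.I),
    "account-number": re.compile(r"\baccount-number\s*[=:]\s*[A-Z0-9-]{6,}", re.I),
}

Alert = namedtuple("Alert", "destination rule match")

def is_internal(host: str) -> bool:
    return host.endswith(INTERNAL_SUFFIXES)

def scan(records):
    """Return one Alert per rule that fires on a record leaving the organisation."""
    alerts = []
    for dest, payload in records:
        if is_internal(dest):
            continue  # internal transfers are out of scope for these rules
        for name, rx in PATTERN_RULES.items():
            m = rx.search(payload)
            if m:
                alerts.append(Alert(dest, name, m.group(0)))
        for dummy in DUMMY_CUSTOMERS:
            if dummy.lower() in payload.lower():
                # the canary has no legitimate reason to leave: high-confidence alert
                alerts.append(Alert(dest, "dummy-customer", dummy))
    return alerts

if __name__ == "__main__":
    for a in scan(OUTBOUND):
        print(f"ALERT {a.rule:22} -> {a.destination}: {a.match}")
```

The keyword rules will produce false positives on ordinary business traffic, whereas the dummy customer should never appear outside the organisation, which is why the two are worth running together.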
Device Data Loss Prevention (DLP)
Device DLP also identifies data in transit, but rather than data moving across the network, it controls and monitors data being copied to or from USB devices. Administrators can choose to disable USB ports, allow only certain devices, or permit only certain types of file to be copied to or from the device. This gives an organisation a bird’s-eye view of every file copy operation across the whole organisation. Some businesses choose to disable USB outright, whilst others allow permitted use.
Advanced USB DLP solutions maintain an audit trail (and a copy of the files) of everything copied to or from removable media across the whole organisation. This provides a vital record in the event of a disciplinary or data-leak investigation.
Shadow IT has been a challenge facing IT departments for many years. The advent of mobile, cloud services and portable computing presents a new challenge: the ability to monitor and enforce policy for a workforce that will often sit outside the enterprise IT environment. Fortunately there is a range of solutions that can help an enterprise monitor, control and safeguard its systems against Shadow-IT, data leaks and similar vulnerabilities.