Shadow IT is undermining your security

Once upon a time, not so long ago, the IT admin chose exactly what hardware and software employees would use. Recent trends like the consumerization of IT and BYOD (bring your own device) have shifted the balance of power, but IT still has to maintain some degree of control over which applications are used and where sensitive data is stored. Many users simply download apps or start using unsanctioned services, though, and introduce unnecessary security risk through "shadow IT."

McAfee sponsored a study by Frost & Sullivan to investigate the scope and impact of shadow IT, specifically SaaS (software-as-a-service) applications that employees use without the knowledge or consent of IT, or sometimes in direct contradiction of established IT policy. The study focuses on apps used for work functions, not games or personal services.

That distinction is important, because it gets to the crux of the issue. Sure, employees will spend time updating Facebook, shopping on Amazon, or killing time with Angry Birds. Those are all activities that should be governed by IT policy and monitored in some way by the IT admin. However, when an employee identifies a legitimate need that isn't being met by the approved applications and services, and goes rogue to find his or her own solution, it's in the organization's best interests to understand why and figure out how to meet the need, rather than just blocking access or banning the service.


Shadow IT adds risk and potentially exposes the network or company data to compromise. The worst part is that the IT admin is often not even aware that shadow IT apps are in use, which ones are being used, or by whom, so the risk cannot be assessed, let alone effectively mitigated.

The Frost & Sullivan study found that 80 percent of the respondents admit to using non-approved SaaS applications to get their jobs done. That's four out of five employees using apps the IT admin is not even aware of. Based on feedback from the respondents, it seems that a third or more of the apps that are used are actually acquired and used without the consent or oversight of IT.

These aren't malicious attempts to circumvent policy or subvert the authority of the IT admin. In most cases, users are simply trying to get their jobs done in the most effective and efficient way they can. If they identify a need and find a SaaS tool that helps them get the job done, they just do what they have to do to fill the need.

The shadow IT problem is exacerbated by the blurry line and widespread confusion over "ownership" now that most users mix business and personal apps and data on their devices, and in many cases the employee owns the laptop, tablet, or smartphone in question. Without a clear understanding, and a clearly defined policy governing adoption of SaaS apps, users may not even realize they're doing anything "wrong."

There are a few things that organizations can do to minimize shadow IT and address the risks associated with rogue SaaS apps. First, establish a SaaS policy and make sure users are educated and understand what is acceptable and what is not.

Second, monitor network and Web traffic (proxy and DNS logs are the usual starting point) to identify rogue SaaS apps, and find out who is using them. Assess whether each app exposes the network or company data to undue risk, and mitigate the security concerns you find.

Third, work with the users to understand the root of the problem. Find out what the rogue SaaS app does that helps employees get their jobs done, and how or why those functions aren't addressed by the approved apps. If the shadow IT tool is too big a security risk, work with users to find a suitable replacement that meets the need and complies with company IT and security policies at the same time.
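The monitoring step above, as an added example that is not from the article or the study it describes: a small Python script that aggregates web-proxy log lines by destination host, drops everything on IT's allowlist, and reports which users are sending how much data to which unsanctioned SaaS hosts, with personal services like Facebook kept in a separate bucket so the work-related shadow apps stand out. The log format, the allowlist, the personal-service list and the sample log lines are all constructed assumptions; real deployments would read the proxy's or CASB's own export format.

```python
"""Spot unsanctioned SaaS use in web-proxy logs.

Added example, not code from the article. It assumes a simplified
proxy log with whitespace-separated fields

    <epoch> <user> <method> <url-or-CONNECT-target> <status> <client-bytes>

and a short allowlist of sanctioned SaaS domains maintained by IT. Both
the format and the allowlist are hypothetical.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist: domain suffixes of SaaS that IT has approved.
SANCTIONED = {"example-corp.com", "sharepoint.com"}

# Personal services the article mentions; reported separately so the
# work-related shadow apps, which are the real question, stand out.
PERSONAL = {"facebook.com", "amazon.com"}

# Constructed sample log, not real traffic. Hostnames use reserved
# example TLDs.
SAMPLE_LOG = """\
1700000000.123 alice GET https://mail.example-corp.com/inbox 200 512
1700000001.456 bob POST https://api.cloudfilesync.example/upload 200 1048576
1700000002.789 alice GET https://www.facebook.com/ 200 2048
1700000003.012 carol POST https://api.cloudfilesync.example/upload 200 524288
1700000004.345 bob GET https://notes.quickwiki.example/page/1 200 4096
1700000005.678 carol GET https://crm.example-corp.com/leads 200 8192
1700000006.901 dave POST https://api.cloudfilesync.example/upload 403 0
1700000007.234 erin CONNECT files.dropzone.example:443 200 65536
"""


def host_of(target: str) -> str:
    """Hostname from a full URL, or from a CONNECT 'host:port' target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def matches(host: str, suffixes) -> bool:
    """True if host equals, or is a subdomain of, any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, target, status, nbytes = parts
    try:
        return {
            "ts": float(ts),
            "user": user,
            "method": method.upper(),
            "host": host_of(target),
            "status": int(status),
            "bytes_out": int(nbytes),
        }
    except ValueError:
        return None


def _new_entry():
    return {"users": set(), "requests": 0, "uploads": 0, "bytes_out": 0}


def find_shadow_saas(log_text, sanctioned=SANCTIONED, personal=PERSONAL):
    """Aggregate traffic to every host not on the allowlist.

    Returns {"unsanctioned": {host: entry}, "personal": {host: entry}}.
    Each entry has sorted 'users', 'requests', 'uploads' (POST/PUT, i.e.
    data leaving the organisation) and total 'bytes_out' from clients.
    For CONNECT tunnels the byte count is the whole tunnel, so it is an
    upper bound on what was uploaded.
    """
    buckets = {"unsanctioned": defaultdict(_new_entry),
               "personal": defaultdict(_new_entry)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or matches(rec["host"], sanctioned):
            continue
        kind = "personal" if matches(rec["host"], personal) else "unsanctioned"
        entry = buckets[kind][rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["uploads"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return {kind: {h: {**e, "users": sorted(e["users"])} for h, e in hosts.items()}
            for kind, hosts in buckets.items()}


def rank_by_bytes_out(report):
    """Unsanctioned hosts ordered by data sent to them, most first."""
    return sorted(report["unsanctioned"].items(),
                  key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    rep = find_shadow_saas(SAMPLE_LOG)
    for host, e in rank_by_bytes_out(rep):
        print(f"{host:32} users={','.join(e['users'])} "
              f"requests={e['requests']} uploads={e['uploads']} bytes_out={e['bytes_out']}")
```

Ranking by bytes sent rather than by request count puts the file-sync service that three people are uploading to at the top, which is the case where company data is actually leaving the organization; a wiki that one person reads is lower risk and a better candidate for the "talk to the user" step than for an outright block. Suffix matching on the allowlist is deliberately strict (a host must equal or end in `.` plus the approved domain) so that look-alike hosts such as `example-corp.com.evil.example` are not waved through.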

Stories by Tony Bradley
