The security and risk management of shadow IT

The devil you know is better than the devil you don't know

Most would agree that we in the information security industry are fighting an uphill battle. Many have even taken the extreme position that we cannot keep intruders out of our networks, so we should give up and focus on containment, an argument I strongly objected to in an earlier post, "Are we surrendering the cyberwar?" Regardless of your position on how best to control the threat, I think you will agree that it is a difficult problem to address.

In the world of corporate IT, I have seen a definite shift toward better focus on network security, vulnerability management and governance. We are having success in locking networks and data down, even as more improvement is needed. Even as we succeed in deploying better security controls for the assets we know about, we are facing a growing threat from within — the challenge of shadow IT.

According to Techopedia, the term "shadow IT" "is used to describe IT solutions and systems created and applied inside companies and organizations without their authorization." The phenomenon usually begins with an enterprise department or team getting frustrated with the IT department's perceived inability to deliver what they think they need, when they think they need it. As a result, they go off and do their own thing, usually without the knowledge of IT. The problem usually continues with IT unaware, until technical problems develop, or until integration with other corporate applications is needed. When IT is brought into the loop by users now needing help, it is not usually viewed as a pleasant surprise by the CIO or IT director.

According to a recent study by Cisco, surveyed CIOs reported that, on average, there are 51 cloud services running in their organizations. Cisco determined, however, based on data analysis, that the number is closer to 730. They found that those services typically fell into the software-as-a-service and infrastructure-as-a-service categories. The reasons for this could fill a small book, but the fact is they are out there, and must be considered from the perspective of security controls.

I am a fan of the old saying "ignorance is bliss," but it certainly does not apply in the case of shadow IT. Ultimately, IT is responsible for the technology within the organization, even that which it doesn't know about. That may seem unfair, but it is reality. If there is a security breach or audit failure, the IT head will be summoned to the CEO's office, regardless of the source.

The challenge for corporate IT, therefore, is to find and secure such applications. I perceive that many IT heads are reluctant to apply the necessary controls, because they want to avoid the conflict, especially when faced with the fact that they don't have the resources to handle all of the requests that such controls would generate. I would suggest, however, that the risks posed by such systems are far greater than the probable backlash resulting from their control. Perhaps it is just me, but I would rather be fired for doing my job than to work in a conflict-free company, just waiting for that call from the CEO.

If you have read this far looking for a solution to the problem of shadow IT risk, you may be somewhat disappointed. I don't have the solution. I do, however, have some practical suggestions to help:

Monitor outbound traffic

One of the best ways to know what is going on within your network is to monitor outbound traffic. Firewalls are used most often to control inbound traffic, with outbound data often being ignored. If you set your firewall to keep a detailed outbound log and look at where the traffic is going, you will quickly be able to identify some of the applications you did not know about. If, for example, Box is not an authorized corporate application, and the log shows traffic to that site, you may have a problem. With a little detective work, you will be able to identify the guilty users. A brief chat with these folks can produce positive results.

Control outbound traffic

In my opinion, the control of outbound traffic is one of the most valuable and overlooked approaches to security management. I contend that it is just as important to control outbound traffic as it is to control the traffic that is coming in. I was reminded of the importance of outbound control a few weeks ago, when I discovered a malware infection in a customer network by looking at the outbound traffic I had blocked on the firewall.

Admittedly, outbound control is a challenge, given that so many of the popular Web applications require only the basic Web ports to function. A Google search will often provide a means of doing this for popular applications, this article on blocking Dropbox being a good example.

As I said, blocking traffic will bring some user backlash, but it will at least prompt a discussion that will allow IT to have input into the risk management aspects of these applications.
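The two steps above, reviewing the outbound log for destinations that are not sanctioned and turning the findings into a list to discuss before any egress rules are added, can be scripted. The following is an added example written for this post, not the author's code or any vendor's tool. The log format, the sample log lines and the allowlist of sanctioned services are all constructed placeholders; a real deployment would feed it the firewall's own outbound log and the organization's own list of approved applications, and would replace the two-label domain collapsing with a proper public-suffix list.

```python
"""Triage an outbound firewall log for unsanctioned cloud services.

Added example for this post (not the author's code): the log format, the
sample lines and the allowlist below are constructed placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed log format: "<date> <time> <ALLOW|DENY> src=<ip> dst=<host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<host>[\w.-]+):(?P<port>\d+)$"
)

# Placeholder allowlist of sanctioned services (assumption, not from the post).
SANCTIONED = {"mail.example-corp.com", "crm.example-corp.com", "salesforce.com"}

# Constructed sample outbound log, including a denied line and a malformed one.
SAMPLE_LOG = """\
2016-03-01 09:12:01 ALLOW src=10.1.4.22 dst=app.box.com:443
2016-03-01 09:12:05 ALLOW src=10.1.4.22 dst=mail.example-corp.com:443
2016-03-01 09:13:10 ALLOW src=10.1.7.9 dst=www.dropbox.com:443
2016-03-01 09:13:11 ALLOW src=10.1.7.9 dst=api.dropboxapi.com:443
2016-03-01 09:14:00 ALLOW src=10.1.4.22 dst=app.box.com:443
2016-03-01 09:15:30 DENY src=10.1.9.3 dst=www.dropbox.com:443
2016-03-01 09:16:00 ALLOW src=10.1.2.8 dst=login.salesforce.com:443
malformed line that the parser skips
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels (app.box.com -> box.com).
    Simplification: a real deployment would consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_sanctioned(host):
    """A host is sanctioned if it, or its registered domain, is on the allowlist."""
    host = host.lower()
    return host in SANCTIONED or registered_domain(host) in SANCTIONED


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_unsanctioned(text):
    """Return {registered_domain: {src_ip: connection_count}} for traffic the
    firewall ALLOWED to services not on the allowlist. DENY lines are skipped:
    that traffic is already controlled, so it needs no discussion."""
    report = defaultdict(Counter)
    for rec in parse_log(text):
        if rec["action"] != "ALLOW":
            continue
        if not is_sanctioned(rec["host"]):
            report[registered_domain(rec["host"])][rec["src"]] += 1
    return {dom: dict(c) for dom, c in report.items()}


def deny_candidates(text):
    """Sorted registered domains to raise with their users before any egress
    rule is written; the output is a discussion list, not a rule set."""
    return sorted(find_unsanctioned(text))


if __name__ == "__main__":
    for dom, sources in find_unsanctioned(SAMPLE_LOG).items():
        print(dom)
        for src, n in sorted(sources.items()):
            print(f"  {src}: {n} connection(s)")
    print("candidates for egress rules:", deny_candidates(SAMPLE_LOG))
```

Run against the constructed sample, the script reports box.com (two connections from 10.1.4.22), dropbox.com and dropboxapi.com (one each from 10.1.7.9), while the Salesforce login and the internal mail host are recognized as sanctioned. Grouping by registered domain rather than by full hostname matters because one application typically uses several hostnames (the Dropbox client and its API endpoint here), and reporting per source address gives IT the list of people to talk to before the firewall rule goes in.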


User awareness

All of us in corporate IT have had to deal with the user who knows the risks and is willing to ignore them. There are others, however, who simply don't understand the exposures. The issue of shadow IT should be a part of any security awareness program.

Enlist executive help

It has been my experience that a corporate executive who fully understands the risks of shadow IT will, in most cases, be willing to help with its control. A corporate edict from the CEO with a comment about sanctions will go a long way toward controlling the problem. You may just leave the meeting with a commitment to additional resources as a bonus.

Bottom line: Work to control the issue of shadow IT before it controls the fate of your job.


Stories by Robert C. Covington
