Difference between revisions of "Shadow IT"

Revision as of 20:05, 27 August 2019

Definition - What is Shadow IT[1]

Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the term "Stealth IT", to describe solutions specified and deployed by departments other than the IT department. Shadow IT is considered by many an important source of innovation, and such systems may turn out to be prototypes for future approved IT solutions. On the other hand, shadow IT solutions are often not in line with the organization's requirements for control, documentation, security, reliability, etc., although these issues can apply equally to authorized IT solutions.

The consequence of stealth IT is that it exposes the company to both security and legal risks. Unfortunately, IT often does not discover stealth IT until it has already caused significant damage, by which point it is a much bigger problem to fix. The IT department loses control of activities and services in the organization, and sysadmins often find themselves solving issues they originally had nothing to do with.


Shadow IT Technologies[2]

Here are some common stealth or shadow IT technologies that may already exist in your company.

  • Online/Cloud Storage: With the numerous online or cloud-based storage services such as Dropbox, SkyDrive, and Google Drive, users have quick and easy ways to store files online. They can sync them between computers, access data from anywhere, and easily install and use the client on personal devices.
  • Free File Transfer: Company email accounts generally limit attachment sizes. Users frequently need to exceed these limits and find a workaround in external file transfer sites that offer a free service. Online services such as YouSendIt or Dropbox let a user upload large files to the provider's servers and then send a download link to anyone; the file now sits on a third party's infrastructure, and whoever holds the link can fetch it.
  • Personal Email Accounts: Companies require their employees to conduct business through the corporate email system. However, users frequently use their personal email (Hotmail or Gmail accounts) because they want to attach large files, connect from their personal devices, or think the company email is too slow.
  • Cloud-based IP Telephony services: Employees often use cloud-based IP telephony services such as Skype or Google Voice to communicate with others both inside and outside the organization. The problem is that contacts and conversation history live in the employee's personal account, so the company stands to lose data or valuable customer information once the employee leaves.
  • Website Hosting: When an employee goes completely outside IT to put up a project or department website with a third-party hosting provider, there comes a point when that employee leaves the organization. Nobody is left to maintain the site, the subscription expires, and the site goes down.
  • Infrastructure/Hardware Purchase: Companies employ hardware standards to keep support manageable across the organization, but problems occur when an executive makes their own hardware purchase and expects IT to support it. The same happens with infrastructure: application development departments use Amazon Web Services (AWS) to have production environments ready in less time than their own IT processes would take.


Establishing Policies Around Shadow IT[3]

A critical first step in dealing with Shadow IT is to map the organization's global IT landscape according to the impact that each family or group of resources, or each individual resource, could have on the core business. The CIO needs to list and classify the known shadow IT resources available on the market into three categories: Sanctioned; Authorized (not sanctioned, but tolerated because the risk is low); Prohibited (not sanctioned and dangerous). This is a corporate matter, not merely a technical one, which is why it belongs with the CIO; and because it affects people and their motivation, as well as potentially business-critical processes and information, the policy should typically be defined and sponsored at board level. Some key questions need to be settled, such as:

  • Since by law some information on an employee's workstation (such as personal emails) may be that employee's property, should the company classify the workstation environment accordingly?
  • Is an employee entitled to use any tool they find suitable to boost their productivity, provided it poses no risk to the corporation? If so, what registration and approval process must be followed?
  • How likely are employees to comply with a prohibition, and what is the impact if they do not? It is pointless to have someone spend hours working around a prohibition instead of doing their work.
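As an added example that is not part of any of the cited sources: the three-tier classification above only becomes useful once it is applied to what is actually on the network. The Python script below reads a constructed web-proxy log, assigns each destination host to a tier (sanctioned, authorized, prohibited, or unknown) by longest-suffix match against a hypothetical policy register covering the services named in the Shadow IT Technologies section, and produces a review queue of unknown hosts plus prohibited hosts with significant upload volume. The log format, hostnames, user names and tier assignments are all constructed for illustration; a real deployment would load the register maintained by the CIO and read the organization's own proxy or DNS logs.

```python
"""Measure the scope of shadow IT from a web-proxy log.

Added example, not from the cited sources. Applies the three-tier
classification (sanctioned / authorized / prohibited) to hosts seen in a
proxy log and surfaces what needs review. Log format, hostnames and tier
assignments are constructed for illustration.
"""
from collections import defaultdict

# Hypothetical policy register: registrable domain -> tier. The tiers assigned
# here are illustrative only; a real register comes from the CIO's review.
POLICY = {
    "sharepoint.com": "sanctioned",
    "dropbox.com": "authorized",
    "drive.google.com": "authorized",
    "skype.com": "authorized",
    "mail.google.com": "prohibited",   # personal email
    "hotmail.com": "prohibited",       # personal email
    "yousendit.com": "prohibited",     # free file transfer
}
TIERS = ("sanctioned", "authorized", "prohibited", "unknown")

# Constructed proxy log: timestamp, user, method, destination host,
# bytes sent by the client (the direction that matters for data leaving).
SAMPLE_LOG = """\
2019-08-27T09:01:12Z alice POST www.dropbox.com 2048576
2019-08-27T09:03:40Z bob   POST mail.google.com 51200
2019-08-27T09:05:02Z alice GET  corp.sharepoint.com 1024
2019-08-27T09:07:19Z carol POST upload.yousendit.com 73400320
2019-08-27T09:09:55Z bob   GET  api.skype.com 512
2019-08-27T09:12:31Z dave  POST files.example-share.net 4194304
"""


def classify(host, policy=POLICY):
    """Return the tier for a host by longest-suffix match against the policy.

    'upload.yousendit.com' matches 'yousendit.com'; 'mail.google.com' is
    matched before a shorter 'google.com' entry would be, if one existed.
    Hosts matching nothing are 'unknown', which is itself a finding.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return "unknown"


def parse_line(line):
    """Split one constructed log line into (user, method, host, bytes_sent)."""
    _timestamp, user, method, host, sent = line.split()
    return user, method, host, int(sent)


def summarize(log_text, policy=POLICY):
    """Aggregate the log as {tier: {host: {'users': set, 'bytes': int}}}.

    Only POST bytes are counted so the number reflects data uploaded to the
    service, not pages fetched from it.
    """
    out = {tier: defaultdict(lambda: {"users": set(), "bytes": 0})
           for tier in TIERS}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, method, host, sent = parse_line(line)
        entry = out[classify(host, policy)][host]
        entry["users"].add(user)
        if method == "POST":
            entry["bytes"] += sent
    return out


def review_queue(summary, upload_threshold=1_000_000):
    """Items for a human: every unknown host, plus prohibited hosts that
    received more than upload_threshold bytes. Largest uploads first."""
    items = []
    for host, e in summary["unknown"].items():
        items.append(("unknown", host, sorted(e["users"]), e["bytes"]))
    for host, e in summary["prohibited"].items():
        if e["bytes"] > upload_threshold:
            items.append(("prohibited", host, sorted(e["users"]), e["bytes"]))
    return sorted(items, key=lambda item: item[3], reverse=True)


def users_by_tier(summary):
    """Distinct users per tier: how much of the workforce is outside
    sanctioned tooling, which is the 'scope' most organisations lack."""
    return {tier: sorted({u for e in summary[tier].values() for u in e["users"]})
            for tier in TIERS}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for tier in TIERS:
        for host, e in sorted(summary[tier].items()):
            print(f"{tier:10} {host:26} users={sorted(e['users'])} "
                  f"uploaded={e['bytes']}")
    print("users by tier:", users_by_tier(summary))
    print("review queue:", review_queue(summary))
```

The unknown tier is the interesting output: it is the list of services nobody has classified yet, which is exactly the inventory the policy section says the CIO must build. Counting only client-to-server bytes keeps the review queue focused on data leaving the organization rather than on ordinary browsing.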


The Risks of Shadow IT[4]

According to Cisco, 80% of end users use software not cleared by IT, 83% of IT staff admit to using unsanctioned software or services, and only 8% of all enterprises actually know the scope of shadow IT within their organization. Shadow IT, without a doubt, adds risk to your organization, and your employees are your weak link. Michael Bruemmer, vice president of Experian Data Breach Resolution, explained: “As we have seen in our incident response service that we do for clients, about 80% of all the breaches we service have a root cause in some type of employee negligence.” When non-sanctioned applications and devices are in use, vulnerabilities can be introduced into the infrastructure, and without IT oversight the root cause is very difficult to find. Some examples of the risks that shadow IT introduces include:

  • Software Asset Management (SAM): Organizations need to track every software application in use along with its licensing information. Unauthorized software makes this already difficult task nearly impossible, which leads to the next risk.
  • Compliance: Once discovered, unauthorized applications can mandate a complete audit of the infrastructure to ensure you are compliant. Organizations that do not take this seriously risk hefty fines for non-compliance.
  • Testing: IT infrastructures are complex organisms that require management. Introducing new applications without proper testing can compromise the entire infrastructure. Shadow IT also adds complexity to the testing process because a third party has to be involved.
  • Configuration management: Creating a configuration management database (CMDB) and defining the relationships between systems is labor-intensive. Systems that employees introduce as shadow IT are not included in it and can have compatibility issues as a result.


See Also

References

  1. Defining Shadow IT, Wikipedia: https://en.wikipedia.org/wiki/Shadow_IT
  2. Stealth IT - The Flip Side of BYOD, Dameware: http://www.dameware.com/cmdprompt/stealth-it-the-flip-side-of-byod.aspx
  3. Establishing Policies Around Shadow IT, BMC Blogs: https://www.bmc.com/blogs/shadow-it/
  4. The Risks of Shadow IT, OneNeck: https://www.oneneck.com/blog/cloud/managing-shadow-it