Why ‘Shadow IT’ must be addressed

By Byron Acohido

Bypassing the IT department in order to begin using the hottest new technologies is something tech-savvy employees have been doing since the inception of corporate networks. Most often, these workers aren't maliciously motivated. They are simply intolerant of plodding decision-making and so take it into their own hands to acquire and begin using nifty new tools they believe will help them become more productive.

This dynamic, variously referred to as 'Shadow IT', 'Stealth IT' or 'Rogue IT', is a double-edged sword. Over the past decade, it probably has boosted overall corporate productivity. That said, it undoubtedly has created a fistful of profound privacy and security exposures that must be addressed.

The pressure on company decision makers to 1) acknowledge the existence of Shadow IT and 2) begin taking steps to mitigate the new risks spawned by Shadow IT continues to mount. Gartner recently estimated that some 90 percent of CIOs worldwide are being bypassed by business groups making unilateral decisions about IT purchases.

And a recent study from Cisco found that large enterprises across the United States, Europe, Canada and Australia typically use some 730 cloud services – this is happening in organizations where the CIO believes only 50 or so cloud services are being utilized.

I recently got together with Liviu Arsene, who is Senior E-Threat Analyst at security vendor Bitdefender, to put Shadow IT into a wider context.

Byron: One camp believes Shadow IT should be encouraged, the other believes it should be abolished. Who's right?

Liviu: CIOs agree that Shadow IT shouldn't be ignored and must be dealt with. Studies show companies use up to 15 times more cloud services to store critical company data than CIOs were aware of, or had authorized. So CIOs need to start developing a strategy for managing Shadow IT.

One of the first things they can do is make a list of all authorized and unauthorized devices. This is the first step towards understanding what you need to secure. Figuring out how to manage Shadow IT is a big challenge. You want to reduce costs and mitigate security risks.

Byron: What are some of the ‘hidden costs’ associated with Shadow IT?

Liviu: One recent study shows unmanaged Shadow IT could potentially lead to an average of $1.9 million in financial losses per organization. This includes exposure of sensitive data or files within cloud applications. Some of the data exposed by rogue cloud IT applications includes source code (in 48 percent of cases), personally identifiable information (33 percent), protected health information (14 percent), and payment card industry data.

Byron: So this is more than just a policy compliance issue?

Liviu: Besides compliance and security issues directly associated with the usage of IT systems that have not been authorized by the organization, Shadow IT could also raise the risk of data loss or leaks. Unsanctioned software or hardware could potentially lead not only to hidden costs, but it could also open the organization to security-damaging software or threats that affect the overall business logic and data.

Byron: What’s a specific type of threat the bad guys are executing right now, that takes advantage of Shadow IT?

Liviu: One type of possible attack is known as Man-in-the-Cloud. Because cloud-based file synchronizing services use tokens for authenticating a user's devices, an attacker could theoretically steal a user's token and add his rogue device as a trusted one. Consequently, when files are synchronized between a user's devices, they will also be synchronized with the attacker's systems. If users don't check how many devices they actually have linked to the same account, the attacker can operate like that for a long time.
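The Man-in-the-Cloud pattern described in the answer above, as an added example that is not part of the original interview and models no real sync provider. It is a constructed simulation: the service, the account, the device names and the file names are all made up. The toy backend enrolls any device that presents the account's long-lived token, which is exactly the weakness the attack relies on, and the `unexpected_devices` check is the linked-device review the answer recommends.

```python
"""Toy model of the Man-in-the-Cloud pattern.

Constructed simulation for illustration only: no real sync client or cloud
provider is involved, and every name below is made up.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    token: str                                   # long-lived sync token
    devices: dict = field(default_factory=dict)  # device_id -> files received


class SyncService:
    """Sync backend in which the account token alone is enough to enroll a device."""

    def __init__(self):
        self.accounts = {}

    def create_account(self, user):
        acct = Account(user, secrets.token_hex(16))
        self.accounts[user] = acct
        return acct.token

    def _by_token(self, token):
        for acct in self.accounts.values():
            if secrets.compare_digest(acct.token, token):
                return acct
        return None

    def link_device(self, token, device_id):
        # Weakness the attack exploits: whoever holds the token can add a
        # device, with no user confirmation and no binding to the original host.
        acct = self._by_token(token)
        if acct is None:
            return False
        acct.devices.setdefault(device_id, [])
        return True

    def upload(self, token, device_id, filename):
        # A file uploaded from one linked device fans out to every other one,
        # including a device the legitimate user never enrolled.
        acct = self._by_token(token)
        if acct is None or device_id not in acct.devices:
            raise PermissionError("device not linked to this account")
        for dev, inbox in acct.devices.items():
            if dev != device_id:
                inbox.append(filename)

    def linked_devices(self, user):
        return sorted(self.accounts[user].devices)


def unexpected_devices(service, user, expected):
    """The check the answer recommends: anything linked that the user does not own."""
    return sorted(set(service.linked_devices(user)) - set(expected))


def run_scenario():
    svc = SyncService()
    token = svc.create_account("alice")
    svc.link_device(token, "alice-laptop")
    svc.link_device(token, "alice-phone")

    # Attacker obtains the token (for instance copied from the laptop's client
    # configuration) and enrolls a rogue device; every later sync reaches it too.
    stolen = token
    svc.link_device(stolen, "attacker-vm")

    svc.upload(token, "alice-laptop", "q3-financials.xlsx")
    svc.upload(token, "alice-phone", "contract-draft.docx")

    return {
        "attacker_received": list(svc.accounts["alice"].devices["attacker-vm"]),
        "unexpected": unexpected_devices(svc, "alice", ["alice-laptop", "alice-phone"]),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the simulation is the last two lines of `run_scenario`: nothing the user does from a legitimate device fails or looks different, so the only observable signal is an extra entry in the linked-device list. A real defence would bind tokens to a device identity and require confirmation for new enrollments; this toy deliberately omits both so the attack succeeds.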

Byron: This clearly affects large enterprises; how much of a concern is this for SMBs?

Liviu: Shadow IT is arguably more prevalent in SMBs as smaller organizations don't have an official IT department. The Man-in-the-Cloud type of attack previously mentioned is particularly difficult to detect by SMBs that don't have a highly trained IT department. It usually requires monitoring out-of-band channels via properly configured firewalls or intrusion detection systems. Naturally, not all SMBs are in the habit of implementing these mechanisms.

Byron: Can you share general tips for organizations to begin addressing Shadow IT?

Liviu: Common practices for identifying Shadow IT include IT risk assessment, penetration tests, and vendor risk management processes. Everything from software inventory reports and pentests on approved and unapproved cloud service providers needs to be performed on a regular basis. This can keep you up to date with the rogue solutions employees are using and the risks these applications pose to the company.

Also, investing in robust security services to identify and protect your organization from Shadow IT is important. Bitdefender GravityZone, for instance, is a tool that can help organizations secure both physical and virtual environments. GravityZone allows IT departments to enforce policies on local networks, and also gain visibility into how endpoints behave.
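One concrete way to produce the regular inventory of "rogue solutions employees are using" that the answer above calls for, as an added example that is not part of the interview and not a Bitdefender tool: enumerate cloud services from outbound web-proxy logs and compare them with the sanctioned list. Everything in it is constructed: the Squid-style log lines, the domain-to-service catalog, the sanctioned set and the "previous inventory" are made up, and a real deployment would feed it the organization's own proxy format and a commercial or in-house service catalog.

```python
"""Shadow IT discovery from web-proxy logs.

All inputs are constructed for illustration: the log lines, the service
catalog and the sanctioned list are made up and stand in for real data.
"""
import re
from collections import defaultdict

# Constructed Squid-like access log: timestamp user method url status bytes
PROXY_LOG = """\
1700000001.123 alice CONNECT files.example-drive.com:443 200 48213
1700000002.456 bob CONNECT api.example-drive.com:443 200 1024
1700000003.789 alice CONNECT chat.example-messenger.io:443 200 3201
1700000004.001 carol CONNECT crm.sanctioned-vendor.com:443 200 9120
1700000005.222 dave CONNECT paste.example-notes.app:443 200 77
1700000006.333 bob CONNECT paste.example-notes.app:443 200 15340
1700000007.444 erin GET http://updates.example-os.net/patch.bin 200 9000000
"""

# Constructed catalog: domain suffix -> cloud service. A real one comes from a
# CASB feed or an internally maintained list.
CATALOG = {
    "example-drive.com": "ExampleDrive (file sync)",
    "example-messenger.io": "ExampleMessenger (chat)",
    "sanctioned-vendor.com": "SanctionedCRM",
    "example-notes.app": "ExampleNotes (pastebin)",
}
SANCTIONED = {"SanctionedCRM"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)


def host_of(url):
    """CONNECT lines carry host:port, GET lines a full URL; return the bare host."""
    url = re.sub(r"^https?://", "", url)
    return url.split("/", 1)[0].split(":", 1)[0].lower()


def service_of(host):
    """Match the host against catalog suffixes; None means 'not a known cloud service'."""
    for suffix, name in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def discover(log_text):
    """Aggregate users and bytes per cloud service, unsanctioned services first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        svc = service_of(host_of(m["url"]))
        if svc is None:
            continue
        usage[svc]["users"].add(m["user"])
        usage[svc]["bytes"] += int(m["bytes"])
    report = [
        {"service": svc, "sanctioned": svc in SANCTIONED,
         "users": sorted(u["users"]), "bytes": u["bytes"]}
        for svc, u in usage.items()
    ]
    return sorted(report, key=lambda r: (r["sanctioned"], -r["bytes"]))


def unsanctioned(log_text):
    return [r for r in discover(log_text) if not r["sanctioned"]]


def new_since(previous_services, log_text):
    """Services seen now that were absent from the last inventory run."""
    return [r["service"] for r in discover(log_text) if r["service"] not in previous_services]


if __name__ == "__main__":
    for r in unsanctioned(PROXY_LOG):
        print(f'{r["service"]:28} users={r["users"]} bytes={r["bytes"]}')
```

Ranking by bytes sent puts the services most likely to be carrying company data at the top; the `new_since` comparison is what turns a one-off scan into the recurring check the answer describes, by diffing each run against the previous inventory.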
