What do complex IT policies, outdated software and a lack of IT-supported services have in common? They all contribute to shadow IT, where employees bypass IT policy and use unapproved services and software. Take Dropbox, for example, which puts confidential information beyond the organization's control.
The last thing an employee trying to get a project off the ground wants to do is file change requests through a slow and uncertain IT procedure. How can IT deliver the necessary resources so that this is no longer an issue? We spoke with a number of information security professionals who shed light on this problem, in the hope that organizations can prevent shadow IT before it becomes standard practice.
Computerworld selects interesting articles here from the international network of our publisher IDG.
1. Enable business owners
Jeff Schilling, CSO, Armor: Follow the money - Set up accounting procedures that require all IT technology and service acquisitions to be approved by the CIO or his/her designated manager.
Don't be the Enemy - Partner with your business owners to plan their IT technology and service requirements so that you are their preferred provider.
Don't try to defy the law of gravity - If gravity is pulling your business owners to the public cloud because it is more agile and able to meet their needs, figure out how you can enable the business owner to "do it right" vs. "do it themselves."
2. Encourage an open door policy
Morey Haber, VP of Technology, BeyondTrust: For any business, the following IT policy adoptions can help manage shadow IT proliferation:
Acknowledge that shadow IT is present and provide a grace period for the deployments to be placed under IT management with no repercussions. There may be IT and security staff in the field who can contribute positively to the organization if properly empowered.
Support an open door IT policy for new projects and advice, and help provide prompt guidance for the design and deployment of new projects. Shadow IT occurs because of the roadblocks with traditional IT. If an open door policy is adopted for all aspects, the barriers are removed.
3. Prioritize end-user experience
Kurt Roemer, Chief Security Strategist, Citrix: To prevent shadow IT, businesses need to focus on the end user experience. The reason people go around company policies is because the apps and solutions they're being asked to use are too difficult to use or too time consuming. If the employee's experience is seamless and secure, they'll have no need to go around IT to find solutions that help them be more productive. Here are a few best practices to live by to prevent shadow IT:
- Whenever shadow IT is better than dealing with the IT department and their crazy rules, IT will lose customers.
- When IT adopts a customer-first attitude and serves as a trusted adviser to their customers, both sides win.
- IT-provided services must be just as good as or better than what their customers can obtain on their own from consumer-grade services.
- Single sign-on to all applications (especially web and cloud apps) is a secret weapon to winning back customers, as it makes their lives much easier.
- Required policies must be automated and contextual to the specific situation that customers are facing to best protect sensitive data.
Notice the lack of the word "users". That's deliberate and also indicative of a mindset that will restore IT value and reduce shadow IT.
4. Give users what they want with a cloud broker
Travis Greene, Identity Solutions Strategist at Micro Focus: End users turn to shadow IT for a myriad of reasons:
- Because IT doesn't offer a service (such as file sharing)
- Because the IT standard is too difficult to use or doesn't meet their needs (such as the adoption of CRM in the cloud)
- To avoid IT policies
If users are going around IT to acquire a service, either because it isn't offered or doesn't meet their needs, then IT needs to seriously consider either adding it, or enabling access through a cloud broker. Cloud broker software provides single sign-on to SaaS apps, enforces access request and approval policies, provisions access automatically for user convenience, and revokes access when a user changes roles or an access certification indicates a need to revoke the access.
5. Focus on behavior instead of applications
Wade Williamson, Director of Threat Analytics, Vectra Networks: Shadow IT is often framed as an application control problem. But hoping to find and manage every new possible application, including the ones your own IT guys build, is a losing game of herding cats. Instead of chasing the applications, organizations need to get better at recognizing the underlying behavior they all share in common.
Does it really matter whether your employee is replicating your data to a rogue Dropbox account, his personal Google Drive, or an unsecured server he spun up in AWS? The behavior and impact is the same. Focus on the behavior and suddenly a very expansive problem becomes manageable.
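To make the behaviour-first approach concrete, here is an added example that is not from the article or from any vendor quoted in it. Rather than maintaining a list of every file-sharing app, it aggregates outbound bytes per user to any destination classified as external storage (a named provider or, via a wildcard, a self-provisioned S3 bucket) and flags users who push more than a threshold within a sliding window. The proxy log layout, the host category map, the threshold and the sample log lines are all constructed assumptions for illustration.

```python
"""Behaviour-based detection of bulk data replication to external storage.

Added example, not the article's or any quoted vendor's code. The rule keys
on the behaviour (a user uploading a large volume to external storage within
a short window), not on which particular app is used. Log format, category
map, threshold and sample data are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed proxy log layout: "<iso-timestamp> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes_out>\d+)$"
)

# Constructed category map of known external storage hosts (assumption).
STORAGE_HOSTS = {
    "content.dropboxapi.com": "dropbox",
    "www.googleapis.com": "google-drive",
}


def classify(host: str) -> str:
    """Map a destination host to a storage category; 'other' means not storage."""
    if host in STORAGE_HOSTS:
        return STORAGE_HOSTS[host]
    if host.endswith(".s3.amazonaws.com"):
        # Wildcard: a bucket nobody registered still counts as external storage.
        return "aws-s3"
    return "other"


def parse(line: str):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "method": m["method"],
        "host": m["host"],
        "bytes_out": int(m["bytes_out"]),
    }


def find_bulk_uploaders(lines, threshold_bytes=50_000_000, window=timedelta(hours=1)):
    """Return {user: peak_bytes} for users whose uploads to any external storage
    destination reach threshold_bytes within a sliding time window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        # Only data leaving the network counts: uploads, not downloads.
        if rec is None or rec["method"] not in ("PUT", "POST"):
            continue
        if classify(rec["host"]) == "other":
            continue
        events[rec["user"]].append((rec["ts"], rec["bytes_out"]))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start, running = 0, 0
        for ts, nbytes in evs:
            running += nbytes
            # Slide the window forward past events older than `window`.
            while ts - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            if running >= threshold_bytes:
                flagged[user] = max(flagged.get(user, 0), running)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice PUT content.dropboxapi.com 30000000
2024-03-01T09:10:00 alice PUT content.dropboxapi.com 25000000
2024-03-01T09:05:00 bob POST www.googleapis.com 10000000
2024-03-01T09:06:00 bob GET www.googleapis.com 500
2024-03-01T09:20:00 carol PUT backups-carol.s3.amazonaws.com 60000000
2024-03-01T09:30:00 dave POST intranet.example.com 90000000
2024-03-01T11:30:00 bob POST www.googleapis.com 45000000
""".splitlines()

if __name__ == "__main__":
    for user, peak in sorted(find_bulk_uploaders(SAMPLE_LOG).items()):
        print(f"ALERT {user}: {peak} bytes to external storage within 1h")
```

In the sample data, alice (Dropbox, two uploads in ten minutes) and carol (an unregistered S3 bucket, one large upload) are flagged by the same rule, while bob stays under the threshold because his two uploads are more than an hour apart and dave's large POST goes to an internal host. The provider never has to be known in advance; only the destination category and the volume matter.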
6. Learn how apps are being used
Chris Morosco, Director, Data Center & Cloud Strategy, Palo Alto Networks: The pervasiveness of shadow IT is a result of the tremendous value these SaaS applications are providing to end users. Because of data exposure and threat insertion risks, these users can't run unchecked.
A sledgehammer approach of simply blocking applications is not the right approach. Disrupting business-critical applications while blocking risky applications will have significant business impact, since users have become accustomed to using these applications to do their daily jobs. To properly control SaaS application usage and limit shadow IT's impact, you need to have detailed visibility of the applications that are being used, how these applications are used, and which users use them.
So detailed reporting of how users are currently using applications becomes the first critical step. With that detail you now have the ability to define granular policy control around critical business usage of SaaS, allowing you to block risky and unnecessary applications while controlling access and usage of the ones that are business critical. Limiting a particular group to an app and only allowing them to download but not upload is a critical step. In the end it comes down to limiting access to prevent data exposure risk and threat insertion while not disrupting business.
7. Provide access to the latest and greatest
Frank Mong, Head of Network, Endpoint and Cloud Security Strategy, Palo Alto Networks:
Shadow IT typically results from the inability of corporate IT to meet the needs of the users in a timely fashion or with the latest modern tool set. There is not a good way to block or stop shadow IT because there will always be the next great new shiny tool that 'solves all problems'. IT should find a way to allow users access to the latest and greatest.
A great example is cloud-based file sharing applications. Whether it is Box.net or Dropbox, there is a real need and use case where users need to share large files. Email just won't work. In this case, IT allowing a corporate version of Box.net solves a big problem while having visibility and security policies apply in Box just as it would if it was hosted by the company.
This example, along with cloud access security brokers or next-generation firewall capabilities to identify, track and manage cloud-based applications, makes it easier for corporate IT to meet the needs of the users in a timely fashion and support the latest cool tools. If corporate IT could prove its nimbleness while providing the security necessary, users would stop looking to shadow IT for answers.
8. Practice forgiveness
Mat Gangwer, Security Operations Leader, Rook Security: Ruling an IT organization with an iron fist will yield undesirable outcomes in most cases. If, through content monitoring or network filtering, you identify something unapproved being used, it's easy enough to shut it down through network protections.
However, this practice usually makes employees try harder to circumvent the controls you have in place. It's important to have a service catalog readily available to your employees. This catalogue outlines approved services for use. Being able to identify these services, and then discuss with the employee(s) as to why they are using it instead of one of the "approved services" can go a long way. In most cases, the lack of training or awareness leads to the rise of shadow IT in the first place.