Security

5 Steps to Proactively Address Unauthorized IT Among Workers

Agencies can smartly secure shadow IT without impeding productivity.

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

The term “shadow IT” has been around for several years — and for years, it has challenged IT departments. The practice of using applications and systems without the explicit approval of IT staff, or sometimes even without their knowledge, poses real risks for a government agency, particularly now that more employees are working from home.

Shadow IT is widespread in government. Several years ago, Skyhigh Networks found that the average agency was using 742 cloud services — about 10 to 20 times more than the IT department was managing. With the pervasive nature of cloud-based services and the popularity of hybrid cloud environments, the Cloud Security Alliance believes the situation is likely much worse today.

The Everest Group reported last year that dismantling shadow IT accounted for 50 percent or more of IT spending in large enterprises.

Shadow IT Can Lead Down a Slippery Slope

Shadow IT grows due to lack of awareness, both on the part of the user and the IT department. A wide variety of tools are brought into the agency under the radar, without explicit IT approval or knowledge.

A user needs something to get the job done and, without thinking, signs up for a web-based application: Need online messaging? Why not the same WhatsApp you employ for your personal life? Want to do a VoIP or videoconference call? If you’re a pro at using Zoom at home, use it at the agency as well. Need to transmit large files? It’s easy to sign up for a Dropbox account, particularly when you’re trying to get the job done remotely. But in each of these scenarios, no thought is given to control, management or security. Self-reliance is often a virtue, but not when it puts the agency at risk.

The IT department may be blind to the issue, with no clue how many unauthorized apps are being used, particularly when those applications are connecting from a home office. It’s not just a question of the apps’ security — frequent reuse of login credentials, weak passwords and phishing attacks leave user accounts on unauthorized services ripe for exploitation; by extension, the agency itself is at risk.

Unauthorized Access Represents a Major Risk

The biggest risk is that unauthorized software may not meet the strict security required by government protocols. There are three main categories of risk that need to be considered:

Data protection issues. Where is the data being stored — perhaps, in a hostile foreign country? How is it protected? Can the user upload sensitive data to the cloud, where it could be leaked? Is data encrypted? Who controls the keys? Can the user download files that contain malware and spread them to other members of the team?
Governance and standards. The agency’s investments to ensure compliance will be squandered if the real state of software is not known. Will use of the service put the agency at risk of losing regulatory compliance? Are controls in place to ensure adequate protection of data subject to the Federal Information Security Management Act, Health Insurance Portability and Accountability Act, International Traffic in Arms Regulations and other regulations?
Software asset management compliance. Licenses procured without IT knowledge expose the organization to risk, with severe sanctions. How do unknown applications and data relationships impact the carefully populated configuration management database?

Leaders Can Take Proactive Prevention Against Shadow IT

Fortunately, the shadow IT sea is not as murky as it may seem. The best approach involves five steps:

Establish a baseline of acceptable applications. Recognize there are probably many instances of shadow IT in your organization, most of which use well-known tools such as mail, messaging, conferencing and large file transfer services. Focus on the most popular ones and determine if you can sanction a subset of them.
Clarify the policy. Establish a clear policy as to which devices, systems and software employees can use. Then communicate that policy to all employees — not just once, but often. Remember that consistent user education strengthens your first line of defense.
Gain visibility. Detect and catalog all software running in the organization by using a software asset management (SAM) solution such as the Ivanti IT Asset Management Suite. This can integrate compliance, license entitlement, discovery and more in one interface.
Triage unacceptable risk. Conduct a detailed analysis of the security and data compliance risks associated with unauthorized applications. A cloud access security broker (CASB), such as McAfee MVISION, ensures real-time data protection. For tighter control with virtual desktop infrastructure (VDI), tools such as Citrix XenDesktop let IT control a secure desktop image with only sanctioned applications.
Create a long-term plan to fill functionality gaps. Run strategic analysis of usage patterns. Recognize that the organization needs a full range of tools and services in order to function properly. Given the long development cycles of most government organizations (with the need for verified security, governance and more), it may take some time to fill in the gaps in a controlled, secure and compliant fashion.

Employees are constantly trying to do their jobs as efficiently as possible, particularly when they are working out of the office. It’s up to IT to provide employees with systems that make their jobs easier, while ensuring security. Shadow IT provides a view of what capabilities employees really need, while SAM, VDI and CASB can help IT exercise control and governance over the entire landscape of applications. As always, user education can play a key role.

Nithid/Getty Images