Companies should secure shadow IT, not ban it

This is a contributed piece from Nigel Hawthorn, EMEA director of strategy at Skyhigh Networks, a company that analyses and ranks cloud security risks

According to Johann Wolfgang von Goethe, there is “strong shadow where there is much light.” Although Germany’s greatest writer died over 180 years ago, he could have been talking about Shadow IT – it can indeed shine a light on other areas that IT should investigate.

Shadow IT is technology deployed by users or departments without explicit organisational approval. Today, it is often the result of employees finding and downloading cloud applications without the knowledge of the IT department. This has traditionally been seen as a huge threat to corporate security: not only could it provide an entry point for hackers, but sensitive information can cross the corporate boundary via potentially insecure applications, without any visibility to IT.

IT needs to find, understand and control these cloud services, but Shadow IT is not necessarily all bad. It can reveal which services are being used to get jobs done more effectively, and as a result, it has become essential that companies take steps to secure Shadow IT, rather than ban it entirely.

Embrace your shadow

With more than 10,000 cloud applications available and an average of 700 in each organisation, users are constantly finding new ways to achieve their goals, and Shadow IT is often far bigger than first expected. Companies should first establish the extent of Shadow IT, to identify which services employees need to get their jobs done effectively. Only then can they formalise this in a cloud usage policy, which guides users to trusted cloud services that keep them safe and secure.

With such a collaborative relationship between IT and users – and given that cloud services can often be deployed more quickly and with greater flexibility than old-style in-house applications – it can actually ease relations and provide huge productivity gains.

What’s more, once the business understands the type of cloud services being used, it can often negotiate beneficial licensing deals and make use of economies of scale. For example, a typical enterprise finds it has more than 25 different cloud storage services in use. Reviewing and assessing these until it has just one means that employees can collaborate better and IT can manage the service centrally – for example, deleting the accounts of employees as they leave. Services that have fallen out of favour can also be eliminated, and savings can be made as licences are cancelled.

Secure your shadow

Every organisation has different security requirements, and each cloud service can be rated in as many as 50 different ways. The first port of call is, therefore, to review these credentials to ensure data isn’t at risk of leaking to competitors or falling foul of ever-increasing data protection regulations.

Once the preferred services are identified, the current infrastructure and policies that are enforced by proxies and firewalls should be used to direct users to these and away from those that are higher risk. In addition, firms need to continually monitor networks for signs of malicious activity that could indicate a disgruntled employee or compromised account breaching security protocols – consider encryption or tokenisation, or extending DLP policies to cloud services, for example.

With better management of cloud services, companies can avoid blanket bans, which are in fact one of the most detrimental ways of dealing with shadow IT. As you block one cloud service that you know is being used, you push employees toward potentially riskier alternatives that you don’t know about. This can put sensitive corporate data at much greater risk and, worse still, you can’t even analyse that risk because you don’t know it exists. It would be foolish to assume that you know every cloud service available, and this is what makes such ‘whack-a-mole’ cloud policies do more harm than good. In a nutshell, they need to become a thing of the past.
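The discovery and triage work described above (establishing the extent of Shadow IT from the traffic IT already sees, rating the services found, and surfacing the unknown ones rather than hiding them behind a ban) can be sketched in code. The script below is an added example, not code from the article or from Skyhigh Networks; the proxy log lines, the service catalogue, the risk ratings and the hostnames are all constructed placeholders, and the `CATALOGUE`, `inventory` and `triage` names are this example's own.

```python
"""Inventory cloud services seen in web-proxy logs and sort them into the buckets a
cloud usage policy review works through. Added example: every log line, hostname
and risk rating here is constructed, not real data from any vendor's catalogue."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue: hostname suffix -> (service name, risk rating, sanctioned?).
# The low/medium/high scale is a placeholder for whatever rating scheme IT adopts.
CATALOGUE = {
    "corp-drive.example": ("CorpDrive", "low", True),
    "quickshare.example": ("QuickShare", "high", False),
    "notesync.example": ("NoteSync", "medium", False),
}

# Constructed proxy lines: timestamp client user method url bytes_sent
SAMPLE_LOG = """\
1700000000.001 10.1.1.5 alice POST https://files.corp-drive.example/upload 5242880
1700000000.120 10.1.1.7 bob POST https://api.quickshare.example/v1/put 2097152
1700000000.300 10.1.1.9 carol GET https://www.quickshare.example/ 512
1700000000.450 10.1.1.5 alice PUT https://cdn.notesync.example/blob 1048576
1700000000.600 10.1.1.8 dave POST https://up.newtool.example/drop 4194304
"""


def lookup(host):
    """Match a hostname against catalogue suffixes; None means never assessed."""
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def parse_line(line):
    """Split one constructed proxy line into the fields the inventory needs."""
    _ts, _client, user, method, url, nbytes = line.split()
    host = urlsplit(url).hostname or ""
    return {"user": user, "method": method, "host": host, "bytes": int(nbytes)}


def inventory(log_text):
    """Aggregate per service: distinct users and bytes sent outbound (POST/PUT)."""
    stats = defaultdict(
        lambda: {"users": set(), "upload_bytes": 0, "risk": None, "sanctioned": False}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        entry = lookup(rec["host"])
        if entry:
            name, risk, sanctioned = entry
        else:
            # Unknown destination: keep it visible under its hostname so it can be
            # assessed, instead of silently blocking it and losing sight of it.
            name, risk, sanctioned = rec["host"], "unassessed", False
        s = stats[name]
        s["users"].add(rec["user"])
        s["risk"], s["sanctioned"] = risk, sanctioned
        if rec["method"] in ("POST", "PUT"):
            s["upload_bytes"] += rec["bytes"]
    return dict(stats)


def triage(stats):
    """Sort the inventory into review buckets, each sorted by service name."""
    buckets = {"sanctioned": [], "high_risk": [], "needs_review": [], "unassessed": []}
    for name, s in stats.items():
        if s["sanctioned"]:
            buckets["sanctioned"].append(name)
        elif s["risk"] == "unassessed":
            buckets["unassessed"].append(name)
        elif s["risk"] == "high":
            buckets["high_risk"].append(name)
        else:
            buckets["needs_review"].append(name)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    stats = inventory(SAMPLE_LOG)
    for name, s in sorted(stats.items()):
        print(f"{name:22} risk={s['risk']:10} users={len(s['users'])} "
              f"uploaded={s['upload_bytes']} sanctioned={s['sanctioned']}")
    print(triage(stats))
```

The "unassessed" bucket is the one the article warns about: the services that appear only after a known one is blocked. Feeding that bucket into the rating process, rather than into another block rule, is what turns the inventory into a usable cloud usage policy.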

Don’t be afraid of your shadow

Employees need to be empowered to do their job in the most efficient way possible. If this means using a notepad from the stationery cupboard, they should be able to take it – and similarly, if this means using a file sharing tool to collaborate, they should be able to download it. It is only in very rare instances that an employee downloads a cloud service for a malicious end; the demand for these cloud services comes directly from a need to get the job done. That’s a work ethic most enterprises would strive to achieve in their employees, not to mention an exceptionally agile way for IT to be procured.

Shadow IT – which is often perceived negatively – can drive business efficiency and a competitive edge. Monitoring cloud usage, with appropriate follow-up activity to sanction the use of safe applications, can actually make working life easier for employees and deliver a sure-fire way to establish effective policies going forward.
