Shining a light on Shadow IT

Shadow IT can pose a serious risk to security and governance

Shadow IT, apps and devices that are in use without IT’s knowledge or consent, is a growing problem.
By Staff Writer. Published August 26, 2014

Lijeesh Rajan, Director of Centralized IT Services, Dubai & Northern Emirates, Rotana Hotel Management Corporation: There is no particular policy stating ‘shadow IT’ as a term; however, unauthorised solutions are something which we emphasise in policies. However, there are [unauthorised] workaround solutions that become productivity tools in operational departments, which tend to overlay the policies. Once the personnel who promoted them move on, [management of] it falls back to the IT department, to improve it or challenge its use. In most of the cases, these solutions are not as productive as they are presumed to be.

Do you have any regular activities to detect unauthorised applications in your environment?

Akhtar: We do control and monitor this regularly. We do not allow any user to install any freeware or unlicensed software. In fact, users’ PCs have admin access removed so that they do not install any unwarranted software. On some authorised software we only provide access to selected users, with the strict control not to create any applications to use for business. Of late we observed that some IT-savvy staff were developing applications and trying to use them for business.

Rizvon: We use Microsoft System Center Configuration Manager to check for any unauthorised apps and we also check whenever the devices come in for service.

What sort of policies should organisations have to manage the issue?

Kumar: Security policies will cover non-compliant device and application usage. Data sharing policies need to cover the usage of cloud services and the data that can be shared on the cloud. Without proper control, shadow IT can be a nuisance for both IT management and enterprise security. Education and training on data sharing, and more controls around data sharing and application downloads, need to be implemented.

Mingay: Clear policies around security, privacy, compliance and vendor engagement, but also supporting services to help users understand and deal with these appropriately. Guidance on which areas are appropriate for end-user development/solution acquisition, and which areas are the domain of enterprise IT, and controls to identify when a solution is sliding from one domain into another.

How should organisations best tackle shadow IT?

Mingay: IT organisations must engage! It is no longer practical to take the moral high ground and wag fingers at people, and then when things go wrong take the view ‘we told you so’. The idea that the CIO can be responsible for all things IT in the enterprise has passed, and now there will be many channels of delivery. As such the IT organisation will be responsible for enterprise IT, and needs to engage in actively shepherding and guiding ‘shadow IT’ firstly to bring it out of the shadows into the open and secondly to ensure it is used appropriately to create value. This means adapting the services the IT organisation provides to support ‘shadow IT’.

Kumar: Frequent audits are needed. Also if a cloud service such as Dropbox seems critical for a department, [IT should] upgrade it for an enterprise level option that provides better monitoring and complies with the security policies of the company.

How can you best manage shadow IT?

Rizvon: It is best to work with the management team on why it is important to have a standard policy against shadow IT. In the last few years, our IT staff size has either remained the same or reduced every year and our budgets are almost flat. This has been possible by following a standard IT policy for hardware and software.

Tewary: By keeping a ‘safe’ distance between enterprise systems and such shadow systems. The maintenance and upkeep of the shadow systems is done through the vendor who delivered it and by the business segment who went for it. We do not allow any direct data interface/data transfer and data updates between enterprise applications and shadow systems. Based on needs, we shall keep such shadow systems on separate VLANs.

Rajan: We work towards having co-ordination between management divisions whether it is sales, marketing or finance to understand the solutions and their tools in action. This allows us to understand well how to maintain their solutions and also to look for and deliver the right solutions that meet their needs.

Rathi: The best way to manage shadow IT is to listen to the user. His requirements are genuine and, in most of the cases, they are ready to use an alternative secure application. We need to explain to them the security issues and the impact it would have on the enterprise. Simply saying ‘no’ makes them hate IT. Use technology to identify the offender, talk to them, provide an amnesty for breaking the policy and get them on your side. Believe me, the end users simply want to get their work done with ease.

Khan: In our organisation we deal with this by building and sharing IT strategy with the CEO and functional heads, and building capability in the IT team to understand business needs in every area. We have also established information risk management, so that the risk of shadow IT is clearly understood. We give special attention to vulnerable areas like digital media, websites and social media, the typical areas where shadow IT initiates.

Sometimes we play hardball in preventing the proliferation of IT, if it touches the overall IT strategy; while sometimes we allow relatively innocuous initiatives to go by to win friends. IT departments need to take cognizance of this trend, and change their strategy to leverage this — this trend is here to stay.
