The origin of rogue information technology – technology selected and paid for by employees for business use – may be the assumption on the part of business people – the money making arm of a company — that the cost of acting as a supplicant to bureaucratic IT — a service arm of a business — is too high. That or the fact that it’s sometimes difficult to convince business people that IT has their best interest at heart. But regardless of the rational for the adoption of a bring-your-own-device (BYOD) policy, employee use of third-party apps and services, and personal mobile devices in a corporate facility places a company and its assets and operations at risk.
IT, security and mobile experts alike are concerned about risks that arise due to the difficulty of tracking and managing authorized software and hardware. Those concerns triple when the introduction of rogue software and hardware ensures that IT is not completely sure of where its formal or informal technical perimeters begin and end. In that case, it’s difficult for IT to know what factors affect the “good or bad behavior” of the technology that operates within its borders.
So how does a CIO or another IT leader and his department establish and maintain a secure environment and identify and manage both the authorized and Shadow IT that resides therein to best mitigate associated risks? Here are seven steps that are helpful in this regard.
- Determine why business people take steps to circumvent IT policies.
Rather than form a “storm detachment” to “storm” into business departments and confiscate non-IT-authorized equipment, a CIO should determine the business goals the shadow IT is intended to support. Chances are that an authorized technical alternative might already exist of which business people are unaware.
During this process, it’s important to evaluate IT policies for current relevance in regards to the Shadow IT. If a motive behind a policy is no longer pertinent or if the policy can be revised to better support business objectives, it’s an opportunity to create a new policy that business and IT personnel can better “live with.”
- Monitor the organization’s network to identify Shadow IT nooks and crannies.
Examine the network to pinpoint where the organization’s data is located, whether it’s stashed on company-issued or an employee-owned device (BYOD). For instance, the data might dwell at the edge of the cloud, in-house or in the company’s data center. Next, monitor the network to identify Shadow IT. Over time, you can use your findings to create and compare lists of hardware to identify new devices, their types and their locations. This process can be made part of routine vulnerability scanning. Alternatively, you can review firewall, proxie, SIEM and MDM product log data to identify any cloud service being accessed by an unauthorized asset, the employee using the Shadow IT asset, the frequency of the asset’s use and the quantity of data that’s uploaded or downloaded with the asset.
- Review the trust registry of cloud services to identify and block access to high-risk services.
A software or service outside the scope of services under your company’s IT organizational control may or may not put your organization at risk. By reviewing a registry of cloud services, you can identify high-risk services that employees currently use. Those risks should be addressed using the organization’s existing infrastructure, such as firewalls or proxies, to block access to the services. Other options are to ask the employee to stop accessing the service or provide him an authorized service alternative.
- Create BYOD policies and procedures, and standards and guidelines.
Your company’s IT staff can create a list of approved “rogue” applications that accommodate the processing requirements of business units. In turn, the business units can select an application from the list, confident that the integration of the selected software to the company’s network will not lead to a security or compatibility issue. To support this process, IT should design and implement a BYOD strategy and supporting policies and processes. By doing so, the staff will be aware of the software that IT will support and, by default, which software and apps are unapproved for organizational use due to the risks they pose.
- Provide the workers alternative software with which to find and use data across platforms.
The origin of Shadow IT policies is the employee desire to access and use data with different devices in multiple locations. Consequently, IT must offer employees a secure solution that grants users data access in house and remotely to ensure an organization is not placed at risk by rogue devices and software.
By providing employees secure and IT-controlled access to data using authorized solutions, the organization decreases the appeal of products that may not be discovered and, therefore, controlled by an organization’s IT staff. For instance, if BYOD products include Android-based devices, IT must provide security controls to protect data transmitted on these devices or offer a mobile alternative.
6. Limit user access to unauthorized applications and circulate a relevant policy.
An organization can restrict user access to particular applications and deny the user the ability to install certain applications, such as Dropbox. The IT department can write and distribute a policy to users and staff that lists the services that the organization will not allow to operate on its network. As an alternative to blocking access to an application and limiting the user’s access to a particular form of technical support, IT can suggest a low-risk alternative.
- Identify traffic to a third-party cloud solution that delivers Shadow IT or offer users amnesty when reporting Shadow IT use.
Your company can identify and monitor traffic to or from third-party cloud-delivered Shadow IT solutions and attempt to block them. As an alternative, IT can offer a no-consequences pardon to employees who report the rogue applications they are using. In the latter case, users can also provide the business justification for the application’s use so IT might suggest an authorized alternative or support the application’s use by implementing the appropriate security measures.
Technology experts warn of the many risks associated with the hardware and software an organization elects to implement, let alone those risks of Shadow IT that employees independently integrate in their employer’s IT environment without authorization. But as the instances of employee reliance on a personal device increase, so do the associated risks due to the difficulty of tracking and managing these devices. Such risks can be managed using these seven steps that support CIO efforts to maintain a secure environment in the instance that IT is unsure of where the organization’s technical perimeter begins and ends.