What is Shadow IT?
Shadow IT, a wonderfully ominous term, but what does it really mean? Essentially, Shadow IT is considered to be any IT system, service, mechanism, or methodology that has been adopted within your organisation outside of the view, control, oversight, or sanction of the organisation and IT Administration. Classic examples are file sharing services such as (the now retired) docs.com, or dropbox. However, the issue is much wider than this, as evidenced by Cloud App Security identifying over 15000 different Apps and services which would constitute Shadow IT.
How did we get into this pickle?
The problem of Shadow IT stems not from nefarious intent by users to cause problems, leak information, obstinately not comply with data protection rules and protections. Instead it comes from a desire to be productive, and avoid the restrictions and limitations (real, imagined, or misunderstood) of the organisations approach and delivery of IT systems and services.
An attempt to continue to work on resources from home, to share and collaborate on something with colleagues and partner organisations, to perform a task legitimately ‘just on this occasion’ and so on. Which is all well and good, almost commendable. However, as more and more data moves outside of the view of the management systems implemented by IT, the risk of private, confidential, or Personally Identifiable Information (PII) or other GDPR and legislatively protected data types leaking increases.
Is this really a risk?
As noted in previous Silversands Blogs, and those of trusted industry commentators, we cannot rely on third party services. Or more to the point, user created identities and accounts on such services, remaining safe and secure in the long term.
With the prevalence of password re-use, unsecured personal/domestic devices, unmanaged device access, and the ease of identity breach through processes such as credential stuffing, almost all organisations will have active users who have one or more compromised sets of credentials, and are blissfully unaware of this status.
It is one thing for a corporate identity to be breached, an intruder accessing known and monitored Apps and services, as this can be audited, logged, countered, and prevented ongoing. It’s quite another thing if a personal account or external service (Shadow IT) is breached using the same methodology. This could go unidentified indefinitely, along with the loss of control of all information stored or transited through the service.
Many services, being aware of these security risks, actually provide enhanced security functionality such as multifactor authentication. However, users are unaware of these systems, their importance, and rely on standard email address and password authentication methods.
How can we even get a view of what’s in use?
Microsoft has produced a very useful tool, Cloud App Discovery, which can be used to analyse the traffic moving across your corporate firewalls, and identify over 15000 different Apps and services that may be accessed and used by your users.
Cloud App Discovery provides the discovery and information element of Cloud App Security, and whilst Cloud App Security is an element of the EM+S E5 suite (or licensed independently), your organisation can make use of Cloud App Discovery with just Azure AD Premium P1 or above! In order to get a handle on whether (or how much) of an issue there is with Shadow IT, this could even be performed through an Azure AD Premium trial.
Microsoft has provided an IT Showcase which gives a good outline of the capabilities of the full Cloud App Security implementation, along with a concise 5 minute long YouTube video which also gives a view of the consoles and information presented by discovery and security.
Carrot or Stick?
Cloud App Discovery provides your organisation with information on the Shadow IT situation. Then with that information you need to choose how to address the situation. Cloud App Discover and Cloud App Security can provide controls and further intelligence around the data in use with Shadow IT, the users making use of these systems, and the amount of data being sent. Some organisations may then simply contact the users and discuss business practices with them. They may consult users on whether these external Apps and services should be sanctioned for usage due to the service they offer which is not available through existing services. And they may educate users on data protection requirements and the reasons for the restrictions they have been trying to circumvent.
Cloud App Security offers the further ability to ‘sanction’ a growing list of third-party services, extending Data Loss Prevention and Information Protection policies into these services. If this is not practical, possible, or the chosen path, then Cloud App Security can also export configuration scripts for supported firewall devices to block user access to these services.
As with many of Microsoft’s offerings in the Identity and protection areas, this is just the beginning of the information, capabilities, and every growing feature set of these services.
How can Silversands help?
If you would like to learn more about Shadow IT, Cloud App Security, or investigate implementing some of these services to improve your organisations understanding of the way users interact with IT, please get in touch. We are happy to help. Shadow IT doesn’t have to remain in the shadows, and it doesn’t have to be feared. There are many ways to bring it into the light and control the risks associated with it.
If you have an immediate need for help please complete the contact form. We also post regular blogs about topical IT issues so please do follow us.