There’s no arguing that shadow IT has created a multitude of security risks and, regardless of whether they recognize the risks, employees will continue to use unauthorized applications. To date, the tactical response has been to tighten IT controls and implement new policies around applications in an effort to lessen the potential damage. In other words, discover unauthorized activity, block it, repeat.
I’ve yet to meet anyone who follows every corporate IT policy, including IT professionals themselves. In fact, a recent survey showed that IT professionals are among the worst offenders of shadow IT. We’ve all been guilty of breaking the rules every once in a while. We may use an unsecure SaaS application, log-in through an unapproved device, or share passwords for commercial and corporate services. We bend the rules to do our job productively. So, while some may say it’s time to look shadow IT in the eye and tighten control, I believe that’s the wrong approach. Most IT professionals looking shadow IT in the eye would realize they are staring at their own reflection in a mirror.
Enterprises today are still plagued with relatively slow IT cycle times, leaving employees to take measures into their own hands. Not to mention, cloud applications and BYOD has boosted shadow IT usage in the last few years. So, with this knowledge, why does IT still view tighter controls and limited user freedom as the solution?
Despite the risk, let’s assume that there will always be outliers who break IT rules. If we make that assumption up front and digest its implications, we can begin focusing on the fix. Why do users feel the need to bypass IT security controls? The majority of them are not doing so with malicious intent. They are simply chasing productivity not provided by corporate IT. The only way to convince users to abandon shadow IT and adopt corporate sanctioned applications is to provide them with better services than what they can get for free on the open web. Give users what they want and move the demarcation line to SaaS.
For example, if employees are using a multitude of storage solutions that are not supported by an IT infrastructure, provide them with exactly what they need. If they are using a personal Dropbox account but the company has standardized on Box, IT should provide the employees with unrestricted Box accounts for both corporate and personal usage. Yes, that would inherently make any IT professional nervous, but the alternative is… Shadow IT.
Let’s start building IT architectures with the assumption that data exfiltration will happen. Employees will continue to mix corporate and personal usage on company devices and applications. Less than 5% of corporate data is sensitive and some security risks, such as data loss, remain equally if not less likely to happen in enterprise SaaS applications, but the opportunity cost for not moving to SaaS can be measured through agility. IT should focus security efforts on protecting the data it can’t afford to lose, rather than some arbitrary fear of data living in the cloud.
It’s time to stop punishing users for shadow IT usage and start thinking about what IT can do better to keep users productive and secure the enterprise.
Tal Klein | Vice President of Marketing | Adallom | @VirtualTal
Area of Expertise: Security, SaaS, cloud security, virtualization
Professional Biography: Tal Klein is Vice President of marketing at Adallom. Previously, Tal was senior director of products at Bromium where he led product marketing and strategy from stealth mode to a multi-million dollar business, disrupting the enterprise information security landscape. Prior to Bromium, Tal managed integrated product strategy at Citrix, where he developed cross-platform technologies. Tal has also spent over a decade in the webhosting industry developing managed infrastructure services.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.