Field Notes: Shadow IT
The Cloud is everywhere we turn these days. If you haven’t seen or read an article in the last year about what it is, why you should move to it, why you shouldn’t move to it, how everyone else is moving to it, or other key, critical advice about it, then you haven’t been paying attention. I’m even guilty of it myself, having co-written with my colleague, Brandon Leatha, a piece about what to consider when migrating to the Cloud (Legal Considerations when Adopting Cloud Technologies.)
That’s all important, and your IT and Legal groups ignore it at their peril, but I’m here to talk about something entirely different that has existed for decades, yet is now becoming much more prevalent, and significantly more dangerous, thanks to the Cloud – Shadow IT. Shadow IT is the name we give to employee-created technology solutions that the company has not authorized.
Historically, it was the employee who brought a personal WiFi router into the office, or perhaps the manager who downloaded and installed applications onto machines in their department to solve a business need, but did so without corporate IT’s knowledge or blessing. Hence the term Shadow IT, because it hides in the shadows of the organization and isn’t readily apparent or visible.
Why do we care? These employees are solving important business needs that IT is failing to provide for; how is that a bad thing? Well, that WiFi router is likely to be consumer grade, misconfigured, and a large security hole that attackers can exploit to gain a network foothold. That application the manager installed is likely unlicensed and may include undesirable functionality (e.g. malware or viruses.) Technologies and software are being added to the environment unbeknownst to the individuals responsible for security, thereby introducing both unknown and unaddressed risk. Employees are now combining Shadow IT with Cloud solutions and inadvertently creating a very real risk to organizations.
Employees can easily set up entire financial or customer relationship management systems (e.g. Salesforce), or configure their own cloud-based backups and file sharing (e.g. Dropbox, OneDrive, Google Drive), or use collaborative cloud-based documents (e.g. Google G Suite). They have now introduced a huge amount of risk to an organization with a few simple clicks and an email address, especially when IT or Legal doesn’t know those technologies are in use. Imagine collecting documents for discovery without knowing employees are using Google Docs extensively. Or that there is a Shadow IT system containing historical copies of documents directly contradicting document retention policies. Not to mention that employees may be storing important, and possibly sensitive, company information in a location they know little, if anything, about and with a company they likely only have a click-aware agreement with.
We can work with you to help identify Shadow IT, define how it exists within an organization, and, more importantly, assist in finding ways to bring it in-house while still being sensitive to the business needs that drove employees to it in the first place. This last point is critical: if we don’t consider the underlying business need, the problem will simply manifest itself again in a new form as employees do what’s necessary to get their jobs done. When Shadow IT is resolved properly, everyone comes away winning, but you first have to know it’s there and the business need it’s solving.
Shadow IT is difficult to identify, it’s quickly becoming Cloud-based, and, more importantly, it can represent a real and present risk to your organization. Do you know what’s lurking in your shadows?
First appeared in The iDS Forensicators Blog as "THE FORENSICATORS PRESENT ... DANGER LURKING IN THE IT SHADOWS"