Shadow IT

In our industry, you occasionally come across a new buzzword and then it seems to cluster: you hear it again, in a different context, a few days later. One such buzzword is the term “Shadow IT”.

The phrase seems to have first surfaced around 2011 and in essence describes the point where users bring in their own IT equipment, or source software from anywhere but the IT department. It is the nightmare scenario of any control-freak IT manager. Of course, we now have phrases like BYOD – Bring Your Own Device – to describe the point where personal spending on IT gadgets exceeds the budget the organisation can justify per individual. But Shadow IT also includes the manager going rogue and developing their own systems, or plugging in their own wireless router because the corporate one forces them to use a VPN and that isn’t very convenient.

The hardy IT manager then faces the tension between the keen new owner, who wants their shiny kit to be a viable work device, and the organisation, which has to honour all the security commitments it has made.

I’ve been looking at our security products recently and trying to work out how we as a supplier provide a comprehensive capability but allow the customer to adhere to their security practices. For example, I often get asked if our datacentres are PCI compliant, which is kind of the wrong question. We can make our co-location product compliant and it will be fine right up until a customer walks in, legitimately accesses their own servers and walks out with a USB stick full of credit card details. I can’t stop them doing that. Security isn’t a tickbox on an order form; it is a co-operation between users, the IT manager and the supplier.

One place you can get it right very easily, though, is by having as few Internet borders as possible. We would much rather sell an MPLS network with a single Internet breakout through a managed firewall than have Internet delivered to every site individually. We call this “minimising the potential attack vectors”: every extra breakout is another edge to police. We use a system called “Co-Management”, which gives the partner access to update the firewall policy while we are always there to help when needed, sometimes just to sanity check a proposed change.

Shadow IT reminds us that every device can potentially carry corporate data away. Unauthorised IT solutions are sometimes a rebellion against an overly strict security regime, as much as they can be an exercise in the end user’s vanity. But data dribbling out of the company via lots of unknown devices and systems horribly undermines that single-border principle. Shadow IT will not go away. In fact, it will get worse as consumer devices become more powerful and cheaper to acquire.

So what is the IT manager to do?

Firstly, establish who needs access to what and, in contrast, what you are trying to protect and from whom – both inside and outside the business. Then accept that users expect access to everything from any device. Decide who “owns” that data in the business. Then think about the technologies available to you. A Virtual Data Centre is a great way of ring-fencing your data, and a centralised firewall with a well-written policy gives the edge security that is so essential. Modern firewalls have a range of UTM (Unified Threat Management) capabilities, which can be coupled with an identity policy linked to the corporate Active Directory database, so that rules follow the user rather than the device. Spending time writing that policy and reading the firewall manual is time well spent. No supplier will ever know your company better than you do, so spend time working together with them to help them help you. There is no tickbox for that.

There are all sorts of things ready to leap out of the shadows on the unsuspecting IT manager. Security concerns need not be one of them.