A Game of Shadows with the IT Admin

"Shadow IT” refers to the IT systems, solutions, and services used by employees in an organization without the approval, knowledge, and support of the IT department. It is also referred to as “Stealth IT.” In its widely known usage, Shadow IT is a negative term and is mostly condemned by IT teams as these solutions are NOT in line with the organization's requirements for control, documentation, security, and compliance. Given that this increases the likelihood of unofficial and uncontrolled data flows, it makes it more difficult to comply with SOX, PCI DSS, FISMA, HIPAA, and many other regulatory compliance standards.

hidden-shadow.jpg

  

The growth of shadow IT in recent years can be attributed to the increasing consumerization of technology, cloud computing services, and freeware services online that are easy to acquire and deploy without going through the corporate IT department.

  • Usage of Dropbox and other hosted services for storing and exchanging corporate information can be shadow IT.
  • Installation and usage of non-IT-approved software on company-provided devices is also shadow IT. Whether it is installing a photo editing tool, music player, or a pastime game, if your IT regulations are against them, they can also be shadow IT.
  • BYOD, not in accordance with the IT policy, can contribute to shadow IT as IT teams have no way of finding out and protecting corporate data stored on personal devices.
  • Even usage of USB drives or CDs to copy corporate data from corporate devices can be considered shadow IT, if the company’s IT policy has mandated against it.

CHALLENGES & ADVERSE IMPACT OF SHADOW IT

The foremost challenge is upholding security and data integrity. We can risk exposure of sensitive data to sources outside the network firewall, and also risk letting malicious programs and malware into the network causing security breaches. Some companies take this very seriously and stipulate strict IT regulations which require IT administrator’s access to install new software on employee workstations. Some websites can also be blocked when on the corporate network if there are chances of employees exposing data thereat. These could be social media, hosted online services, personal email, etc.

There have been various instances of compliance violations and financial penalties for companies that have had their customer information hacked due to the presence of intrusive malware in an employee’s system, leading to massive data breaches. Should we even start talking about the data breaches on the cloud? It'll be an endless story.

Additionally, shadow IT sets the stage for asset management and software licensing issues. It becomes an onus on the IT department to constantly scan for non-IT-approved software and services being used by employees, and remove them according to policy.

SHOULD SHADOW IT ALWAYS REMAIN A TABOO?

This is a debatable question because there are instances where shadow IT can be useful to employees. If IT policies and new software procurement procedures are too bureaucratic and time-consuming and employees can get the job done quickly by resorting to use free tools available online, then—from a business perspective—why not? There are also arguments that, when implemented properly, shadow IT can spur innovation. Organizations can find faster and more productive means of doing work with newer and cheaper technologies.

 

What is your take on shadow IT? No doubt it comes with more bane than boon. How does your organization deal it?

Anonymous
  • DEpends on the environment and vertical. But for most part, I see it locked down.

  • I think it depends on the environment. Shadow IT tools can create much worse problems in certain environments, and would be a smart move not to allow them. On the other hand, I know of SysAdmins who have their own hidden collection of shadow tools that help get past the occasional hurdle that requires an "out-thebox" solution.

  • Hard to see what other regions are adding to the network

  • I think one piece to solving this problem is bringing Shadow IT out of the shadows and letting it happen in the open and not necessarily discouraging it completely.

    I think you certainly need to secure your production infrastructure and control what types of activities take place there, this is certainly not the place for shadow IT activities.  However, I think it is important to let IT people have a place where they can have that creative outlet to play with new technologies even if it isn't directly related to any specific company sponsored project.  By doing this IT folks keep their skills sharp, they have the creative outlet they need to enjoy their job and they learn about new technologies that may at some point benefit the company.  The solution is to create a lab for this that is detached from the production infrastructure and allow your IT folks to allocated a certain percentage of their time involved in learning activities which can include working in the lab.

  • shadow IT is odd though, as more and more companies expect their users to personally supply mobile devices etc