The shadow IT fight — 2023 style

The heart of making strategic IT decisions relies on what is supposed to be an accurate and complete global data map, along with a similarly correct and comprehensive asset map. Sadly, no enterprise has that today and, to be candid, probably never did.

There are always problems gaining full visibility today into anything IT-related, but as the enterprise environment has changed in recent years, the age-old IT nemesis, shadow IT, is still a major factor. 

This problem has gotten a lot worse during the last few years because of several issues. Beyond the growth of IoT and OT devices, and partners and customers gaining network privileges, the biggest change is the avalanche of home offices and the lack of consistency or standards across those remote sites. Routers can be from any vendor and associated with any carrier. Hardware firewalls may or may not exist — and may or not ever get patched if they do exist. Most LANs are wild west, with access granted to anyone (like, perhaps, the boyfriend of the employee’s teen-age daughter). 

Beyond the hardware, software, and device issues, the idea of shadow IT itself no longer means what it did a decade ago. The original definition meant an employee or contractor who did an end run around IT by purchasing technology elsewhere, such as buying a router from Target or getting cloud space from Amazon, Microsoft, or Google. The typical reason was usually a lack of patience for IT to get around to responding to and fulfilling a request. It’s easier for an employee/contractor to just pull out a Visa card and get what they need in a few minutes. 

What should it be called when a supplier adds something into a system and fails to mention it? That happened to a large manufacturer when a very large and expensive piece of assembly line equipment — something that the enterprise had been consistently purchasing from the same vendor for many decades — started to malfunction. While waiting for the vendor’s repair people, workers removed a panel and discovered microphones with tiny antennas attached. It turns out the vendor had added in IoT devices with the last upgrade, and failed to mention the change to any customers. 

That meant there was IoT hardware on the factory floor that corporate IT knew nothing about. Is that shadow IT? What about when the facilities maintenance people start buying IoT lightbulbs or doorlocks without permission from IT or the security folks? 

Here’s my favorite: What about when a strategic business partner mandates certain systems, software, or devices? 

“IT is discovering people using VPNs, cloud storage, and other services required by their partners, but not approved by the organization, as partnerships involve more digital connections,” said Bob Hansmann, senior product marketing manager for security at Infoblox. 

Are an enterprise’s employees supposed to report it to IT? Is that partner supposed to? You guessed it: nobody reports it to IT and yet there it is, accessing and interacting with sensitive corporate intellectual property. Is that particular partner interaction shadow IT?

Even worse, what’s supposed to happen when the enterprise and the partner have polar opposite policies? For example, what if an end user’s employer insists on using Google Drive — and prohibits Microsoft or DropBox? And the partner’s team insists that everyone uses DropBox for a project because their IT prohibits Google? Those rules might be in place for security, compliance needs or even competitive reasons, such as if the partner competes with Google in some other product area or geography.

Those are the kinds of minutiae that are almost never hashed out in contract negotiations. 

There are some ways to try and uncover some shadow IT efforts, but its changing nature makes even those techniques less effective. One approach would be to use DNS tracking to detect network activity going to something that shouldn’t be connected to the enterprise. A less nerdy approach is simply having IT work with accounts payable to regularly audit expense reports — looking for any tech purchases that should have been processed through IT.

“Using technology is tough, as it’s not easy to define what’s personal use vs. business use,” said Dirk Hodgson, the director of cybersecurity for NTT Australia. “OneDrive, for example, can be both. And that problem multiplies out to be enormous when you consider that most shadow IT is SaaS and web application based, and that a lot of it is free open source — so you can’t even find a financial transaction to identify it.

“As an example of scale, one relatively small financial services customer I work with — with fewer than 1,000 seats — has about 4,500 applications showing in the tool they use to scan their environment for applications,” Hodgson said. “Trying to find a ‘shadow IT’ app in that context is definitely needle in haystack work. If someone accesses their personal Google drive at work, is that shadow IT or just a personal app?

“It’s not realistic to ask the user to check every single one of them all of the time,” he said. “But if you don’t, and just block access, it can be painful for user experience and stop them from performing legitimate business functions.”

Hodgson argued that blocking or otherwise trying to defeat shadow IT directly is unlikely to work. The better approach, he argues, is to address the underlying issue. In other words, make IT so responsive, effective, and low-cost that end users have little reason to go their own way.

“I had a customer buy at significant cost a low-code rapid application development platform and the staffing needed for it,” Hodgson said. “Then IT let business areas access both at a very low cost for whatever new app they needed, to save them going elsewhere.”

Hansmann argued that there’s a different reason for end users to gravitate to shadow IT: lack of awareness that a specific tool is needed for a specific task.

“Users are often not aware of the appropriate tool and they are usually more familiar with a similar tool and prefer their own,” Hansmann said. “Or there is a specific unauthorized tool that is required by a business partner, as in ‘Use our VPN or authentication software to access our resources.’”

Another issue, he argued, is that IT tends to get cynical and suspicious — with good cause — and sees all shadow IT efforts as “a user consciously attempting to evade company/agency visibility and controls to do something unethical, illegal, etc. IT can no longer afford to treat every breach as if that is the case. History shows that the majority of shadow IT violations can be easily rectified without making things uncomfortable for valuable employees who were just trying to do the right thing.”

Rex Booth, the CISO at identity vendor SailPoint, said this problem is quite likely to get worse.

“The prevalence of shadow IT has traditionally correlated to how much faster business units can get results by circumventing the CIO,” Booth said. “When SaaS emerged, that speed gap increased, which meant the prevalence of shadow IT jumped as well. The big question now is what impact generative AI is going to have.

“If a business unit can generate a custom app in a few days, do you think they’ll wait around for the official IT process?  This is going to get big fast.”

Another frightening consideration: How serious is your company about enforcing shadow IT rules? At most companies, IT talks a good game and declares shadow IT efforts forbidden. But when those rules are violated, meaningful punishments never happen. What message does that send to end users?

Is a company ready to sanction a senior manager who is of great value to the company for bypassing controls to use a shadow IT service? Will it be ignored or result in an insignificant response?

“You have to consider the need for deterrence in how your company handles unauthorized use of IT services,” said Alan Brill, senior managing director in the Kroll cyber risk practice. “People have to understand that there can be real and substantial penalties for doing so, or whatever you are doing may just motivate people to seek new ways of beating the system because they don’t believe that there will be significant consequences if they are caught.

“I think this is a topic that has to be jointly considered by the IT, HR and legal units of a company,” Brill said. “If you want to be serious about discouraging shadow IT, you have to make it painful to break the rules. If you aren’t willing to do that, your shadow IT interdiction program may be seen as a toothless tiger.”