Living with Shadow IT: how can we protect our data?
05 October 2017
What we do in the shadows: how do you protect your data and network in a world where shadow IT usage is inevitable?
The uptake of cloud technologies by businesses over the last ten years has revolutionised the way organisations and their employees can operate. It’s thanks to the cloud that the modern workplace is possible; employees are now empowered by technology so that they can work how they want, where they want, and when they want to great effect.
Despite the cloud industry enjoying rapid growth over the last decade, this expansion has been tarnished by concerns around security and compliance, and how cloud usage can be managed and monitored effectively. Cloud users have access to a large variety of productivity applications that can help them to work more efficiently. The problem here is that many of these third-party cloud apps aren't sanctioned by IT, and are thus classified as “shadow IT”. The majority of shadow IT is utilised without IT even being aware of its use, a thought which should set alarm bells ringing for anybody whose job it is to protect data.
Shadow IT is a part of office life
The reality of shadow IT is that it’s ingrained in everyday operations for the majority of office workers. According to CipherCloud, 81% of line-of-business (LoB) employees admitted to using SaaS applications that aren’t sanctioned by IT. Shadow IT is huge, difficult to tackle, and part of normal office life.
It’s worth noting at this point that users of shadow IT aren’t using it maliciously – they’re simply utilising cloud applications to make their work life easier and more productive. This is the Catch-22 that surrounds shadow IT usage: while enforcing anti-shadow IT policies and cutting down on non-compliant application usage is great for security and data management, it could very easily slash productivity across a business by reducing employee output and slowing down processes.
Do you choose data compliance and security, or improved productivity?
Unfortunately for the CIO, Shadow IT completely undercuts data protection policies and IT security strategies because by definition it operates completely separately from the IT department. Any shadow applications that have access to data or company information may not be compliant with data procedures that an organisation has put in place.
If an application has access to data, it has access to that data based on the terms and conditions of the application, not the owner of the data. This may mean the data is stored abroad, could be stored on a public cloud, or may not be encrypted.
Ignoring data compliance in favour of productivity gains could be just as damaging as restricting shadow IT usage. With data laws tightening across Europe as the GDPR becomes a directive, it’s going to be vital that shadow IT is reined in, and that employees are aware of the damage it could potentially cause to the business and even their job security.
How to enable secure shadow IT usage in the workplace
Understanding your current cloud usage across an organisation and making sure your users are aware they’re being monitored is a great first step for getting to grips with the problem of shadow IT. By implementing log-based visibility into all users, services and data transfers, you can effectively monitor which applications are being utilised, which files are being transferred, and where data is being sent to and stored. A key element of the GDPR is monitoring and being able to provide audit trails. Knowing where your data is located is vital to being able to say you can protect it.
As with email security awareness training, part of the problem of shadow IT is that employees don't know what problems using unsanctioned applications could create. By implementing company policies on acceptable cloud usage, as well as cloud/data security awareness training, users will be aware of the threats of shadow IT. Most will also be receptive to understanding more about how the cloud operates, and how it affects them on a business level as well as on a personal level.
Conducting risk assessments and creating procedures around the use of SaaS applications commonly used within an organisation is an excellent approach when it comes to tackling Shadow IT. By whitelisting a number of popular third-party applications following a security review, users will have approved access to a variety of IT-sanctioned applications that can enhance productivity. If multiple applications with a similar objective are used across an organisation, IT can suggest or enforce a preferred application that should be used, resulting in reduced IT spend across a business as well as consolidation of software.
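The log-based visibility and whitelisting steps described above can be combined in a few lines of code. The following is an added example, not Prodec's tooling: it assumes a simple space-separated web proxy log format and a hypothetical allowlist of reviewed domains, and reports which unsanctioned services are in use, by whom, and how much data was uploaded to them.

```python
from collections import defaultdict

# Assumption: allowlist produced by IT's security review (hypothetical domains).
SANCTIONED = {"approved-storage.example", "approved-crm.example"}

# Constructed proxy log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2017-10-02T09:14:07Z alice POST files.approved-storage.example 48211
2017-10-02T09:15:41Z bob POST upload.unreviewed-share.example 7340032
2017-10-02T09:16:02Z bob GET upload.unreviewed-share.example 512
2017-10-02T09:20:18Z carol POST api.unreviewed-notes.example 20480
2017-10-02T09:21:55Z carol POST approved-crm.example 1024
malformed line without enough fields
2017-10-02T09:30:00Z bob POST upload.unreviewed-share.example 1048576
"""

def is_sanctioned(host, allowlist=SANCTIONED):
    """Match the host itself or any parent domain against the allowlist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))

def shadow_it_report(log_text, allowlist=SANCTIONED):
    """Return ({host: {"users", "bytes_out", "requests"}}, skipped_lines)
    for every destination the allowlist does not cover."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparsed lines so gaps in the audit trail are visible
            continue
        _ts, user, method, host, sent = parts
        if is_sanctioned(host, allowlist):
            continue
        entry = report[host.lower()]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):  # uploads are where data leaves the network
            entry["bytes_out"] += int(sent)
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = shadow_it_report(SAMPLE_LOG)
    for host, e in sorted(report.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{host}: users={sorted(e['users'])} "
              f"requests={e['requests']} uploaded={e['bytes_out']} bytes")
    print(f"unparsed lines: {skipped}")
```

Sorting by uploaded bytes puts the services holding the most company data at the top of the list, which is a sensible order in which to run the risk assessments.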
Discover what's happening on your network with a security review from Prodec Networks.
Gain visibility on what's really happening on your network by conducting a security lifecycle review. Understand which applications and programs are being used, and what the potential risk to exposure of your data is.