In today’s complex IT world, the management and control of technology assets can quickly go off the rails. Companies are finding it increasingly difficult to keep track of exactly which assets they have acquired, which ones have already been implemented, whether they are being consumed properly, and exactly how and by whom they have been used and secured. This is due to so-called “shadow IT,” which occurs when users within organizations start installing systems and applications without the explicit approval of the IT department.
Why does this pose a problem?
Because shadow IT can be any type of application used for business processes but not approved by a central IT or IT security department, it is very likely that the organization neither developed nor supports the application, and may not even know it exists. This is a problem because it increases the likelihood of unofficial data flows and makes compliance with the following regulations and frameworks massively more difficult:
GLBA (Gramm Leach Bliley Act)
COBIT (Control Objectives for Information and Related Technology)
FISMA (Federal Information Security Management Act of 2002)
DFARS (Defense Federal Acquisition Regulation Supplement)
GAAP (Generally Accepted Accounting Principles)
HIPAA (Health Insurance Portability and Accountability Act)
IFRS (International Financial Reporting Standards)
ITIL (Information Technology Infrastructure Library)
PCI DSS (Payment Card Industry Data Security Standard)
TQM (Total Quality Management)
DSGVO (EU General Data Protection Regulation, GDPR)
Roughly 90% of all installed applications are unknown to IT departments.
Ignoring shadow IT is not a solution
SoftwareONE estimates that about 90% of all installed applications are unknown to IT departments – even in highly regulated financial, political and healthcare organizations. With various data protection regulations currently in place globally, it’s important that your organization not merely accept that shadow IT exists, but act on it. Shadow IT can already become a compliance issue when, for example, an employee stores company data in their personal Dropbox or Google Drive account.
Applications that fly below the radar of your corporate IT and its security policies pose a number of legal and security risks to your organization because they are not covered by the same security measures as supported technologies.
Who is in on it?
The consulting firm CEB estimates that 40% of a company’s IT spending is done outside the IT department. Rapid growth is typically driven by the quality of consumer applications in the cloud, such as file-sharing apps, social media, and collaboration tools. Increasingly, business units are also doing their part by delivering enterprise-class SaaS applications. In many ways, shadow IT makes businesses more agile and employees more productive. However, IT and the IT security team are still responsible for ensuring the security and compliance of the business data that employees upload.
Who is responsible for the risks associated with shadow IT?
IT and your IT security team. While IT is not responsible for the physical infrastructure or management of the application, it is responsible for ensuring that business data remains secure when uploaded to the cloud. This puts IT in a difficult position. They might consider denying employees cloud apps for their work, and even blocking access to cloud apps using the company’s firewall or web proxy. We do not recommend this. Unfortunately, for every app that is blocked, employees can find other, lesser-known and potentially riskier services to use instead.
It’s important to note that feelings about shadow IT are mixed. Some IT managers may fear that if shadow IT were to be deliberately allowed, end users could create data silos and prevent information from flowing freely throughout the enterprise.
What can you do about shadow IT?
At SoftwareONE, we believe that the full extent of shadow IT within an organization cannot be determined without thoroughly inventorying its environment using scanning tools. However, you can already put the following actions in motion independently.