Thanks to increased adoption of SaaS, Cloud infrastructure and Cloud platforms, many business units (BUs) within organizations are able to innovate at a faster rate than before. This also means bypassing IT, since a BU no longer needs IT to provision new infrastructure. Industry vendors and analysts often term this “Shadow IT”. Shadow IT can put IT audit and compliance teams in a tough spot, as they cannot assure the security and compliance posture of their organization. In many cases, central IT may not even be aware that the Shadow IT exists.
However, when talking about “Shadow IT”, it would be shortsighted to limit the discussion to just what employees are doing. While SaaS adoption is a major factor in creating Shadow IT, there is also increased adoption of Infrastructure as a Service (IaaS) and increased integration with Cloud services through APIs. The other side of the equation is BUs providing services to partners and customers without IT being aware of it.
Let's look at some concrete examples:
- The sales team goes ahead and signs up for a new SaaS service to automatically fill in details for a lead. Does the data the sales department is pulling into its systems violate any privacy requirements that the organization may have committed to?
- An employee within a business unit decides to surface order data to a partner by standing up a simple app on Amazon Web Services. Does the audit department know about the data being sent out to partners? What kind of tracking is available on who is downloading this data and looking at it?
- A developer within a business unit may integrate with a third-party cloud service to support payments. Is the use of a third-party cloud service to process payments approved by the compliance department? Does this cloud service provide enough risk assurances?
- A business unit head may decide to try out a new custom app for scheduling appointments. Is this new app known to the security department? What are the implications of leaking this executive's appointment details without adequate guarantees?
- A business unit stands up a new app for consumption by other departments. Is the data being exchanged between departments within the parameters of what can be shared? For example, Personally Identifiable Information (PII) must not leave the HR department inadvertently. Someone without knowledge of the compliance requirements may not account for them when writing the new application.
We can broadly summarize Shadow IT as coming from three different places:
- Employees/Developers using Cloud Services (without IT knowledge)
- Partners/Customers connecting to cloud services provided by your organization (without IT knowledge)
- Internal apps used between departments (without IT knowledge)
Addressing Shadow IT
Despite these risks, it is not recommended that IT take a control-oriented approach to Shadow IT. Such an approach often backfires, and business units come to view IT as getting in the way of doing business.
Whatever you do, do not panic and shut down BU usage of cloud services.
Step 1 of a viable IT tactic for dealing with the risk presented by Shadow IT is to discover it. Using the new tools provided by many vendors, IT can discover the Shadow IT in its organization. This is not a one-time exercise; it has to become part of the regular IT cadence.
Armed with this knowledge, IT should talk to the business units that are doing Shadow IT to understand their requirements and how IT can supplement them to secure their usage of cloud services. This should be done in a collaborative manner.
Once the cloud services that are at risk have been identified and a business discussion has taken place with the business units, IT should define security policies to enforce, based on a risk assessment for its organization. These security policies can be enforced with one of the cloud security gateways available on the market.
In future posts, I will discuss some examples of discovering Cloud Services and example Cloud Security policies.