By Ruby Bayan
"Shadow IT" is as ominous as it sounds. Detached from corporate IT, running its own systems, and covertly implementing its own rules and policies, a shadow unit can quickly become a sinister threat to the company's security infrastructure.
How should CIOs deal with these ghost entities that seem to spontaneously spawn and proliferate behind the scenes? We asked two experts to shed some light on the shadow IT phenomenon: why these groups exist, what security risks they pose, and how top management should address these risks.
Why do shadow IT groups exist?
Some business environments naturally and expectedly become fertile ground for informal—sometimes illegitimate—IT operations. Here are some examples of how these clandestine groups come to life:
1. Shadow IT groups are pressured into existence.
According to Dr. Dennis R. Moreau, chief technology officer at Configuresoft, Inc., some business units initiate IT projects outside of corporate IT because of "significant reductions in IT spending and an increasing demand for IT to address infrastructural issues, including but not limited to security, regulatory compliance, technology migration/updates, and service level maintenance."
Moreau said, "These two pressures have resulted in growing IT project backlogs, which has limited IT's ability to be responsive to the needs of business units, many of whom are dependent on IT projects to achieve business objectives." Business units then take matters into their own hands.
2. Shadow IT teams are initiated to address specific business unit needs.
In many instances, Moreau said, corporate IT governance and standardization efforts don't appropriately accommodate business needs. The efforts serve to impede business processes and a company's ability to compete, prompting business units to initiate shadow IT projects.
Shadow projects "typically exhibit low risk because of their very limited scope and tight alignment with business unit needs. They also exhibit quickly realized ROI, partially because the initial investment does not address lifecycle project, support, or infrastructural costs," Moreau said.
3. Shadow IT units are stimulated by the delusion of speed.
Some business units rationalize that it would take the IT department eight weeks to do what employee "Bob" can do in two weeks. "They fail to realize that Bob doesn't have to document requirements, decompose requirements into specs, work with the right people to design schemas in enterprise-class systems where the data can be normalized and reused," said George Spafford, principal of Spafford Global Consulting and vice president of publishing for the IT Process Institute.
"This delusion of speed starts to break down as these shadow systems attempt to scale, have problems, are breached, and so on," he said.
What security risks do shadow units pose?
"Systems that are procured and provisioned outside of professionally staffed, standardized, and monitored IT processes are far less likely to conform to continuously evolving configuration best practices, security checklists, and patch levels," said Moreau. Shadow operations, Spafford added, are also prone to lack of standards, documentation, business continuity planning, and understanding of proper security design and development.
As a result, shadow IT units can expose a company's overall IT infrastructure to significant risks. For example:
- A compromised system can provide information about the architectural configuration and network infrastructure.
- Just one insecure system represents a significant denial of service risk to all other systems on the same network segment.
- A compromised system may also become a launching point for exploit attempts against neighboring systems.
- A compromised system represents a potential point from which to initiate covert communication of sensitive information.
How should management address security risks?
What should you do to eliminate, minimize or at least manage these security risks? Moreau proposed some strategies:
1. Invest in tools that can discover and characterize the shadow IT footprint.
Systems in this footprint may not participate in corporately managed domains and may not be instrumented with supported management stacks. The most effective discovery approaches will involve both active (scanning) and passive (directories, caches, logs, etc.) discovery capabilities. Comprehensive remote auditing of discovered systems should include configuration settings, dependencies, and software deployment (including patches).
2. Improve the management of existing shadow IT facilities.
Develop the capability to associate and track security exposure across discovered systems. By conducting continuous assessments of discovered systems against current security configuration recommendations, corporate IT can audit organizational exposure over time and across facilities.
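The first two strategies above (discovering the shadow IT footprint through passive sources, then tracking the exposure of the discovered systems against a security configuration baseline) can be sketched in code. The following Python script is an added illustration, not code from the article or from either expert's company: it reads constructed DHCP lease log lines (a hypothetical log format), treats any host not in a constructed list of managed-domain members as an unmanaged candidate, and grades each candidate's constructed remote-audit record against a hypothetical baseline. All hostnames, log lines, settings and the baseline values are made up for the example.

```python
"""Passive shadow-IT discovery and baseline assessment (constructed example)."""
import re

# Constructed DHCP server lease log (hypothetical format, not a real product's log).
DHCP_LOG = """\
2024-03-01T08:02:11 DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:01 (ws-finance-07)
2024-03-01T08:05:42 DHCPACK on 10.20.1.16 to 00:1a:2b:3c:4d:02 (srv-marketing-db)
2024-03-01T08:07:03 DHCPACK on 10.20.1.17 to 00:1a:2b:3c:4d:03 (ws-finance-08)
2024-03-01T09:12:55 DHCPACK on 10.20.1.40 to 00:1a:2b:3c:4d:04 (bobs-webapp)
2024-03-01T09:15:10 DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:01 (ws-finance-07)
2024-03-01T09:20:00 DHCPACK on 10.20.1.50 to 00:1a:2b:3c:4d:05 (printer-lobby)
"""

# Constructed: hostnames that are members of the corporately managed domain.
MANAGED_DOMAIN = {"ws-finance-07", "ws-finance-08"}

# Constructed: results of a remote audit of discovered hosts (hypothetical settings).
AUDIT_RESULTS = {
    "srv-marketing-db": {"patch_level": "2023-11",
                         "remote_admin_open_to_internet": True,
                         "default_credentials": False},
    "bobs-webapp": {"patch_level": "2022-06",
                    "remote_admin_open_to_internet": True,
                    "default_credentials": True},
}

# Constructed: current security configuration recommendations.
BASELINE = {
    "min_patch_level": "2024-01",           # YYYY-MM, so string comparison orders correctly
    "required_settings": {"remote_admin_open_to_internet": False,
                          "default_credentials": False},
}

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)$"
)


def parse_dhcp_log(text):
    """Passive discovery: one record per hostname, keeping the most recent lease."""
    hosts = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated log lines rather than failing the whole run
        rec = m.groupdict()
        prev = hosts.get(rec["host"])
        # ISO-8601 timestamps compare correctly as strings
        if prev is None or rec["ts"] > prev["last_seen"]:
            hosts[rec["host"]] = {"ip": rec["ip"], "mac": rec["mac"], "last_seen": rec["ts"]}
    return hosts


def find_unmanaged(hosts, managed_domain):
    """Hosts seen on the network that do not participate in the managed domain."""
    return sorted(h for h in hosts if h not in managed_domain)


def assess(host, baseline, audit):
    """Compare one host's audit record against the baseline; return a list of findings."""
    if host not in audit:
        return ["no audit data: host discovered but not yet remotely audited"]
    cfg = audit[host]
    findings = []
    if cfg["patch_level"] < baseline["min_patch_level"]:
        findings.append(f"patch level {cfg['patch_level']} older than baseline "
                        f"{baseline['min_patch_level']}")
    for setting, required in baseline["required_settings"].items():
        if cfg.get(setting) != required:
            findings.append(f"{setting}={cfg.get(setting)} (expected {required})")
    return findings


def exposure_report(hosts, managed_domain, baseline, audit):
    """Map every unmanaged host to its findings, so exposure can be tracked over time."""
    return {h: assess(h, baseline, audit) for h in find_unmanaged(hosts, managed_domain)}


if __name__ == "__main__":
    discovered = parse_dhcp_log(DHCP_LOG)
    for host, findings in exposure_report(discovered, MANAGED_DOMAIN, BASELINE, AUDIT_RESULTS).items():
        print(f"{host} ({discovered[host]['ip']}): {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```

Running the script once gives a snapshot; keeping each run's report and diffing them is what turns the snapshot into the continuous assessment the second strategy calls for. The "no audit data" finding is deliberate: a discovered host that has never been audited is itself an exposure, not a blank entry.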
3. Make the initiation of additional shadow IT operations less likely.
Establish mechanisms for more rapidly adapting IT platform and process standards to business needs. This may also mean supporting more sanctioned platforms and more flexible processes. Emerging configuration management repository technologies greatly improve IT decision support, resulting in more rapid compliance assessment, more comprehensive dependency determination, more efficient configuration correction, and better configuration correlation.
Encourage IT organizations to aggressively partner with business units in addressing business-driven needs. Remind business drivers of IT's ability to leverage existing IT capabilities and expertise throughout design, planning, development, operations, and support phases.
Document both support cost and security risks observed in the operating shadow IT environments. This information is the best ammunition for fostering improvements in managing risk posed by shadow IT operations.
Spafford added that management needs to understand the risks associated with the current IT model and make a decision about whether it is willing to accept the risks. "Management must be willing to formally document what they are willing to accept," he said.
Further, Spafford said that management must understand that shadow IT is part of the overall control environment and is not exempt from regulatory compliance. "If the shadow IT remains, then they must play by the same rules as [corporate] IT," he noted.
"Shadow IT is a fascinating dynamic to watch," said Spafford. "It's all about people, resources, and meeting expectations. If management fails to set the proper control environment tone from the top, shadow IT will always exist."