By Ruby Bayan


“Shadow IT” is as ominous as it sounds.
Detached from corporate IT, running its own systems, and covertly implementing
its own rules and policies, a shadow unit can quickly become a sinister threat
to the company’s security infrastructure.

How should CIOs deal with these ghost entities that seem to
spontaneously spawn and proliferate behind the scenes? We asked two experts to
shed some light on the shadow IT phenomenon: why these groups exist, what
security risks they pose, and how top management should address these risks.

Why do shadow IT groups exist?

Some business environments naturally and expectedly become
fertile ground for informal—sometimes illegitimate—IT operations. Here are some
examples of how these clandestine groups come to life:

1. Shadow IT groups are pressured into existence.

According to Dr. Dennis R. Moreau, chief technology officer
at Configuresoft, Inc., some
business units initiate IT projects outside of corporate IT because of
“significant reductions in IT spending and an increasing demand for IT to
address infrastructural issues, including but not limited to security,
regulatory compliance, technology migration/updates, and service level

Moreau said, “These two pressures have resulted in
growing IT project backlogs, which has limited IT’s ability to be responsive to
the needs of business units, many of whom are dependent on IT projects to
achieve business objectives.” Business units then take matters into their
own hands.

2. Shadow IT teams are initiated to address specific business unit needs.

In many instances, Moreau said, corporate IT governance and
standardization efforts don’t appropriately accommodate business needs. The
efforts serve to impede business processes and a company’s ability to compete,
prompting business units to initiate shadow IT projects.

Shadow projects “typically exhibit low risk because of
their very limited scope and tight alignment with business unit needs. They
also exhibit quickly realized ROI, partially because the initial investment
does not address lifecycle project, support, or infrastructural costs,”
Moreau said.

3. Shadow IT units are stimulated by the delusion of speed.

Some business units rationalize that it would take the IT department
eight weeks to do what employee “Bob” can do in two weeks. “They
fail to realize that Bob doesn’t have to document requirements, decompose
requirements into specs, work with the right people to design schemas in
enterprise-class systems where the data can be normalized and reused,”
said George Spafford, principal of Spafford Global Consulting and vice
president of publishing for the IT Process Institute.

“This delusion of speed starts to break down as these
shadow systems attempt to scale, have problems, are breached, and so on,”
he said.

What security risks do shadow units pose?

“Systems that are procured and provisioned outside of
professionally staffed, standardized, and monitored IT processes are far less
likely to conform to continuously evolving configuration best practices,
security checklists, and patch levels,” said Moreau. Shadow operations,
Spafford added, are also prone to lack of standards, documentation, business
continuity planning, and understanding of proper security design and

As a result, shadow IT units can expose a company’s overall
IT infrastructure to significant risks. For example:

  • A compromised system can provide information about the architectural
    configuration and network infrastructure.
  • Just one insecure system represents a significant denial of service risk
    to all other systems on the same network segment.
  • A compromised system may also become a launching point for exploit
    attempts against neighboring systems.
  • A compromised system represents a potential point from which to initiate
    covert communication of sensitive information.

How should management address security risks?

What should you do to eliminate, minimize or at least manage
these security risks? Moreau proposed some strategies:

1. Invest in tools that can discover and characterize the shadow IT footprint.

Systems in this footprint may not participate in corporately
managed domains and may not be instrumented with supported management stacks.
The most effective discovery approaches will involve both active (scanning) and
passive (directories, caches, logs, etc.) discovery capabilities. Comprehensive
remote auditing of discovered systems should include configuration settings,
dependencies, and software deployment (including patches).

2. Improve the management of existing shadow IT facilities.

Develop the capability to associate and track security
exposure across discovered systems. By conducting continuous assessments of discovered
systems against current security configuration recommendations, corporate IT
can audit organizational exposure over time and across facilities.
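As an added example (not code from the article or from either expert), the following Python sketch works through strategies 1 and 2 together: passive discovery from constructed DHCP lease and ARP cache samples, reconciled against a constructed managed-host inventory to produce the shadow footprint, then an assessment of each discovered host's constructed audit results against a baseline of minimum patch date and disallowed services. The inventory, log formats, audit fields and baseline values are all assumptions for illustration.

```python
import re
from datetime import date

# Constructed sample data (not from the article): the inventory of hosts corporate IT
# manages, plus two passive sources that record hosts whether or not they joined a domain.
MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
DHCP_LEASES = """\
lease 10.0.1.10 { hardware ethernet 00:11:22:33:44:10; client-hostname "fin-ws01"; }
lease 10.0.1.50 { hardware ethernet 00:11:22:33:44:50; client-hostname "bobs-server"; }
lease 10.0.1.51 { hardware ethernet 00:11:22:33:44:51; client-hostname "mktg-nas"; }
"""
ARP_CACHE = """\
10.0.1.11  00:11:22:33:44:11  dynamic
10.0.1.52  00:11:22:33:44:52  dynamic
"""
LEASE_RE = re.compile(r'lease (\S+) \{.*?client-hostname "([^"]+)"')

def passive_hosts(dhcp_text, arp_text):
    """IP -> hostname (or None) for every host seen in the passive sources."""
    seen = dict(LEASE_RE.findall(dhcp_text))
    for ip in re.findall(r"^(\S+)", arp_text, re.M):
        seen.setdefault(ip, None)  # ARP gives no hostname
    return seen

def shadow_footprint(managed, seen):
    """Hosts observed on the network but absent from the managed inventory."""
    return {ip: name for ip, name in seen.items() if ip not in managed}

# Constructed output of an active configuration/patch audit of the discovered
# hosts (10.0.1.52 never answered), and the baseline they are assessed against.
AUDIT = {
    "10.0.1.50": {"patched": date(2023, 1, 15), "services": {"ssh", "telnet"}},
    "10.0.1.51": {"patched": date(2024, 6, 1), "services": {"smb"}},
}
BASELINE = {"min_patched": date(2024, 5, 1), "banned_services": {"telnet", "ftp"}}

def assess_exposure(footprint, audit, baseline):
    """Per-host findings against the baseline; an empty list means the host conforms."""
    report = {}
    for ip in footprint:
        cfg = audit.get(ip)
        if cfg is None:  # seen passively but unreachable by the active audit: still exposure
            report[ip] = ["no active audit result"]
            continue
        findings = []
        if cfg["patched"] < baseline["min_patched"]:
            findings.append("patch level behind baseline")
        findings += [f"banned service: {s}" for s in sorted(cfg["services"] & baseline["banned_services"])]
        report[ip] = findings
    return report
```

Calling `assess_exposure(shadow_footprint(MANAGED_HOSTS, passive_hosts(DHCP_LEASES, ARP_CACHE)), AUDIT, BASELINE)` flags 10.0.1.50 for its stale patch level and telnet service, passes 10.0.1.51, and reports 10.0.1.52 as discovered but never audited. Re-running the assessment on each new audit snapshot is what lets corporate IT track exposure over time, as strategy 2 describes.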

3. Make the initiation of additional shadow IT operations less likely.

Establish mechanisms for more rapidly adapting IT platform and process
standards to business needs. This may also mean supporting more
sanctioned platforms and more flexible processes. Emerging configuration
management repository technologies greatly improve IT decision support, resulting
in more rapid compliance assessment, more comprehensive dependency
determination, more efficient configuration correction, and better
configuration correlation.

Encourage IT organizations to aggressively partner with
business units in addressing business-driven needs. Remind business drivers of IT’s
ability to leverage existing IT capabilities and expertise throughout design,
planning, development, operations, and support phases.

Document both support cost and security risks observed in
the operating shadow IT environments. This information is the best ammunition
for fostering improvements in managing risk posed by shadow IT operations.

Spafford added that management needs to understand the risks
associated with the current IT model and make a decision about whether it is
willing to accept the risks. “Management must be willing to formally
document what they are willing to accept,” he said.

Further, Spafford said that management must understand that
shadow IT is part of the overall control environment and is not exempt from
regulatory compliance. “If the shadow IT remains, then they must play by the
same rules as [corporate] IT,” he noted.

“Shadow IT is a fascinating dynamic to watch,”
said Spafford. “It’s all about people, resources, and meeting expectations.
If management fails to set the proper control environment tone from the top,
shadow IT will always exist.”