– Espion looks at the challenges for CIOs in the era of “Shadow IT products” –
Like it or not, today’s workers want to use their own devices, applications and software to be more productive at work. Who could blame them for wanting to take advantage of the time-saving, skill-boosting, collaboration-enhancing, process-streamlining (and more) apps and software that have flooded the market.
In many cases, these “Shadow IT products” (non-approved SaaS applications), are downloaded and adopted by employees without consulting their IT department. The scale of this was highlighted last year when a Stratecast and Frost & Sullivan study found more than 80 per cent of survey respondents admit to using non-approved SaaS applications in their jobs. In addition, the study found, the average company uses around 20 SaaS applications; of these, more than seven were non-approved.
This new frontier poses many challenges for CIOs who are expected to deliver IT and enable people to work to their own personal expectations, in the way they use technology in the home – fast, wireless connected 24/7 whilst trying to maintain security and compliance.
In an increasingly complex device, application and software landscape just how can today’s CIO navigate the ever-evolving tasks of Application Management, Mobile Device Management and Enterprise Mobility Management?
The risks versus the rewards
Without doubt, apps and cloud solutions such as Basecamp, Salesforce, Dropbox and Google Apps are great for productivity and flexible working. However organisations need to be highly cognisant of the downside some apps pose for information security risk, particularly as consumers often ignore end user licencing agreements (EULAs), enabling developers to collect and utilise private information to varying degrees.
According to application security company Veracode, 67 per cent of mobile applications can access, add or edit address book contacts. This ability to read data from SIM cards and transmit it to unknown geo-locations could expose an organisation to data loss, improper transmission and storage of potentially sensitive corporate data.
Espion security consultant, Shane Ryan explains: “The worst case scenario is that IT is unaware of cloud and mobile apps employees are using which means they can’t control data access and management. Here a key concern should be corporate data access and data confidentiality issues.
It’s important we learn from the BYOD frontier, where devices were accepted so quickly and extensively that before organisations knew it, vast numbers of employees were using their personal devices for work with little to no consideration of the security implications. As information security moves higher up the corporate agenda CIOs need to take a strategic risk-based approach to managing devices, applications and non-enterprise approved Shadow IT software.”
It is paramount CIOs take heed of the growth in consumer market technologies within the enterprise and accept this trend will continue to evolve. Organisations should plan and address the security aspects of devices, apps and software.
When it comes to protecting your data’s confidentiality, integrity and availability, your resources as well as your reputation here are ten things to consider.
Ten tips for tackling Shadow IT
- Monitor your network to keep track of what Shadow IT is lurking in your systems
By continuously scanning and monitoring your network you will be able to identify Shadow IT and keep track of what’s going on.
To identify the cloud services being used outside of IT’s scope you can process log data from your firewalls, proxies, SIEMS and Mobile Device Management products.
- Quantify the risks by knowing who has access to your corporate data
A key concern should be corporate data access and data confidentiality issues.
By identifying and understanding what data you are processing, transmitting and storing then you can classify data into categories such as confidential, internal organisational use only, public etc. This will help you ensure the right level of controls are used to protect the data.
- What’s the policy?
Consider having a ‘consumerisation policy’ that states what apps, software and devices can be used in the workplace, what part of the network they are allowed to access and what security procedures and protocols they must adhere to.
- Make use of ‘intelligence’ resources that are available to find out about these apps
Currently there are exciting new trailblazing technologies that help enterprises determine the ‘trust’ level of apps with all-in-one App Risk Management services and global databases of analysed public and private apps. Apps can then be blocked based on your risk appetite and enterprise policies.
- Communicate the risks to stakeholders
Explain to colleagues that when they deploy Shadow IT the configuring and managing process (applying patches, authentication and access controls as well as security testing) falls outside the organisation. That makes organisations and their reputation vulnerable.
Enforce the use of approved applications only which meet enterprise standards, and when necessary restrict network access to workers who fail to comply.
- Fear Free apps
While workers may think they are saving money by opting for free apps, these technologies generate revenue by sharing user data with third parties like ad networks which impacts on overall app security and privacy. If you are not paying for the app you and your company data are the product.
- Look for solutions to secure these apps and clouds
When it comes to controlling the extended enterprise, simply and securely, find a solution that can streamline wide-scale deployments by securing or restricting apps automatically.
- Don’t overlook licencing agreements
Shadow software and apps challenge software asset management compliance. What would your organisation do if unapproved software spurred a compliance / regulatory audit with the risk of fines?
- Work with employees to tackle this issue
Aim to work with employees to tackle this issue and have a clear dialogue with business stakeholders about their business challenges and requirements. IT should ultimately be enabling the business to work better and smarter at a known level of risk which is accepted by the business.
Remember to build awareness around the hazards of Shadow IT into your company-wide security awareness and training.
- Perform security testing regularly
Evaluate device security and usage of apps periodically.