Tuesday, 21 August 2007

The Dangers of Shadow IT

In case you are not aware of the term “Shadow IT”, it basically refers to those users within the corporate user base who pretty much do their own thing, IT-wise, within the corporate environment. Think about it: gone are the days when the vast majority of corporate help desk calls revolved around user-related help like “How do I create a table in Word?” or “How do I do a formula in Excel?”. Why? Because users are more technically savvy these days, especially younger users, who have grown up with PCs and the Internet all their lives; they tend to solve their own IT problems instead of bothering the help desk. If your organisation doesn’t have a good security culture, you’ll find these sorts of users can be up to all sorts of tricks, such as installing their own applications, using unauthorised hardware like USB hard drives, installing network hardware like switches and hubs and, God forbid, wireless access points, as well as using the Internet for all sorts of things which were never envisaged by the business, such as Web 2.0 stuff like social networking sites.

I mention this topic as a friend of mine was telling me how he re-routed his Internet access away from the corporate-provided remote access via a proxy server, to go directly out via a “self-purchased” ADSL router within a small office site, which he and colleagues had set up without any input from the IT department. He said the IT department still thinks they are using VPN client access over 3G cards. Another friend, who works within an IT department, was telling me just the other week that he had come across several users running self-purchased and self-installed copies of the Windows Vista operating system on their laptops, even though his company was still standardised on Windows XP and had no plans to move until next year.

It is fairly clear that Shadow IT poses many dangers to corporate information security, and as a security professional I know it can be extremely difficult to turn around a Shadow IT culture. However, if you are an IT Manager or Security Manager, it is an absolute must to get a handle on all IT systems and their usage within your corporate environment. It is equally important not to forget those users and devices which access the corporate network remotely.

So how would I go about correcting a Shadow IT culture? First of all, ensure there are (or if not, write) company policies that specifically cover all areas affected by Shadow IT, such as: employees are not permitted to install any IT hardware without express permission from the IT department, and failure to comply is a disciplinary matter. Next, ensure your policies are enforced. I would first recommend giving the users a chance to get the message, so educate them about the policies and why they are important, and try to change the culture. Then follow up the user awareness training with IT audits and network scans, and start to clamp down. Finally, look into using technology to control the IT infrastructure. This can be a bit costly, but depending on the budget and the IT staff’s expertise it is possible to enforce control over just about anything IT-wise, from preventing users from installing applications, to blocking the use of unauthorised USB devices, to controlling which specific devices are allowed on the corporate network (Network Access Control, NAC).
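As an added example (not from the original post) of the “IT audits and network scans” step: a small Python script that reconciles what is actually answering on the LAN against the IT department’s approved inventory and flags anything unsanctioned, calling out a stranger on a gateway address as a possible self-installed router. The inventory, subnet and scan lines are all constructed.

```python
"""Reconcile a network scan against the approved asset inventory and flag
devices the IT department never sanctioned. Added example; every value below
is constructed, not taken from a real network."""

# Approved inventory as IT records it: MAC -> hostname (constructed).
INVENTORY = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "ws-finance-02",
    "00:11:22:33:44:10": "core-sw-01",
}
# Addresses where only an IT-managed gateway should answer (constructed subnet).
GATEWAY_IPS = {"10.0.5.1", "10.0.5.254"}
# Constructed ARP-sweep style output: "ip mac hostname", "-" when unresolved.
SCAN_OUTPUT = """\
10.0.5.11  00:11:22:33:44:01 ws-finance-01
10.0.5.12  00:11:22:33:44:02 ws-finance-02
10.0.5.1   00:11:22:33:44:10 core-sw-01
10.0.5.254 AA:BB:CC:01:02:03 -
10.0.5.37  DE:AD:BE:EF:00:01 daves-laptop
"""

def parse_scan(text):
    """Yield (ip, mac, hostname) per line; lower-case the MAC, skip blank lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        yield parts[0], parts[1].lower(), (parts[2] if len(parts) > 2 else "-")

def find_unauthorised(scan_text, inventory=INVENTORY, gateways=GATEWAY_IPS):
    """Return (ip, mac, hostname, reason) for every device on the wire that is
    absent from the inventory. A stranger answering on a gateway address is the
    signature of a self-installed router, so it gets its own reason."""
    findings = []
    for ip, mac, hostname in parse_scan(scan_text):
        if mac in inventory:
            continue
        reason = ("unknown device on a gateway address: possible rogue router"
                  if ip in gateways else "not in approved inventory")
        findings.append((ip, mac, hostname, reason))
    return findings

if __name__ == "__main__":
    for ip, mac, hostname, reason in find_unauthorised(SCAN_OUTPUT):
        print(f"{ip:<11} {mac}  {hostname:<14} {reason}")
```

Feeding it a real sweep of each site would have surfaced the ADSL router from the story above on the first run.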

I should warn you that it may not be as straightforward as I have painted it either. Just think of the ultimate Shadow IT act, which affects just about every company on the planet, namely the use of USB memory sticks. You have users who buy, or even get for free, their own USB flash memory devices, and they just go ahead and use them within the corporate environment without the permission of IT or even their line managers, often copying corporate data and removing it from the environment. In most places, weighing the benefits USB memory devices provide against controlling their usage is a political hot potato, especially when there are clear benefits to the business and their uncontrolled use has been accepted for a number of years already. However, I say you shouldn’t just sweep this issue under the carpet for another day: at the very least you should seek written sign-off from someone senior within the business to accept the risk. And if you can persuade the business of the need to reduce the security risks of an uncontrolled USB culture and get the budget, you can go out and buy the specialist software that allows only approved devices and provides appropriate encryption.