Information Security Challenges by Shadow IT
Amethyst’s Iain Ransome discusses what it means and how it can be managed
Before looking at the challenges of information security in the area of Shadow IT, we first need to clearly define what Shadow IT is.
Shadow IT can be seen as information-technology systems and solutions built and used inside an organisation without explicit organisational approval. It can also be seen as solutions specified and deployed by departments other than the IT department. This ‘unauthorised’ approach brings significant challenges. The biggest challenge is probably related to compliance and governance, followed by how the organisation’s ‘Management Board’ responds.
Compliance and Governance Issues
Security compliance (such as ISO 27001 and PCI-DSS) is underpinned by an understanding of the assets within the company (which includes company data), and the controls in place to secure those assets. Shadow IT breaks that model by either removing the assets from the controlled and certified environment, or modifying the environment and therefore undermining the controls in place. In fact, discovering a significant shadow IT presence within an organisation has the potential to invalidate previous certifications (such as ISO 27001), can seriously damage an organisation’s or company’s ability to do business, and has legal ramifications.
Almost all areas of most compliance schemes would be affected by the use of Shadow IT in an organisation; examples include ‘Asset Management’, ‘Access Controls’ and ‘System maintenance and development’.
How can this be managed?
Two extreme responses to the use of employee-selected and quickly deployed IT (Shadow IT) would be to either completely forbid it, or to embrace it.
Forbidding the use of unsanctioned IT would refocus the IT compliance and governance onto the approved IT systems. However, where people decide to break the rules, they are unlikely to be forthcoming about it – this could make the situation worse. In the eyes of the IT and security departments, they have removed the risk of shadow IT and could, therefore, be blinkered to the assets and data sitting outside their IT boundary.
Embracing it means the IT and security teams have a view of where company data is stored and can plan and assess the relevant risks; however, this is likely to increase its use, which may not be the best outcome, and the overall risk of breaches and loss is going to be increased.
The likely best-case scenario for most organisations is somewhere in the middle of those two extremes. A few examples which may work for companies include:
Bring Your Own Device: The security and IT teams of a company establish a BYOD policy. Users are free to use their own devices and systems for day-to-day working, as long as they agree to a set of practices. However, to maintain compliance with certifications, the security team define a set of company data deemed ‘confidential and sensitive’ which is not allowed outside of the corporate network (for example, personnel records, transaction data, technical documentation).
Be Proactive to User Needs: The security and IT teams work with departments across the business to understand the software, systems and cloud platforms they want to use, and make them part of the ‘approved suite’ of applications by assessing them and including them in compliance and risk assessment. Staff and departments can, with justification, raise requests for access to new applications.
Board Level Responses
Security always starts at the Board, as those individuals define and direct the culture of the organisation. The ideal starting point is having a CISO (Chief Information Security Officer) on the Board to represent the security perspective – but the CIO will also be part of the discussion. The main bargaining power for the CISO is the potential loss, damage or reputation hits which come from staff operating outside of the IT infrastructure. It can be difficult to quantify, but pointing to examples of other companies’ losses from Shadow IT, or breaches on typical providers of these systems (e.g. SaaS / Storage providers) can support the arguments. The job is likely to be easier if the organisation relies on particular certifications or compliance for its business; if they require a particular level of control and scrutiny, then the other departments are putting the future of the business at risk by operating in their own way.
In order to focus the emphasis on the important assets, it may be that the CISO allows certain departments who do not hold particularly sensitive information (for example sales and marketing) to have more free rein, whilst those working on the most sensitive assets have the most restriction.
Whilst Shadow IT can be a significant challenge to information security, it can be managed in a variety of ways, according to the business needs and culture required by that organisation or company.