The shadow information technology (IT) services provided by unknown third-party vendors introduce multiple risks. Any time data is moved to a vendor or accessed outside the corporate network by a third- or fourth-party, the risk of loss increases.
Companies have, in one sense, lost control of IT. A Forbes article reported that 40% of IT spending is not directed by IT anymore. This loss of control is not only a budget problem; It is one of strategic vendor risk management and of data security.
The scope of third party services used in shadow IT is broad. Shadow IT includes:
- Unmanaged mobile, endpoint devices accessing the corporate network
- Free, personal email accounts
- Unevaluated software purchases
- Unreviewed cloud computing technologies and Software as a Service (SaaS) products
A history of being told ‘no’ by security professionals is partly responsible for the rise of rouge or ‘shadow’ technology implementations. Balancing business needs with security is never an easy negotiation, but a complete lack of IT security staff involvement is also not the path to success. Risk-based approaches are needed to balance business requirements against the impact of data loss.
No due diligence
The first step in managing third party vendor risk is to perform due diligence before signing contracts with the vendor. Due diligence, however, takes time. Departments like Human Resources, Sales, Marketing, and many others, take advantage of shadow IT because it is quick, easy to purchase, and deploy. Many times there are not traditional contracts, just terms of service agreements online that users click through without reading.
Risking data loss
Symantec reported in 2013 that 40% of companies with shadow cloud deployments had confidential data exposed. Here’s how: The third party vendor may be:
- Vulnerable to malware due to misconfigurations or patches that were not applied Access controls may not comply with best practices and standards, or may not provide advanced controls, such as multi-factor authentication
- Data may not be stored encrypted (and, if it is, the keys are out of internal control)-
- Some terms of service agreements may transfer intellectual property rights of your proprietary information to the vendor
- Tools used within the network to protect information, such as data loss prevention software, aren't applied to information created outside the network
No compliance with regulations or policies
Even when cloud providers are approved, ensuring compliance with corporate policies is difficult, but at least they can be audited. There are no audits of unapproved third party vendors. They may or may not:
- Comply with applicable laws covering sensitive financial or health information such as the OCC, SEC, HIPAA, or HITECH
- Require traceability of data flows to guarantee its integrity
- Be in other countries that do not adhere to local regulations regarding data protection
If there is a lawsuit, data that resides on shadow IT servers may be outside the scope of e-discovery.
Uncertain business continuity
Using shadow IT introduces threats to business continuity, because there may not be any provision to recover data if the third party vendor ceases operations. Backups may not be taken or stored according to standards. The lack of service-level agreements (SLA) to guarantee uptime and availability can have an impact on routine operations.
Change control issues also affect continuity; integration and compatibility of corporate applications with versions used by the third party vendor is not assured. Because IT doesn't know about the shadow IT providers, these vendors can't be included in annual disaster recovery tests.
Shine light on Shadow IT vendors
The only way to manage the risks of shadow IT is to bring it out of the shadows. Because you cannot perform vendor risk management if you do not know who your vendors are, the first step is to identify the shadow IT services being used by all departments. Tools help monitor the network to identify new connected devices. Firewall and other log files can help identify the cloud services being used. New and innovative technologies like SecurityScorecard allow IT security staff or vendor risk managers to quickly receive an outside-in perspective on the security risk of any company.
Tip for SecurityScorecard Customers: Type in a website address into the platform to perform an instant security audit and retrieve detailed security-risk information, without intruding on a vendor’s system.
Once you've identified the shadow IT vendors, it's important to speak with the business organizations to understand the business need using that service. Evaluate the risk of using the service, and either approve it or work with the department to select an approved alternative to safely migrate to the new vendor. Because the list of shadow IT vendors is likely to be long, identify the data at highest risk and prioritize regaining control of it first.
After these steps are complete, there should not be any shadow IT providers. But that will only be temporary; You will need to continue monitoring usage, and work with departments to meet their computing needs in an approved way. Organizations should:
- Find out why the department went outside proper channels
- Find ways to streamline the process (requests made the 'official' way might require too much paperwork and take too long)
- Train staff so they understand the reasons for policies, and the risks of working with unapproved vendors
Appreciate your employees
Despite the dangers shadow IT introduces, in one sense companies should be grateful for it. Shadow IT exists because employees want to do the right thing—they want the work to get their work done, and need technologies that speed up manual processes, enable easy collaboration, or simply make work easier and less expensive. Companies face a much bigger challenge if their employees do not care enough to break the rules to make it happen.
