“Shadow IT” refers to the too-common practice whereby managers select and deploy cloud services without the consent or even the knowledge of the IT department. These services act as extensions of the corporation but are steered entirely by groups that lack the knowledge or process to ensure they follow necessary guidelines, introducing security, compliance, and brand risk throughout the enterprise. Gartner predicts that by 2020, one-third of security breaches will come in through shadow IT services.
1. Understand your users’ motivations
Your users aren’t selecting and deploying their own cloud solutions out of any desire to give you headaches or put the company at risk. They view these services as safe, reliable ways to make their jobs more effective, and it doesn’t even occur to them that there is a good reason to involve the IT department in these decisions. The more you can consider their perspective, the easier it will be to enlist their cooperation.
2. Know who’s sending email
Most enterprise cloud services will, somewhere along the line, send email as part of their workflow, usually with one of your corporate domain names in the From address. That’s good news, because you can use the DMARC open email authentication standard to gain visibility into all email sent using the domain names you control, even when that email originates from a service entirely outside your network. Legitimate cloud services sending on behalf of your company are overwhelmingly likely to be in use by your employees; if they’re not already on your radar, they’re shadow IT.
3. Reach out
Once you know the sending services, you’re ready to track down their owners. For some of these it will be easy to create a shortlist: Look to customer service for a ticketing system or marketing for a bulk emailing service, for example. For others you may need to ask the finance team; after all, somebody is paying for them. A company-wide communication to management may even be in order.
4. Resolve compliance issues for each service
Now you can engage the owners of these services to identify how they’re used and if they present risk to the corporation. By taking a reasonable approach with business needs in mind, you should be able to serve the business and still meet the company’s security and compliance requirements. The goal is not to eliminate good cloud services. Rather, it’s to ensure that all cloud services in use are good.
5. Find out what else they have
Managers who are spending money on cloud services often don’t stop at one. When you do identify these owners, it’s a good time to find out what other services they have in use that you may not have discovered.
6. Be patient
Some of these procedures will take a little while. You will need time to get the message out, and you may need some time to work with vendors and internal departments to ensure services are OK for use. Remember, employees probably are unaware that their behavior could bring risk to the company, so they’ll have to go through a learning process.
7. Give them a deadline
Patience is a virtue, and yet we can’t let things drag on forever. You will find that, left to their own devices, some users won’t prioritize your project and some services will never meet with your satisfaction. That means you will need a deadline, after which non-compliant services will be shut off. Give your users every opportunity to work with you first, and then be ready for the enforcement phase.
8. Shut off the offenders
Here is where email authentication comes in again. If you’ve already used DMARC to identify the email sources, you can also use it to shut down unauthorized senders. This enforcement keeps email from unauthorized senders out of mailboxes both inside and outside your corporate walls. Sometimes this step will get your users off the dime, and sometimes the company will decide it doesn’t want these services working on its behalf.
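As an added example that is not part of the original article, the Python script below parses a DMARC aggregate (RUA) report and labels each sending source: sanctioned senders, unknown senders that nevertheless authenticate for your domain (the shadow IT candidates step 2 is hunting for), and unauthenticated senders (what an enforcement policy, as in step 8, would stop). The report XML, the IP addresses, the domain and the KNOWN_SENDERS inventory are all constructed assumptions, not data from any real report.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report, trimmed to the elements
# this script reads. Real reports arrive as XML in a zip or gzip attachment; the
# IPs and domain here are documentation placeholders, not real senders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>85</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.42</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical inventory of senders IT has already sanctioned for this domain.
KNOWN_SENDERS = {"192.0.2.10": "corporate mail gateway"}

def parse_report(xml_text):
    """Return one dict per <record>: source IP, message count and evaluated DMARC results."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            # In policy_evaluated, "pass" already means aligned with the From domain.
            "dkim": ev.findtext("dkim"),
            "spf": ev.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows

def classify(rows, known=KNOWN_SENDERS):
    """Label each source so unknown senders that authenticate for our domain stand out."""
    labels = {}
    for r in rows:
        dmarc_pass = r["dkim"] == "pass" or r["spf"] == "pass"
        if r["ip"] in known:
            labels[r["ip"]] = "sanctioned: " + known[r["ip"]]
        elif dmarc_pass:
            labels[r["ip"]] = "shadow IT candidate: authenticates for our domain but not in inventory"
        else:
            labels[r["ip"]] = "unauthenticated: would be blocked once the policy moves to p=reject"
    return labels
```

Running `classify(parse_report(SAMPLE_REPORT))` over a few weeks of real reports, with the inventory kept current, gives the shortlist of services to track down in step 3.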
Bringing new services online
Your employees won’t stop wanting new cloud services just because you have run through these eight steps. Moving forward you can establish a process for them to bring services to the IT department first to ensure compliance with policies and security needs. When these needs are met, the IT department can enable each service individually for use.