–Brian Pereira
A few years ago we heard about BYOD (Bring Your Own Device), and now everyone is talking about Shadow IT, or Bring Your Own IT. There’s a trend of more employees working outside the office, be it from a hotel room, a customer site, a café or from home. And these road runners are building their own IT infrastructure, using personal clouds for storage and helping themselves to software applications off the cloud. Excel spreadsheets and PDF docs are exchanged over email. Heavier files like images, voice files, and videos are transferred over cloud-based file transfer services. And communication happens over WhatsApp, Skype or instant messaging on social media sites. All this must be giving the CISO (Chief Information Security Officer) or Chief Risk Officer sleepless nights. We asked Ruggero Contu, Research Director, Gartner, how organizations must act to safeguard their information assets in the wake of the shadow IT trend.
“Shadow IT does not require approval for deployment. It could be something like deploying a service like Dropbox. Organizations should seek better visibility and better control on shadow IT. There are tools like CASB (Cloud Access Security Broker) that can provide better visibility.”
Some organizations try to block access to online resources and social media sites when they find out that their employees use these services and tools at the workplace. Ruggero, like other Gartner analysts we heard at the summit, feels that this is the wrong approach. Rather, organizations should empower users to use these services, in a responsible manner, of course. And these actions should be closely monitored, if necessary, to ensure that resources are not misused.
As former US president Ronald Reagan used to say, “Trust, but verify.”
“Employees must be made aware that they are responsible for the manner in which they deploy and use these resources. They should be empowered rather than dissuaded. You can do this through training and by creating awareness,” said Ruggero.
Shadow IT can also happen at a departmental level. For instance, the marketing department may deploy its own applications from the cloud.
While most organizations may permit this, it is imperative to deploy sufficient controls and monitoring mechanisms, advises Ruggero.
“I’ve had conversations with marketing departments and for them social media was the key to their functioning. In many cases, the business actually sponsored the purchase of controls that facilitated the use of social media in a more secured fashion,” said Ruggero. “It is not the Security department or IT that is paying for that – it comes from the business or a particular department.”
So the resources to support shadow IT come from outside the IT department.
“There are various ways to check shadow IT, like Mobile Device Management, containerisation, sandboxing, end-point detection and remediation, threat intelligence services, monitoring user behaviour etc. So there is a new set of security technologies emerging. However, some challenges will remain, especially when you have a private device (BYOD).”
———————————————————————————————
- The writer visited the Gartner Security & Risk Management Summit 2015 in Mumbai, held between September 1 – 2, 2015. More reports on the summit follow.
- “Shadow Dancing” is a disco song performed by English singer-songwriter Andy Gibb that reached number one for seven weeks on the Billboard Hot 100 in 1978. (Wikipedia)