How to Find Shadow IT in Your Organization

Published on Jul 25, 2018

To keep your networks secure, you need to know about everything that’s on them. The two leading items on the Center for Internet Security’s list of basic controls are keeping an inventory and control of hardware and software assets. You can’t secure what you don’t know is there.

Sometimes people add their own software without getting authorization or letting the IT managers know. This is called “shadow IT.” It isn’t as sinister as the name sounds. Usually, it’s people trying to do their jobs in what they think is a responsible way. There’s some task which they need to accomplish, and there isn’t already a tool available for it, or they don’t know there is.

They aren’t trying to create risks, but the simple fact that their software isn’t in the inventory raises concerns. It might not meet security and compliance requirements, and they probably won’t rigorously install all the patches that come out. Confidential information is insufficiently protected when it’s transferred to cloud services of unknown quality.

People don’t even have to install software to engage in shadow IT. All it takes is a browser that connects to a service. People who go that way often don’t think of it as something requiring approval. IT can configure computers so that users can’t install their own applications, but it can’t easily stop them from running cloud services from a browser.

Most managers seriously underestimate the amount of shadow IT that goes on in their networks. A data breach or regulatory violation could blindside them with serious consequences.

How to Detect Shadow IT?

To identify Shadow IT, organizations can employ various methods, such as conducting employee surveys to gather information on the applications individuals use for their tasks and consolidating the data. Alternatively, automated tools like Enterprise Architecture, SAM (Software Asset Management), or SaaS management platforms can be utilized for detection.

Tracking Applications

Knowing what applications are running on the network is central. Software packages such as Microsoft 365 Cloud App Security are designed to achieve this. It lets managers discover all cloud use, authorized and unauthorized. They can identify activity which isn’t on the approved list and get a risk assessment on each case. Cloud App Security has information on over 16,000 applications, ranking them against industry standards.

If it’s a known application with a good reputation, there may not be any need for further action beyond documenting its use. If there’s no good information about a service which people are using, or if it’s one which has known problems, it’s time to look more closely.

In some cases, the tools will disclose which users are running the application. The next step is simply to talk to them and find out why. They may not even be aware that they’re doing anything out of the ordinary. They may not know that there’s an authorized alternative. Or perhaps what they’re using really is the best solution, but it needs to be brought under the IT umbrella so it gets proper maintenance and monitoring.

Sometimes old applications were installed before there were systematic policies. They’re still in use, running in the background, and no one is aware of them. Detecting them provides a chance to get rid of them and eliminate possible risks.

Locating Sensitive Information

Most businesses consider it legitimate to store some sensitive information on cloud services, but only if it meets strict requirements. The business must already be familiar with these cloud services. They need to follow a high-security standard, both in storing information and in transferring it. Only authorized parties can have access.

Cloud App Security analyzes log files from proxies and firewalls to provide insights into where information is going. It gives the IP addresses of destinations and shows where they are in the world. Most traffic should be going to known services. After eliminating them, there could be other destinations that need a closer look. They might indicate the use of an unauthorized service or even a data breach. If the destination is in another country, it might violate regulations and policies even if its purpose is legitimate.

A common mistake is storing information on consumer-grade services such as Google Docs and Dropbox. They provide some security but aren’t adequate for sensitive personal information such as Social Security and credit card numbers. It’s vital to discover and eliminate any uses of these services where real security is needed.

Establishing Policies and Priorities

Mitigating the risk of shadow IT requires adopting consistent policies and prioritizing concerns. So the more sensitive a set of data is, the more closely you need to watch it. Using a cloud service to share information which is already public is rarely a problem. Using it to hold personal medical or financial data requires close attention.

The absence of information is a warning sign. A known application with identified users is at least well behaved, and some additional checking can confirm whether it’s being used safely. If log entries don’t correspond to any identified service, or if its records are inadequate, it may not be a trustworthy application.

It makes a big difference what kind of client is accessing a service. Consumer-grade services aren’t untrustworthy as such, but their use should be limited to cases that aren’t sensitive. Banning their use across the board may not be feasible, but any access to them from sensitive parts of the network should raise alarms. For example, backing up user data to a weakly-secured offsite service may not be a major problem, but backing up a critical database to the same place is a serious issue.
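The log review described under Locating Sensitive Information and the "sensitive parts of the network" rule above can be sketched in a few lines. This is an added example, not Cloud App Security's own logic or code from Agile IT; the log format, the domain lists, the 10.9.0.0/24 "database segment" and every sample line are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed proxy log: timestamp, client IP, user, destination host, bytes uploaded
SAMPLE_LOG = """\
2018-07-25T09:01:12Z 10.1.4.22 alice login.microsoftonline.com 2140
2018-07-25T09:03:40Z 10.1.4.22 alice files.example-notes.test 48211
2018-07-25T09:05:02Z 10.9.0.15 svc-db www.dropbox.com 73400320
2018-07-25T09:07:19Z 10.1.7.80 bob www.dropbox.com 120400
2018-07-25T09:09:55Z 10.1.7.80 bob files.example-notes.test 9120
"""

SANCTIONED = {"microsoftonline.com", "sharepoint.com"}   # assumed approved list
CONSUMER_GRADE = {"dropbox.com", "docs.google.com"}      # assumed consumer-grade list
SENSITIVE_NETS = [ipaddress.ip_network("10.9.0.0/24")]   # assumed database segment

def matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def review(log_text):
    """Return (unsanctioned destinations by host, alerts for sensitive segments)."""
    unsanctioned = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of guessing at fields
        _, client, user, host, sent = parts
        if matches(host, SANCTIONED):
            continue  # eliminate traffic to known, approved services
        entry = unsanctioned[host.lower()]
        entry["users"].add(user)          # who to talk to
        entry["bytes_out"] += int(sent)   # how much data left the network
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue
        if matches(host, CONSUMER_GRADE) and any(ip in n for n in SENSITIVE_NETS):
            alerts.append((user, client, host.lower()))
    return dict(unsanctioned), alerts

if __name__ == "__main__":
    found, alerts = review(SAMPLE_LOG)
    for host, info in sorted(found.items(), key=lambda kv: -kv[1]["bytes_out"]):
        print(host, sorted(info["users"]), info["bytes_out"])
    for alert in alerts:
        print("ALERT consumer-grade service from sensitive segment:", alert)
```

Matching on the domain suffix with a leading dot keeps a lookalike host such as `evil-dropbox.com` from being treated as the listed service.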

Maintaining Communication

Shadow IT happens. The important thing is to discover the risky uses of it and find better alternatives. Knowing how to find shadow IT is key. Being so strict about it that people resort to secrecy will only make matters worse. So, create channels where users can report what software and services they’re using or would like to use, and provide them with feedback. Just knowing that they can do that will encourage them to think more carefully about their choices.

Learning More

Agile IT offers workshops to help identify cybersecurity threats, including shadow IT and vulnerability to rapid cyber attacks. The Shadow IT Assessment workshop will help you identify security objectives, define requirements, use Cloud App Security effectively, and create a roadmap for application visibility and control. With the training it provides, you will be better able to help users to accomplish what they need to do while letting you manage and minimize the security risks. Contact us to schedule a free consultation.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
