iluom
Contributor II

Shadow IT happens

 

Is Shadow IT a positive sign?

 

What does the rapid growth of shadow IT mean?

 

I suppose IT departments in organizations are not able to pick up the pace to embrace digitization to support staff and employees. It has become a common phenomenon in all types and sizes of organizations.

 

It's become commonplace to use open-source and SaaS applications at work without IT's approval.

Somehow they are helping to increase productivity, but there are risks as well.

Chandra Mouli, CISSP, CCSP, CSSLP
10 Replies
CISOScott
Community Champion

Shadow IT happens when other departments feel like IT isn't moving fast enough for them or IT security has become too restrictive AND they have access to their own budgets to procure the items needed to accomplish their IT needs.

 

Shadow IT can also happen when IT does not understand the customer requirements. One of the commonly overlooked pitfalls of Shadow IT is the lack of lifecycle maintenance. One example I had from a few years ago (2016): we had one department come to IT and ask for a new computer, as their old computer had died and they needed a replacement. The IT shop did not have anything in their database showing they had any equipment in that particular shop. So they went down there and found a computer that was running WINDOWS MILLENNIUM EDITION (ME) in 2016!!!!!! The only purpose of this computer was to print labels for pipes. The shop had purchased it 17 years ago and IT didn't even know it existed. It was not being maintained, secured or anything. No one knew about it, so no one thought to include it in a lifecycle refresh plan. The software wouldn't run on a Windows 10 machine. And to top it off, they were mad at the IT shop for not being able to come in and replace it right away. Keep in mind this was government, so procurements are regulated and not something that can always be done in a hurry. We eventually found out from the company that we could pay to have some new printer software shipped for about $1000 that would run on Windows 10.

 

I told my guys to go through the entire 11-acre industrial plant, find every computer that was there in every building and document it. I left the job before the task was complete, but at the 50% mark we had found over 100 computers that:

1) The IT shop didn't know anything about,

2) Were not being updated,

3) Were out of security compliance,

4) May or may not have had any AV products or security software on them,

5) Were not on any lifecycle replacement plan,

6) No one was responsible for watching/maintaining.

 

So you see there are a lot of ways Shadow IT can come into an organization, and there are a lot of problems that can develop. Luckily we were an industrial plant, so there was not a lot of network access through which the Shadow IT could connect to the main network, but as we began modernizing the plant it became more of a risk. We also discovered several rogue networks with access to the Internet, which was problematic for industrial security secrets.

CISOScott
Community Champion


@iluom wrote:

 

Is Shadow IT a positive sign?

 

What does the rapid growth of shadow IT mean?

 

I suppose IT departments in organizations are not able to pick up the pace to embrace digitization to support staff and employees. It has become a common phenomenon in all types and sizes of organizations.

 

It's become commonplace to use open-source and SaaS applications at work without IT's approval.

Somehow they are helping to increase productivity, but there are risks as well.


Shadow IT is not a positive sign. It is a sign that things are not working in your organization. It is a sign that either IT is not communicating well with the organization (could be either party, IT or the business) or that IT is not able to meet the customer requirements of the business.

 

Rapid growth of Shadow IT means that IT cannot meet the business needs, therefore the business units are turning to other means of getting it done. It also could reflect bad IT procurement policies, bad security policies (no security policy, poor security policy, too restrictive security policy, etc.), poor understanding of customer requirements, poor budget management policies (i.e. each department has its own budget and lacks IT controls/oversight over what it can purchase), poor IT security posture or poor IT security relationships, or several other things.

JoePete
Advocate I


@iluom wrote:

 

I suppose IT departments in organizations are not able to pickup the pace to embrace digitization to support staff and employees. It has become a common phenomena in all types and sizes of organizations.

 


Or it may just mean that people just chase the latest fads and tools. A few things done well are much better than a mishmash of resources that no one can keep track of, but it is too easy for someone to see some app that makes life "so easy" for them that they insist everyone else has to use. Here's a simple case in point: Venmo. People seem to be flocking to the thing, and what's its selling point over PayPal or (heaven forbid) sending a check? Its integration with social media. Yes, by all means, announce to the world the bill you just split. I can sincerely say that 90 percent of the "technology" that comes across my desk each day is pure crap. That doesn't stop the lemmings from buying it, downloading it, using it, and getting bitten by it.

dcontesti
Community Champion

I started working for an organization that actually had split their IT functions due to Shadow IT. It started with the IT folks not being responsive enough to the needs of the development teams. As this happened, a Shadow IT department sprang up and finally became recognized as an official IT supplier. So there were two sets of Computer Operations folks, development teams, support people and networking folk. Unfortunately, there were still a few shadow IT groups, so there was no real Architecture or Strategy (long or short term).

 

After a few years, this came under review and was found to be "unhealthy" to the organization due to duplication of systems, people, multiple computer rooms, etc. At this point, it was decided to merge the groups into one (fortunately no jobs were lost), and the coming together proved beneficial to the organization.

 

So yes, Shadow IT does happen, sometimes for the good of the department and sometimes to the detriment of the organization.

 

Folks in IT are concerned with keeping the organization functioning and secure (payroll, ordering, customer service), while departments want the latest tech (iPads, smartphones, Surfaces) and the latest apps (DocuSign, Skype for Business, etc.). Sometimes the two are at odds, as IT doesn't have time but the department has one or two techies who more than fill the empty slot and bring in tech that IT must now scramble to support.

 

Shadow IT is not bad when done correctly.

 

Just my nickel Canadian.

 

Diana

 

iluom
Contributor II

Yes, I agree with you. I too felt the same.
Chandra Mouli, CISSP, CCSP, CSSLP
iluom
Contributor II

 

I guess DevOps has the potential to address the issues with Shadow IT, doesn't it?

Chandra Mouli, CISSP, CCSP, CSSLP
mgorman
Contributor II

DevOps can make Shadow IT far worse. The tools and resources associated with DevOps, cloud, SaaS, etc. are a credit card and expense report away for any developer. One of the many problems is that there is then a potential back door to the Internet for data loss, incoming malware, etc. Systems "out there" are probably also not well configured or protected, which means they are at a high risk of compromise, if for nothing else than to mine cryptocurrency. But in the end, the company is probably paying for that usage.

 

Well done, DevOps is a great strategy. Done poorly, it is an awful mess for all those involved, exponentially increasing the headaches for IT and IS teams. Although, I must agree with some earlier comments: if you have a significant shadow IT presence, find out why. IT and IS should be enabling the business; if they have to be gone around to get things done, something is wrong and needs to be fixed.

iluom
Contributor II

 

There is ample scope for reducing the danger of shadow IT with DevOps, for sure. DevOps brings IT out of the shadows.

 

There are two benefits that DevOps brings to the table that minimize the potential for shadow IT:

more rapid development and empowering individuals.

 

The reality is, you can either declare your organization will never do shadow IT and lose the battle, or you can recognize its proliferation and start putting some governance around it. Here’s how DevOps can help.

 

DevOps is all about fostering better communication and collaboration between teams and across platforms. It's all about including people from different areas of the business, even outside IT, from the beginning development stages of new software to the end. If you're going to "okay" certain projects under shadow IT, there should be communication and transparency about what's occurring.

 

Another important aspect of DevOps is enabling people with the tools they need. If people are sharing data on Google Docs, why isn’t your organization providing them with an excellent collaboration tool like Atlassian Confluence?

 

With DevOps, you prevent shadow IT groups from scouting and using unapproved open-source tools that may not integrate well with your environment or that aren’t properly secured or licensed. Instead, you provide good tools that help people be productive and successful.

 

Fighting shadow IT is a battle no organization will ever completely win, but letting it run amok is financially dangerous and insecure. The best tactic for organizations is to control their shadow IT activity by improving their own development, operations and security organizations through DevOps best practices and being willing to address small but high-priority business initiatives quickly.

Chandra Mouli, CISSP, CCSP, CSSLP
rslade
Influencer II

Who knows what evil lurks in the hearts of systems?

The Shadow IT knows!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
In order to make anything a reality, you have to dream about it
first. - Adora Svitak
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468