As I was flying home from a customer engagement, I looked down from the window of the airplane to see all the clouds floating lazily below me. It was not a completely overcast day, so I could easily see the shadows cast by the clouds upon the landscape far below. I couldn’t help thinking about cloud computing, and that as beautiful as the cloud is, it too can cast a shadow. The shadow we are talking about is “Shadow IT”, or even “Stealth IT”, and it refers to what you have when someone goes rogue and implements an IT service without going through IT to do it. Shadow IT has been around for many years, but with all the services available in the cloud, the potential exists now more than ever for you to have Shadow IT projects running in your organization.

The problems with Shadow IT are legion. Shadow IT projects aren’t IT’s problem, until something breaks and then IT is expected to fix what they had nothing to do with. Shadow IT projects aren’t reviewed for security or supportability, or even for how they fit in with the long term plans of the company. They may even “compete” with solutions IT is in the process of developing, which often happens when the business becomes impatient or is simply not in touch with what IT is doing. But the largest issue may be compliance. Shadow IT projects don’t follow the processes and procedures, or have the controls and oversights in place that things like ITL, HIPAA, PCI, and other certifications and accreditations require.

While there are many Shadow IT technologies you should be aware of, many of these are even easier for business units to implement now that they are in the cloud. Between the ease of deployment and monthly subscription costs that can be charged to the corporate card, anyone can take these on. Most of these can be excellent and key components of an IT organization when they are implemented by IT, but they are also easy for any department to deploy on the sly. Here’s a list of the top eight Shadow IT technologies which may already be in your enterprise:

1. Storage and backups

Storing data in the cloud is one of the easiest and most common ways Shadow IT can infiltrate your enterprise. Services like Dropbox, SkyDrive and Google Drive, give users a quick and easy way to store files, sync them between computers, and access their data from anywhere. When that data is their personal files, there’s no problem; but when that data is corporate intellectual property, there are severe implications for the security and management of that data.

2. File transfers

Email admins place limits on file attachment sizes for any number of very good reasons. Users frequently need to exceed these limits, also for any number of very good reasons. One thing users are very good at doing is finding ways around restrictions, and there are dozens of services online like YouSendIt or DropBox that will let you upload large files to their servers, and then send a link to whomever they want so it can be downloaded. Again, consider when that large file is a company’s proprietary customer list, or payroll data, or anything else that should not be stored on third-party systems until there is a contract in place and all the reviews are complete to ensure that the integrity, confidentiality, and availability of that data is guaranteed.

3. Email

For compliance, security and privacy reasons, as well as to protect the “brand”, companies require that their employees conduct business using the business’ email system. But users will frequently use their Hotmail or Gmail accounts either because they want to attach files, or connect using their personal devices, or because they think the company’s system is too slow. Not only does that damage the company’s brand and implies their corporate systems are inadequate, but it also puts more data outside the control of the company. That’s particularly scary when a user’s employment ends, but your customers are still emailing him at his Gmail account. If he went to a competitor, so too do those customers and you won’t ever know it. Or when those emails go unanswered, the customer will still go looking for better service from your competitor.

4. Voice

Cloud-based IP Telephony services like Skype or Google Voice have the same implications for your company as personal email services. Your company will have no access to an employee’s personal email, or control of their personal telephone number, which makes those services great ways for you to lose business when you lose that employee.

5. Website hosting

It amazes me how often I run into this. A business unit goes completely outside of IT to stand up a product-specific website with a third-party hosting provider, who handles the name registration, site development and everything else, and no one is the wiser. The employee leaves, the bill stops being paid, and the site goes down. That’s when the frantic calls to IT come in and you realize you don’t even have ownership of the critical IP like the domain name, let alone the login credentials to try to pay the bill and then continue to manage the service.

6. Bulk email service

While you definitely want to use a cloud provider to handle your bulk email needs, and you probably would prefer that Marketing deal with it so you don’t have to, this too presents significant risks to the company, and can quickly become an issue that can impact your users’ regular email when the domain is blacklisted.

7. Hardware Purchasing

IT has hardware standards for a reason-it makes support manageable. Whether we’re talking about the operating system images, applications that are licensed for the company, securing those systems, or warranty support, IT should be buying the hardware that IT must support, and that the company depends upon to conduct business. But when an executive runs down to the local retailer and buys the latest shiny new consumer grade PC, and then expects IT to support it, you have a real problem.

8. Infrastructure

I recently worked with a customer whose corporate IT direction was to move towards IaaS with Microsoft and their Azure offering. As they began to identify systems in their datacenter that could be migrated to Azure, it came out that one group (actually a part of IT!) had gone out and deployed their project on AWS, because they didn’t want to wait for the organization to make up its mind on which provider to embrace, and they guessed wrong on which vendor would win.

Here are some things you can do in your organization to minimize the chance that Shadow IT will become a problem for you:

1. Establish a policy

You can’t expect users not to do this, if you don’t have a policy saying they can’t. That’s amazing considering how upset they would be if IT started recruiting new team mates, or negotiating their own health insurance, or went out and got their own offices, but some things are just always going to be “do as I say, not as I do.” Create a policy that defines what Shadow IT is, and that prohibits it. Get senior management approval and then make sure everyone with a corporate credit card or purchase order authority gets a copy, and actually reads it. Be ready for this event to reveal some stealth IT projects that are already out there when users fess up to their sins.

2. Publish and promote what you are doing

Other business units should be aware of what IT is doing; which new technologies you are considering, and the service offerings that are on the horizon. Your CIO should be sharing this information in leadership meetings, but you want to also evangelize what is coming up. Many times stealth IT projects are implemented due to impatience.

3. Poll the business for what they need

At the end of the day, IT is there to support the business. Talk to the other departments. Find out what they are doing. Look for ways that technology can support them in their initiatives. If you partner with them you eliminate the need for stealth IT.

4. Be responsive to the needs of your users

Make sure you foster a relationship that works both ways. The business should be able to come to IT with their problems, challenges and needs, and get help with them to see how technology can be a tool to grow and support the business. If a manager in another department feels he or she cannot approach IT for help, soon, they won’t bother trying any more. They can find a solution online more often than not.

Knowledge is power, and if you’re going to have a conversation regarding Stealth IT, it helps to know what is going on in your environment, rather than just guessing. The next points will guide you on how to detect any Stealth IT projects on your network.

5. Check your proxy logs

If you use web content filtering of any kind, your proxy logs should help you to quickly and easily find evidence of stealth IT projects of the cloud variety. You should see a fairly significant number of entries repeating for users accessing URLs that should jump out at you.

6. Review any requests for DNS record changes

Several cloud based IT services require DNS entries for your domain in order to operate properly. Review requests for CNAMEs and SRV records for evidence that something’s being deployed in the shadows.

7. Look at your DNS cache

If you don’t have web content filtering, mine your DNS cache on your internal DNS to see what sort of names are being queried. WWW records may indicate interest. Third and fourth level A records may indicate use!

8. Take a network trace

Lacking anything else, take a network trace. At your Internet edge, several users all with large HTTPS volumes are worth investigating. Internally, switch ports with high traffic, that are assigned to desktop segments, can reveal a server hiding under someone’s desk, or running as a VM on their workstation.

9. Look for new, repeating credit card charges

Remember that most cloud-based services are sold as subscriptions, making it easy to buy with a credit card and pay for on a monthly basis, and then to expense. While that’s a great way to operationalize costs, it also makes it much easier for a business to spin up a solution without going through IT or even hitting their purchasing authority.

10. Ask

Shadow IT isn’t out there because people want to do things they know they shouldn’t. Most people won’t even consider that they did something wrong, so you can always sit in on a cross-departmental meeting and simply ask the team. It will be a lot easier to work with the culprits directly rather than playing Sherlock Holmes.

Stealth IT projects can present significant risks to the business, and challenges to IT when the inevitably have to become involved. Review the list of technologies above and decide if you need to add any service offerings to your catalog. Remember that almost all of the vendors out there offering the consumer services that are scary have enterprise offerings with the security and features you want. Then go through the suggested ways to avoid the problem, and implement those you aren’t already handling.

Like our posts? Subscribe to our RSS feed or email feed (on the right hand side) now, and be the first to get them!


Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.