Lurking in the IT shadows

Shadow IT is rearing its head, so what can IT managers do about it?

Despite the best efforts of IT managers, Shadow IT is rearing its ugly head again. If you have not come across the term before you’ll certainly have experienced it. 

Shadow IT is the term used to describe IT devices, systems, software and services outside the control of IT. It can happen for a range of reasons, but usually they all boil down to the same thing, a member of staff or department trying to do their job in a more efficient and timely manner.

This fundamental desire to do a better job is very admirable and in the eyes of (non-IT) management to be encouraged. After all, we’ve all been told to find a way around a problem by the boss! The options available now through portable devices, external cloud based storage and compute resources, software as a service and other technology have made powerful IT solutions very accessible, and in many cases free, to employees, with no need to involve IT. They might be using a service that gets the job done, but could be exposing the business to a number of risks.

Working with files or cloud services through unauthorised hardware such as home computers or mobile devices, increases the risks to a company of a security breach taking place. This could be a hack, or data being shared accidentally in an unencrypted format to an unauthorised person. Devices off the corporate network, and in the shadows, are not protected to the same level as those known to corporate IT, and the same is true of cloud services. They will not be subject to the same corporate, regulatory policies in relation to encryption, authentication, identity and access management, threat detection, device management, or something as straightforward as password policy.

Using cloud services and unauthorised devices can also mean that the regulations by which a company must adhere are being ignored, putting the company at risk of sanctions, as well as creating an opportunity for employees to consciously break rules – even commit crimes.

Cloud services can of course be extremely useful and that is exactly what employees are telling the IT department by using them ‘on the quiet’. The gut reaction of IT departments is to either black list unauthorised applications or restrict access to these services, but if they can be so powerful, maybe it is time to consider how they can be used, and controlled without the company being put at risk.

You can use the cloud and maintain control

In today’s IT landscape, the increasing adoption of cloud-based technology has created a need for advanced security solutions that allow for the use of these cloud based services but are capable of protecting data stored in non-IT control virtual environments. Organisations of all sizes, across all industries, are turning towards cloud solutions to conduct their business better, faster and smarter. 

The benefits of cloud-based technology solutions vary by the needs of the organisation; generally speaking, however, many companies see the cloud as an investment towards their future – creating the ability to better scale economically and have a more collaborative work environment.

One cannot argue against the fact that cloud technologies are changing 
the way the entire world executes and conducts business. Although, as with 
the introduction of any innovation, 
there are aspects of the cloud that must be carefully monitored, managed and controlled. Organisations willing to invest in the cloud must also be educated on the importance of investing in security solutions that protect their business, particularly their sensitive data, once they start to use these services; when organisations use the cloud, in some cases they effectively give up ownership of that service to the provider – but that does not mean they must also give up control of their data.

Getting the balance right is tough, but with internal consultation and implementing an effective cloud strategy the right balance can be achieved. There are a few common challenges to overcome when doing this related to the security and management: effective data protection, managing risk related to unauthorised access, and meeting compliance and regulatory mandates of the industry the business operates in.

Effective Management and Encryption

At the heart of implementing any cloud strategy is having the correct tools to allow the data within the environment to be secured. One of the biggest mistakes made by companies is to use different tools for the unique environments such as private cloud services, public cloud services, mobile device management etc. But this is not necessary, there are tools that allow this to be managed from a single platform, as well as managing the services fundamental to effective protection, such as encryption and anti-virus.

Data encryption, when executed properly, protects the sensitive information stored within any given organisation. Although there are many myths attributed to data encryption, the surprising truth of the matter is that at its core, data encryption provides a foundational piece to any data security and cloud strategy.

As previously mentioned, the increasing enterprise adoption of cloud technology, particularly enterprise file synchronisation services and Infrastructure as a Service, has created a need for security solutions to be able to encrypt files and sensitive data at the endpoint before they are synchronised to the cloud and for cloud based storage. This can be achieved with encryption platform solutions that enable the organisation to maintain complete control over the encryption process, security policy and the encryption key management of these cloud services.

It is important that these encryption services have zero friction for employees. In the past, encryptingand sending files or encryption of cloud storage, has been a very painful process, but now it can be completely transparent. Friction, as we discussed at the start of this piece is one of the areas that gives employees the motivation to ‘find ways around problems’.

You've got to make it work

Simply put – it’s time to educate yourself. The cloud is creeping into your organisation, and with great certainty there is Shadow IT already existing within it. So it’s important that you understand how, not if, you will protect your company’s data.

In a perfect world, cloud providers of all shapes and sizes would be held entirely responsible for the loss or theft of any data in the cloud. But sadly, we do not live in a perfect world, and cloud providers will not be held accountable should your company suffer a data breach of any kind.

That means you remain accountable and responsible for the security of your company’s sensitive data and its down to you to choose the technology that gives you control without tying the hands of your staff.

Andreas Jensen, EMEA Director at WinMagic

Image source: Shutterstock/Kzenon