
December #SecChat Recap – The Security Impact of Shadow IT

By on Dec 23, 2013

The numbers don’t lie: employees are increasingly circumventing IT, using unapproved Software-as-a-Service (SaaS) applications in their daily tasks. This dangerous habit, known as Shadow IT and practiced by more than 80% of employees, might seem harmless to some, but can, in fact, put sensitive corporate data at risk. Last week, Graham Clarke, the Senior Director of Network Security Product Management at McAfee, and members of the security community met on Twitter to discuss the security impact of Shadow IT.

The hour-long chat covered a spectrum of security concerns around the use of unauthorized cloud applications, from the types of apps used to what the future holds for Shadow IT. Highlights from our December #SecChat are below.

Why does Shadow IT happen?

We usually start by defining our topic, but since Shadow IT is already a well-known issue among both security and IT professionals, we began with a deeper dive into the topic, by asking a different question—why does Shadow IT happen?

Our special guest @gclarkesecurity was able to jump in and address this question by noting that a lot of Shadow IT is driven by the need for business agility:

[Screenshot of tweet]

@LabNuke responded by saying that Shadow IT affecting networks is nothing new and has been happening for years; there are just more tools increasing its visibility now. This is true and complements @Selil’s point that the idea of Shadow IT has been around for a long time and has simply presented itself in different forms:

[Screenshot of tweet]

How do we curb the existence of Shadow IT?

What is the solution to manage such a widespread problem? Many of our security experts pointed to the cloud. Despite its dangers, the best option is to embrace cloud offerings. @ArabSec stated that the cloud can be used to control employee app usage and reduce security risks:

[Screenshot of tweet]

Security professional @Raj_Samani commented that controlling Shadow IT is less about tools and more about governance, budget, impact and voice within an organization.

[Screenshot of tweet]

One thing is for certain: it is the job of IT to make the use of apps secure, regardless of the app. Unfortunately, as @SecurityBuzz points out, this control and extended security can be difficult when it’s not known what apps are being used:

[Screenshot of tweet]

What does the future hold for Shadow IT?

Will things get better anytime soon? Our special guest @gclarkesecurity responded with the following:

[Screenshot of tweet]

The future of Shadow IT depends on the ability of IT and CTOs to embrace new SaaS apps and not ban or block them from employee usage. @LabNuke replied to this final question as well, saying “monitoring Shadow IT is like monitoring other covert ops using infosec tools—it requires sensitivity, tuning, and response.”

Business agility and adaptability are needed in ongoing efforts toward quelling the security impact of Shadow IT. To stay current on the best methods for protecting your organization, follow #SecChat host @McAfeeBusiness on Twitter. Also, feel free to check out the entire #SecChat transcript here and download our full report on Shadow IT.

We look forward to seeing you all next time!