What Is Lurking in the IT Shadows?

Despite its ever-growing presence in federal agencies, shadow IT remains as difficult to define as it is to detect. Shadow IT generally refers to the trend of users adopting IT tools and solutions that are outside of the knowledge or control of the official IT department. For example, most IT departments provide email to employees, but if an individual user decides to use Gmail, Yahoo, or another email provider, the IT department cannot manage the risks of data compromise, spam, or phishing attacks.

As more technology is implemented by end users and as the workforce continues to become more attuned to what they believe are their individual technology needs, shadow IT is no longer lurking in the shadows for federal IT pros. In June 2015, market research firm Market Connections, in conjunction with SolarWinds, conducted a survey of 200 federal government IT decision-makers and influencers, with the goal of uncovering the key areas where federal IT pros feel they lack confidence and control. In this survey, 58 percent of respondents see the use of shadow IT increasing in the next two years, with only 10 percent expecting it to be reduced at all.¹

While federal IT pros anticipate the rise of shadow IT and the impact it will have, they do not believe that they have the leadership support to tackle the problem. Shadow IT ranked lowest on a list of importance or current leadership focus, indicating that only 12 percent think that it is a very important area of focus for their leadership.² Additionally, it is one of the biggest areas that federal IT pros feel the least amount of control over, only surpassed by public cloud computing.³

Why is there a need for shadow IT?

Before tackling the problem of detecting shadow IT, it is important to understand why users are taking things into their own hands and leaving their IT departments in the dark:

• Nearly half (45 percent) of respondents believe that shadow IT is prevalent in their agency because of the perception that the IT acquisition process is too long and cumbersome.
• 30 percent believe it is fueled by a perceived lack of innovation in the IT department.
• Almost 30 percent indicated that end users believe that their agency’s overall IT strategy is not aligned with specific departments’ missions or goals.⁴

Although many agencies have network policies blocking certain sites or types of traffic, the sheer quantity and diversity of services available can easily overwhelm an already overworked IT department. Which begs the question: why even bother worrying about it? If a user is able to find a solution that works on their own, more power to them, right?

However, those implementing tools and solutions that fall outside the purview of their IT departments forget that along with installing their preferred tool, they are opening up the agency to security threats. Over 70 percent of respondents indicated that security issues were the biggest negative consequence of shadow IT, followed by duplication of IT effort and lack of interoperability.⁵

Detection and prevention 

Now that we understand the why of shadow IT, it is important to focus on what IT pros can do to detect and prevent the use of tools and solutions that they have no control over within their environment.

Over 40 percent of respondents indicated that to curtail the negative consequences of shadow IT, agencies should:

• Improve the security of existing data and systems.
• Implement systems and tools to identify the use of shadow IT and monitor sensitive data that gets stored in unmanaged environments.
• Develop policies that strike the right balance between flexibility and control.
• Educate employees about proper use of technology.
• Involve department heads and end users in the decision-making process.⁶

Understanding these needs and putting them into place are two very different things. Fortunately there are tools and procedures that federal IT pros can easily implement to help secure their networks, detect unauthorized software, and provide their end users with the services that they need.

Management, Monitoring and Security Tools

A significantly greater proportion of our survey respondents who indicated having little or no shadow IT in their organizations noted having multiple management, monitoring, and security tools implemented. They also have more confidence in their ability to protect against the negative consequences of shadow IT usage.⁷

Holistic, automated management and monitoring tools that provide a single-pane-of-glass view into networks, systems, applications, and security can help control the impact of shadow IT.

• Solutions that monitor network performance for anomalies, offer system-wide, automatic network configuration and change management, monitor network bandwidth, and perform deep packet inspection provide federal IT pros visibility into network usage.
• User device tracking, IP address management, and patch management software can help you determine who and what is responsible for certain types of activity in an environment, and secure endpoints.
• Security information and event management (SIEM)software can centrally collect log files, scan for patterns that indicate a security breach, and identify whether that breach was initiated by an element of shadow IT.

Policies and Procedures

While implementing tools to track and shut down the use of shadow IT, it is also important to make employees advocates for the technology provided by their IT departments. By outlining all of the options available through the IT department and providing clear documentation on policies and procedures around creating and using non-sanctioned solutions, federal IT pros can start to ensure that they are consulted about IT needs and can guide users to approved tools.

Additionally, as our respondents indicated, there is a split between embracing and eliminating future use of shadow IT:

• 25 percent of respondents would like to eliminate shadow IT entirely.
• 23 percent are ready to embrace it because it is inevitable.
• 52 percent fall somewhere between these two extremes.⁸

While it is understandable that some environments are too sensitive to allow any IT services that are not strictly controlled by IT professionals, for many departments this could indicate an opportunity to collaborate with end users to improve the solutions they offer. IT departments can identify ways of providing better services by understanding why their users are looking elsewhere to satisfy their IT needs, and investigate ways to implement these technologies throughout their agencies. If IT departments can leverage this opportunity, they might be able to both deliver better services and create a more productive relationship with their end users.

Sources

1. SolarWinds State of Government IT Management and Monitoring, Study, July 24, 2015, slide 9, http://www.solarwinds.com/assets/industry/surveys/solarwinds-state-of-government-it-management-and-m.aspx.
2. Ibid. slide 7
3. Ibid. slide 6
4. Ibid. slide 10
5. Ibid. slide 11
6. Ibid. slide 12
7. Ibid. slide 17
8. Ibid. slide 13