Cloud Security Authors: Yeshim Deniz, Zakia Bouachraoui, Liz McMillan, Elizabeth White, Ravi Rajamiyer

Related Topics: @CloudExpo, Cloud Security, @ThingsExpo

@CloudExpo: Blog Post

The Answer to Shadow IT Is at Your Fingertips | @CloudExpo #Cloud

Shadow IT is used to describe information-technology systems and solutions built and used inside organizations

Buoyed by BYOD

Turn back the clock to 2008. The recession was in full swing and IT managers feeling the pinch decided to allow employees to use their own devices (in turn leading to the now ubiquitous term of bring your own device (BYOD)) to undertake their job, thus reducing capital expenditure and allowing IT managers to spend their budget elsewhere. Whether BYOD itself turned out to be good or bad is still a point of conjecture, especially when weighing up its benefits against potential security risks. What is true, however, is that it has played a big part in the current scourge of the IT Manager - Shadow IT.

If you haven't heard of the term Shadow IT yet, you will do soon. Shadow IT is used to describe information-technology systems and solutions built and used inside organisations without explicit organisational approval. It is also used, along with the term "Stealth IT", to describe solutions specified and deployed by departments other than the IT department.

Where the money goes

Staff often download and install applications to help them complete their work more effectively. New software can either help them become more efficient generally or it has become necessary to use the software due to client demands. For example, someone may install Skype because the client only wants to run conference calls via video. However, these employees may feel they cannot approach the IT department to install this software as there is too much red tape, and will be denied the request.

Gartner claims that Shadow IT regularly surpasses 30 per cent of a company's IT spend. According to Atos[1], 36 per cent of that money is being spent on file sharing software, 33 per cent on data archiving, 28 per cent on social tools and 27 per cent on analytics. The worrying primary reason for shadow IT is the IT department's inability to test and implement new capabilities and systems in a timely manner.

Pros and cons

There are undoubted benefits to Shadow IT. It lowers IT costs in a similar way to BYOD, increases flexibility, speeds up task completion and means the user isn't constantly banging on the IT admin's door. But there is a flipside. Shadow IT means no centralised IT oversight so an increase in organisational data silos, impeding cross-functional collaboration issues and increasing security risks. IT bosses are not left in the shadows, but completely in the dark on how securely corporate data is being accessed and shared by staff via unapproved application.

The security issue is unfortunately not only a critical one but a cultural one. When an employee casually uses an application such as Dropbox to transfer files there is likely to be little thought about the risk of potentially sensitive data - whether that is customer contact details, financial information or intellectual property - falling into the wrong hands. But the fallout could be catastrophic and lead to regulatory fines, customer distrust and reputational damage.

This scourge of shadow IT has been accelerated by cloud adoption and cloud-based file sharing. According to a recent survey conducted by Fruition Partners[2] of 100 UK CIOs, 84 per cent believe cloud adoption has reduced their organisation's control over IT, with a staggering nine in ten believing unsanctioned use of cloud services has created long-term security risks. Specifically, 60 per cent of respondents said there is an increasing culture of shadow IT in their organisations, with 79 per cent admitting that there are cloud services in use that their IT department is not aware of.

The perfect solution

When CIOs and IT managers search for additional security layers to protect sensitive data within an organisation, it is best to turn to technologies familiar to their staff. One perfect example is two factor authentication (2FA). The use of the technology has become widespread in the consumer realm, with consumers well versed in how to use 2FA and the importance of it to keep their own private data safe from prying eyes. The latest solutions incorporate near field communication (NFC) - used in Oyster Cards and by Apple Pay - allowing users to simply tap their smart devices to gain access to the information they need. Ironically, by installing an application all BYOD and work devices can be equipped with 2FA to ensure only authorised staff can use them.

While 2FA empowers users, CIOs and IT decision makers also benefit from a flexible solution that can be hosted how, where and when they prefer. 2FA is built to suit any business, as it supports both on premise and cloud hosting and management, making it a strong contender for any CIO changing their security systems. By using existing infrastructure, on premise deployment is often convenient, swift and straightforward, while cloud services are appropriately supported by the 2FA provider. This gives decision makers full control and flexibility over the solution, which can be rolled out to departments and employees at their discretion.

If you can't beat them, join them

Shadow IT is here to stay. IT departments need to appreciate that it is so culturally inbuilt that shutting it down is now impossible; in fact, policies punishing the use of third-party apps would more likely push rogue users deeper into the darkness. The battle that can be won is to better educate staff and make Shadow IT an integral part of the company's wider security awareness program. Some staff are aware of the problems, and will ignore them, but many just simply won't understand why what they are doing could affect the whole business.

The good news is that many of the popular shadow IT applications downloaded by staff - such as Dropbox, Skype and TeamViewer - already have the option for 2FA[3]. By not only adopting 2FA for all BYOD and work devices, but reminding users to add this layer of security to the applications they are using for their business dealings too, would give IT managers piece of mind and is the answer to Shadow IT that until now has itself resided in the shadows.

[1] http://atos.net/en-us/home/we-are/news/press-release/2015/pr-2015_03_26_...

[2] http://fp.fruitionpartners.com/category/white-papers/cio-survey-report

[3] https://twofactorauth.org/

More Stories By Steve Watts

Steve Watts is co-founder of SecurEnvoy. He brings 25 years’ of industry experience to his role at the helm of Sales & Marketing for SecurEnvoy. He founded the company with Andrew Kemshall in 2003 and still works tirelessly to grow the company in new and established markets. His particular value is market and partner strategy; having assisted in the development and design of the products, designed the pricing strategy and recurring revenue model that has been so key to the businesses growth and success.

Before starting SecurEnvoy, Steve was responsible for setting up nonstop IT, the UK’s first IT security reseller in 1994. Prior to setting out on his own, Steve worked as Sales Director at the networking and IT division of Comtec, and had started his career in office solution sales in 1986.

Outside of work, Steve is a keen rugby fan. He also enjoys sailing, mountain biking, golf and skiing

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...