Shadow IT has emerged in recent years due to misaligned objectives among teams and the fluid nature of DevOps. We’ve written before that although it may achieve short-term goals for the business units it serves, Shadow IT is detrimental for the long-term stability of organizations, and despite its good intentions, puts companies at greater security risk.
In this post, we’ll explore how development, security, and operations can work together to prevent the need for Shadow IT.
How Shadow IT Comes About
In simple terms, Shadow IT arises when the incentives of one business unit aren’t in line with those of another unit. This causes employees to make technical decisions that have short-term benefits but may also cause an unintended negative side-effect on security.
For example, operations may be tasked with keeping the production systems running with 5–9s availability and maintaining compliance in delivery systems.
Meanwhile, a developer could be tasked with meeting the deadline for a sales requirement or roadmap goal.
If the developer is unable to meet those deadlines with current systems offered by operations, they may launch their own systems on a node outside the official company systems. This leads to potential security issues, as well as financial and ownership issues.
Since the developers and operations teams described above don’t share common goals, they don’t share common resources, either. That is why the developers often try to “bridge the gap” and create their own solutions to get the job done.
Is this harmful to the company? It certainly is. Is it relatable? Of course.
This is how Shadow IT comes into play.
The Good vs. the Bad: Shadow IT
The problem with Shadow IT is that the broken system that causes it to exist in the first place is precisely what hackers exploit for their attacks.
For instance, a strong password security policy could accomplish the goals of one business unit by achieving a higher rate of password rotation. However, this has an unintended consequence. To simplify the password updates, users might create passwords that are easier to remember — and easier to hack. Or, if they don’t receive training on using a password management system, users might write them down on paper and keep them in an insecure place, like at their desks. This defeats the purpose of changing them in the first place.
The password rotation policy would have been made with good intentions, and it’s obviously a good start. But without shared goals and a review across the organization, it’s easy to see how it could actually do more harm than good if these programs are implemented in a silo.
Eliminating Shadow IT and Achieving Alignment
Ultimately, Shadow IT is about implementing technological or security measures without consideration of the impact they have on security. To avoid this risky practice, consider these practical tips to achieve alignment and reduce the need for Shadow IT from your organization.
- Elect a Leader – Choose someone whose job it is to lead security efforts. For larger teams, this may be a ready-made choice, like the CISO or security manager. But for smaller teams, it may be someone from IT or DevOps. Whatever the case, the important thing is that all communication and decisions for security-related matters go through this person.
- Consistent Tools – Developers, security teams, product management, and operations should use the same tools to test, develop, secure, or scale code. A common toolset removes barriers to communication and simplifies changes. It also empowers security teams to contribute directly to the code for changes (rather than delegating those to operations) because they will have the same toolset on their computers.
- Communication – When it comes to resolving security issues, emphasize cross-team collaboration. This prevents the creation of misaligned incentives and the need for Shadow IT. It’s the job of the security leader to bridge silos and guide these conversations.
- Processes – We’ve written before that, when combined, people, processes, and technology are the magic combination for a successful security organization. When it comes to processes, automation is key. An effective way to streamline security processes is to automate configuration auditing, security updates, and vulnerability scanning, among others. This way, key processes can happen faster, keeping your security posture stronger.
- Leverage Security Software – One thing is for sure: You don’t have to go this alone. If you can build security into every aspect of your IT infrastructure, you can gain complete visibility without slowing down your team. When embedded at the host level (which is what we recommend), security tools can spot potential issues caused by things like Shadow IT so that no matter who is doing what, you’re in-the-know. In our view, this is the single best way to maintain control of your environment and stay ahead of security threats.
Final Words . . .
A lack of communication is at the heart of the Shadow IT issue, and an empowered security leader can facilitate the right conversations and share information across teams to ensure that incentives are aligned at the end of the day. With shared goals, employees are more likely to share resources and are less likely to need to resort to Shadow IT practices that put the company at risk.
Considering investing in cloud security software in 2018? Download the Cloud Infrastructure Buyer’s Guide today.
Cloud Infrastructure Security Buyer's Guide
Navigate the cloud security market space and choose a vendor for your organization.