Shadow IT: Convenient, But Not Without Risk

What is Shadow IT?

“The street finds its own uses for things” is a line from William Gibson’s cyberpunk short story Burning Chrome, and it’s often used to explain the uses of technology that are unexpected, unintended, and oftentimes unsanctioned. In Burning Chrome, the “street” was the criminal and hustler class in Gibson’s Blade Runner-esque “Sprawl” universe. An article in today’s New York Times suggests that in real life, it’s your coworkers.

Shadow IT sounds like some kind of future slang that Gibson would’ve coined, but it’s an office term referring to the set of applications and systems that are used in organizations without that organization’s approval, and especially without the approval of the IT department. It’s usually the result of one or a handful of employees discovering an application, service or system that solves a problem in a way that seems more effective, expedient, and more free of red tape than if it were solved by IT. Shadow IT usually starts off as an ad hoc solution, but if it becomes popular within an organization, its use can become standard practice, even without the approval or oversight of the IT department.

Among the applications and services that fall into the category of shadow IT are:

  • Wifi: In offices that don’t provide wifi but provide broadband access through ethernet, people bring and plug in their own wifi routers.
  • “Sneakernet”: Carrying a USB key is still the simplest, highest-bandwidth way to pass files within an office. In offices where the email server has a policy of not allowing email attachments over a specific size, sneakernet can be quite useful.
  • Email forwarding: A common trick to bypass security measures in enterprise email systems is to forward emails from a company account to a personal account for later reading.
  • File-sharing/-storage services: In situations where sneakernet won’t do, such as sharing files among people in different offices, or with remote coworkers, or to have “anytime, anywhere” access to specific files, services such as Box, Dropbox, Google Drive, SkyDrive, and YouSendIt are often used.
  • Collaboration services: When people work collaboratively on documents, passing around files often leads to those files going out of sync and the rise of different versions of the same document being passed around. In such cases, Evernote, Google Apps and the web version of Office are the preferred collaborative tools.
  • SYOD devices: SYOD is short for “smuggle your own device”, our shorthand for when people bring their own devices without IT’s knowledge or approval.
  • Text, voice and video chat: Popular “out-of-band” communications tools include Facebook, Google Chat and Skype.

Many organizations even have a shadow IT budget to cover the costs of these services. In a 2012 survey of IT managers by PricewaterhouseCoopers, nearly half the respondents said that at least half of their corporate IT spending was on shadow IT.

Upsides and Downsides

Shadow IT is a mixed blessing for organizations. It solves a lot of problems for business workers, and relieves IT of some of their load, as they’re services that they don’t have to install, maintain or support. It also blurs the line between work and home life — what some call “life splicing” — which companies like, because it often works in their favour, getting extra work out of their employees.

One downside is that they may put the organization in violation of certain compliance guidelines, such as HIPAA or Sarbanes-Oxley.

They also increase the number of ways that organizations can lose control of their data through attacks on the servers on which the services reside. Examples include:

Mobile devices further complicate things. They’re easy to carry, but that means that they’re also easy to lose. One notable case brought up in the New York Times article is the recent loss of a mobile device assigned to an employee of Florida’s Department of Juvenile Justice. It was neither encrypted nor locked with a passcode, making the records of up to 100,000 youth and department employees accessible.

No Easy Solution

The seemingly obvious solution is simply to ban the use of non-sanctioned services. However, policy alone is insufficient; Florida’s Department of Juvenile Justice had a policy specifically forbidding the storage of sensitive data on unsecured, unencrypted devices, for all the good it did them.

Solutions such as the DNS control provided by BlueCat Networks can limit access to such services. By taking control of an enterprise network’s DNS, you can restrict access to specific sites and services and lock out unauthorized devices. This protection is available as long as you’re using the enterprise network to access the internet; outside, you’re not covered.
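To make the DNS-layer control concrete, here is an added example (not BlueCat's product or code from the original post) of how a resolver policy can sinkhole queries for the unsanctioned services the post lists and, just as usefully, tally which clients are reaching for them so IT learns where the unmet need is. The domain list and query log are constructed sample data.

```python
# Added example: a minimal DNS policy filter with suffix matching on label
# boundaries plus a per-client tally for IT follow-up. All data is constructed.
from collections import Counter
from typing import Optional

# Policy: unsanctioned services named in the post, as domain suffixes.
# A match on "dropbox.com" also covers "dl.dropbox.com".
UNSANCTIONED = {
    "dropbox.com": "file-sharing",
    "box.com": "file-sharing",
    "skype.com": "chat",
    "evernote.com": "collaboration",
}

def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot DNS uses for absolute names."""
    return qname.rstrip(".").lower()

def classify(qname: str) -> Optional[str]:
    """Return the policy category if qname is, or is under, a listed domain.
    Walks label by label (a.b.c -> b.c -> c) so "notdropbox.com" does NOT
    match "box.com", which a naive str.endswith() check would get wrong."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in UNSANCTIONED:
            return UNSANCTIONED[suffix]
    return None

def apply_policy(queries):
    """Decide each (client_ip, qname) query and count shadow IT hits per client.
    Returns (decisions, per_client) where decisions are (client, qname, verdict)."""
    decisions, per_client = [], Counter()
    for client, qname in queries:
        category = classify(qname)
        if category is None:
            decisions.append((client, qname, "resolve"))
        else:
            # Sinkhole the answer and record the hit for IT's review.
            decisions.append((client, qname, f"sinkhole:{category}"))
            per_client[client] += 1
    return decisions, per_client

# Constructed sample resolver log: (client IP, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.12", "www.dropbox.com."),
    ("10.0.0.12", "intranet.example.internal"),
    ("10.0.0.45", "DL.DropBox.COM"),
    ("10.0.0.45", "notdropbox.com"),  # legitimate lookalike, must resolve
    ("10.0.0.77", "api.skype.com"),
]
```

As the post notes, this only governs devices that use the enterprise resolver; a phone on its own data plan never sends these queries, so the tally is a floor, not a census.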

Educating employees of the risks of such services can help, but there are always some employees you’ll never be able to reach, no matter how many sessions they attend.

People resort to shadow IT because no acceptable solutions exist within the organization. The most effective solution may be to implement a system that meets employees’ needs at least as well as outside services. This, of course, is easier said than done.

This article also appears in 'Mobilize!: The CTS Tech Blog'.

3 replies on “Shadow IT: Convenient, But Not Without Risk”

Easier said than done? That doesn’t even begin to cover it.

It’s next to impossible to find third-party app providers who can create dead-simple apps, that allow corporate IT to implement effective security policies, can integrate mobile devices securely with the corporate network and corporate apps, and will still allow users to freely exchange files with other co-workers, with colleagues at other companies, and with their home computers.

It’s absolutely impossible for companies to make their own in-house apps that do all of the above.

So shadow IT’s growth is simply the clearest indication that corporate leadership wants to have it both ways: let users do what they want, and have IT pretend that they’re still nominally in control of information assets.

But any house that’s this divided against itself will fall–and fall hard.
