If you have read this far looking for a solution to the problem of shadow IT risk, you may be somewhat disappointed. I don't have the solution. I do, however, have some practical suggestions to help:
Monitor outbound traffic
One of the best ways to know what is going on within your network is to monitor outbound traffic. Firewalls are used most often to control inbound traffic, with outbound data often being ignored. If you set your firewall to keep a detailed outbound log and look at where the traffic is going, you will quickly be able to identify some of the applications you did not know about. If, for example, Box is not an authorized corporate application, and the log shows traffic to that site, you may have a problem. With a little detective work, you will be able to identify the guilty users. A brief chat with these folks can produce positive results.
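As an added illustration of the log review described above (not code from the original article), the following Python sketch totals outbound connections to unauthorized applications per internal source address. The key=value log layout, the sample lines and the domain list are constructed assumptions; adapt the parser to whatever your firewall actually exports.

```python
from collections import defaultdict

# Assumption: domains of applications not authorized by corporate policy.
UNSANCTIONED = {"box.com": "Box", "dropbox.com": "Dropbox"}

# Constructed sample log in a generic key=value layout (not a real vendor format).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z src=10.1.4.22 dst_host=upload.box.com dport=443 action=allow bytes=48211
2024-05-01T09:12:40Z src=10.1.4.22 dst_host=www.example.org dport=443 action=allow bytes=1200
2024-05-01T09:13:05Z src=10.1.7.9 dst_host=client.dropbox.com dport=443 action=allow bytes=910332
2024-05-01T09:14:11Z src=10.1.7.9 dst_host=notdropbox.com dport=443 action=allow bytes=300
2024-05-01T09:15:00Z src=10.1.4.22 dst_host=Box.com. dport=443 action=allow bytes=512
malformed line without fields
"""

def parse_line(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
    if not {"src", "dst_host", "bytes"} <= fields.keys() or not fields["bytes"].isdigit():
        return None
    return fields

def match_app(host):
    """Match on a label boundary so notdropbox.com is not taken for dropbox.com."""
    host = host.lower().rstrip(".")
    for domain, app in UNSANCTIONED.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None

def shadow_it_report(log_text):
    """Map (source IP, application) -> {'connections': n, 'bytes': total}."""
    report = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        app = match_app(rec["dst_host"]) if rec else None
        if app:
            entry = report[(rec["src"], app)]
            entry["connections"] += 1
            entry["bytes"] += int(rec["bytes"])
    return dict(report)

if __name__ == "__main__":
    for (src, app), stats in sorted(shadow_it_report(SAMPLE_LOG).items()):
        print(f"{src} -> {app}: {stats['connections']} connections, {stats['bytes']} bytes")
```

The source address only identifies a machine; mapping it to a user still requires DHCP or authentication records from the same time window.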
Control outbound traffic
In my opinion, the control of outbound traffic is one of the most valuable and overlooked approaches to security management. I contend that it is just as important to control outbound traffic as it is to control the traffic that is coming in. I was reminded of the importance of outbound control a few weeks ago, when I discovered a malware infection in a customer network by looking at the outbound traffic I had blocked on the firewall.
Admittedly, outbound control is a challenge, given that so many of the popular Web applications require only the basic Web ports to function. A Google search will often provide a means of doing this for popular applications, this article on blocking Dropbox being a good example.
As I said, blocking traffic will bring some user backlash, but it will at least prompt a discussion that will allow IT to have input into the risk management aspects of these applications.
All of us in corporate IT have had to deal with the user who knows the risks and is willing to ignore them. There are others, however, who simply don't understand the exposures. The issue of shadow IT should be a part of any security awareness program.
Enlist executive help
It has been my experience that a corporate executive who fully understands the risks of shadow IT will, in most cases, be willing to help with its control. A corporate edict from the CEO with a comment about sanctions will go a long way toward controlling the problem. You may just leave the meeting with a commitment to additional resources as a bonus.
Bottom line: Work to control the issue of shadow IT before it controls the fate of your job.