With the increase in cloud computing and BYOD in the workplace, it's become increasingly difficult for IT departments to keep track of and manage software and hardware — and maintain a secure environment.
So what can CIOs and other IT leaders do to identify and manage Shadow IT — software and hardware not directly under the control of IT — and mitigate the potential risks? CIO.com asked dozens of IT, mobile and cybersecurity professionals to find out. Here are their top six tips for managing Shadow IT in the enterprise.
1. Monitor your network — to find out if or where you have a Shadow IT problem. "Regardless of whether employees use company-issued or personal (i.e., BYOD) hardware, organizations need to identify where all their data resides — [in house], in the data center, at the edge or in the cloud," says Greg White, senior manager, product marketing, CommVault, a provider of data and information management software.
Then, "to quickly identify Shadow IT, you need to continuously monitor your network for new and unknown devices, comparing the list between scans to determine when new devices appear," says Dwayne Melancon, CTO, Tripwire, a network security firm.
"This can be incorporated into routine enterprise vulnerability scanning, a widely adopted security best practice," Melancon says. "This approach will enable you to gather information about where new devices are on your network and detailed information on what kind of device they are."
Similarly, "you can process the log data from your current firewalls, proxies, SIEMS and MDM products to identify the cloud services being used outside of IT's purview," notes Rajiv Gupta, CEO of Skyhigh Networks, a cloud access security company. "This data can tell you which services are being used, who uses them, how often and how much data is uploaded and downloaded."
2. Prioritize risk. "Not all software/services used outside of IT control is bad," says Gupta. "Leverage an objective and comprehensive registry of cloud services to identify the highest risk services in use and address those first," he suggests. "Prevent access to these high-risk services by blocking them via your existing infrastructure (i.e., firewalls, proxies, MDM solutions) or by identifying users and requesting they cease using the services."
3. Establish guidelines around BYOD and apps/cloud services. "To accommodate the needs of business units, IT can create and share a list of approved software/applications beyond the standard issue software," says Chris Smith, CMO, Zenoss, a provider of IT monitoring and management solutions.
"This would enable business units making their own purchase decisions to be assured that the introduction would not cause compatibility or security issues," Smith says. In addition, "IT should put processes in place that allows it to quickly approve/disapprove new applications actively sought by business units."
Sign up for CIO Asia eNewsletters.