Foreign bodies in the enterprise: BYOD and shadow IT

In recent years, ‘bring your own device’ (BYOD) has facilitated a rise of Shadow IT; when IT systems are built and used within an organisation without the explicit consent (or even knowledge) of the relevant IT department

Shadow IT invading the enterprise

Thoughts and concerns should be heard and addressed - and the relevant technologies deployed and monitored in such a way as to reduce the risk to the company from the inevitable shadow IT in its infrastructure

The term BYOB – or “Bring your own bottle” – hails back to the early 1970’s.

Restaurants that didn’t have a liquor license would allow their customers to bring their own alcohol. This was a win-win situation for all parties.

The establishment wouldn’t have to get a license, which could potentially cost (the then equivalent of) thousands of dollars, and customers could still consume their favorite beverages in the restaurant.

The world of enterprise IT has learned a trick or two from these enterprising restaurants.

You probably have heard of BYOD – or “Bring your own device” – where employees provide some or all of the equipment they will use to perform their duties.

Employees are able to use the phones and laptops they’re most comfortable with thus increasing their efficiency, and employers can reduce their procurement budgets.

Another variant of this is BYOA – or “Bring your own application”.

EUDAs (end user developed applications) can be considered an early version of this.

These were applications – often little more than turbo-charged excel spreadsheets – that initially helped with daily tasks, but ultimately proved to be tools that businesses became dependent upon.

Such user-led initiatives have a mixed track record of success, however. While there have been some notable wins, there have been just as many dismal failures.

A recent and high-profile example of the latter is Hillary Clinton’s disastrous decision to set up her own email server.

>See also: How to balance innovation with risk when it comes to shadow IT

It’s a classic example of someone circumventing official channels and using their own resources to get something done.

But Clinton’s approach was fundamentally unsound from a security perspective, and it led to the storage of classified information on a server that wasn’t government approved, and that had a number of serious, and exploitable, vulnerabilities.

However, it’s not just governments who have faced the sharp end of the BYOD-stick.

Enterprises routinely have to deal with another issue affected by BYOD, compliance, which they need to approach from both regulatory and legal perspectives.

BYOD can complicate many of the compliance requirements that enterprises face.
For example, if an employee’s personal device is involved in an enterprise moving data outside a geographical area – perhaps from an EEA (European Economic Area) country to a non-EEA country – it can be harder to establish that all the strict set of conditions required in this type of transactions have been met.

There are also ways in which weak BYOD and BYOA policies can negatively affect your PCI compliance.

The wording of the PCI-DSS specification is very clear about this subject, and says that organisations must:

“Develop usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), e-mail usage and Internet usage) and define proper use of these technologies.”

>See also: Why businesses must not fight shadow IT

But just try telling your employees what they can and cannot do with their own personal property, and let me know how that goes.

Then there’s the fact that while many consumer-grade software as a service (SaaS) products aren’t fit for enterprise requirements, and might lack proper controls to protect data from external and internal threats, they still may end up deployed in enterprise environments simply because people like using them.

Finally, when an employee leaves a company, there’s no way to ensure that they aren’t taking client information with them.

If the information is on their personal computer or devices, it can be challenging to ensure that such data has been deleted.

In recent years, BYOD and BYOA have facilitated a rise of shadow IT, a term that refers to information technology systems which are used within an organisation without the explicit consent (or sometimes even knowledge) of the IT department.

With the rise of the cloud, and in particular SaaS applications, shadow IT has also proliferated through enterprises at a rapid pace.

The existence of shadow IT applications doesn’t necessarily imply ill-intent.

There’s nothing wrong about a situation where an employee wants to use, say, Google Docs rather than the copy of Microsoft Word provided.

A deviation from standard corporate tools could be interpreted as an end-user saying that they wish they had better (or a choice between) tools.

Or, it could simply mean that it’s cheaper, quicker, and more convenient for an employee to use a shadow app than to obtain official authorization from the organisation’s IT department.

However, even if there is nothing malicious about the installation of a shadow IT application, a company’s network and data could be open to exploitation if those applications are not properly identified and monitored.

>See also: How to do secure Wi-Fi in the BYOD and IoT era

It’s almost impossible to eradicate Shadow IT from an enterprise environment. That’s because the days of locked-down computer systems are far behind us.

Many jobs now require that employees be familiar with a range of software applications, so it’s not surprising that they might choose to utilise an alternative set of programs.

However, there are ways to manage this diversity.

As is so often the case, awareness of the applications in the environment is crucial. This can be accomplished through a combination of high-tech and low-tech means.

For example, one of the easiest things a company can do is monitor corporate credit cards for any spending on subscriptions to unauthorised SaaS products.

Beyond that, you can monitor the data usage of applications installed on business-owned computer systems, and check to see if there’s any large outbound network traffic to a non-sanctioned SaaS service.

It’s also worth emphasising the power of education. If your users know that using an unauthorized third-party service is breaking the rules and potentially putting their company at risk, they may be less inclined to choose to do so.

However, most IT departments will still end up fighting an uphill battle when it comes to reining in shadow IT.

There is a logical reason why this is the case: most consumer-grade SaaS products are good. They look nice, work well, and are really easy to use.

>See also: Don’t let yourself be the weakest link in the BYOD era

These are the products that people want to use, though they may not be the applications that are commonly deployed in enterprise environments.

If IT departments truly want to reduce the prevalence of Shadow IT systems, then they should increasingly consider the user experience when it comes to the procurement and maintenance of applications.

Perhaps most importantly, though, companies and IT teams should consider shadow IT users not as rogues, but as people invested in the organisation, employees who are simply looking for better and more efficient ways to do their jobs.

Their thoughts and concerns should be heard and addressed – and the relevant technologies deployed and monitored in such a way as to reduce the risk to the company from the inevitable shadow IT in its infrastructure.

 

Sourced by Javvad Malik, Security Advocate at AlienVault

Comments (0)