Shadow IT is here to stay. Called “Shadow IT” because it operates outside of the official federal IT department, this challenge was once posed only by the most tech-savvy employees. Today, however, the consumerization of IT means that almost every employee has his or her own devices, applications, and cloud storage options.
As you might imagine, Shadow IT has the potential to introduce a range of security and privacy risks within an agency. The solution? Understand what you can control, understand what you cannot; control what you can, and block what you cannot. This approach ensures a more secure IT infrastructure for agencies and employees.
What You Can and Cannot Control
Despite agencies’ best efforts, it is very difficult to control Shadow IT. Inevitably, Shadow IT will become (or already has become) a part of your IT environment.
According to the results of a SolarWinds survey, nearly 8 in 10 respondents say that Shadow IT exists within their agency. They are not simply experiencing rogue employees with rogue devices; employees often feel they have good reasons to bring in new technologies.
An often-cited example of Shadow IT is file sharing: since many federal IT departments do not provide a managed file transfer service for exchanging large files with other agencies, employees needing this technology deploy Dropbox or Google Drive to get their work done without checking with IT. Others are challenged by the government’s lengthy procurement process when a hardware device or software tool is needed to solve a project’s problem. In fact, according to the survey, nearly half of the respondents think a long or cumbersome IT acquisition process is also at least partly responsible for the use of Shadow IT.
With the understanding that stopping Shadow IT is not an option, federal IT pros can assert control by building limitations into the environment itself. One of the many ways agencies are controlling Shadow IT is by moving to a virtual desktop infrastructure (VDI) environment. By implementing VDI, agencies control the user’s desktop, regardless of whether the desktop device is supplied by the agency or by the end user. The IT department can then control the secure desktop image, which applications are presented, and where the data is stored, and it can erase the desktop’s local memory after each session.
Control Through Knowledge
Another key to controlling Shadow IT is to understand what’s on your physical and virtual IT infrastructures and to take corrective action if necessary. There are three critical capabilities you’ll need to embrace when managing an IT infrastructure: visibility, monitoring, and management.
Visibility: You must be able to see your hardware infrastructure so you can quickly identify rogue devices and locate non-approved devices (or cloud-based services).
Monitoring: You must be able to detect changes in the environment quickly, whether physical devices, virtual machines or new services.
Management: If you’re going to embrace Shadow IT instances, whether hardware, software or a service, you must be able to identify each instance and determine whether you and your team can manage it. Tools are needed both to create a baseline of your IT infrastructure and to manage that infrastructure. When a Shadow IT instance is identified, it is critical that your staff can determine whether tools are already in place to manage it or whether new management tools are needed. If your IT staff cannot manage the Shadow IT instance, work with users to find an alternative solution.
Once you’ve gained these three capabilities, you have the knowledge to enhance your agency’s security posture and embrace (approved) Shadow IT instances.
Remember, effectively managing your agency’s IT infrastructure and keeping Shadow IT under control is a continuous process. You must be able to see, monitor, and manage effectively. Be proactive, embrace the user community, and ensure controls are in place, or you may risk losing control and weakening your agency’s security posture.