8 steps to regaining control over shadow IT

Learn how to discover the employees who went roaming for outside services, and how to bring those services back under IT's control.


A dangerous practice on the rise

“Shadow IT” refers to the all-too-common practice whereby managers and individual employees select and deploy cloud services without the approval, or even the knowledge, of the IT department. These services act as extensions of the corporation but are steered entirely by groups that lack the knowledge or process to ensure they follow the necessary guidelines, introducing security, compliance, and brand risk throughout the enterprise. Gartner predicts that by 2020, one-third of security breaches will come in through shadow IT services.

ValiMail CEO Alex Garcia-Tobar provides a step-by-step process for discovering shadow IT services and bringing them back under control.


Understand your users’ motivations

Your users aren’t selecting and deploying their own cloud solutions out of any desire to give you headaches or put the company at risk. They view these services as safe, reliable ways to make their jobs more effective, and it doesn’t even occur to them that there is a good reason to involve the IT department in these decisions. The more you can consider their perspective, the easier it will be to enlist their cooperation.


Know who’s sending email

Most enterprise cloud services will, somewhere along the line, send email as part of their workflow, usually with one of your corporate domain names in the From address. That’s good news, because you can use the open DMARC email authentication standard to gain visibility over email sent using the domain names you control, even when that email originates from a service entirely outside your network. Publishing a DMARC record in monitoring mode (policy “none”) with a reporting address asks participating mailbox providers to send you aggregate reports listing every source IP that delivered mail bearing your domain in the From header, together with whether it passed SPF or DKIM in alignment with that domain. Two caveats: you only see mail that reached receivers that generate reports, and DMARC identifies sending infrastructure, not the business owner, so there is still legwork to do. Legitimate cloud services sending on behalf of your company are overwhelmingly likely to be in use by your employees. If they’re not already on your radar, that means they’re shadow IT.


Reach out

Once you know the sending services, you’re ready to track down their owners. For some of these it will be easy to create a shortlist: Look to customer service for a ticketing system or marketing for a bulk emailing service, for example. For others you may need to ask the finance team; after all, somebody is paying for them. A company-wide communication to management may even be in order.


Resolve compliance issues for each service

Now you can engage the owners of these services to identify how they’re used and if they present risk to the corporation. By taking a reasonable approach with business needs in mind, you should be able to serve the business and still meet the company’s security and compliance requirements. The goal is not to eliminate good cloud services. Rather, it’s to ensure that all cloud services in use are good.


Find out what else they have

Managers who are spending money on cloud services often don’t stop at one. When you do identify these owners, it’s a good time to find out what other services they have in use that you may not have discovered.


Be patient

Some of these procedures will take a little while. You will need time to get the message out, and you may need some time to work with vendors and internal departments to ensure services are OK for use. Remember, employees probably are unaware that their behavior could bring risk to the company, so they’ll have to go through a learning process.


Give them a deadline

Patience is a virtue, and yet we can’t let things drag on forever. You will find that, left to their own devices, some users won’t prioritize your project and some services will never meet your requirements. That means you’ll need a deadline, after which non-compliant services will be shut off. Give your users every opportunity to work with you first, and then be ready for the enforcement phase.


Shut off the offenders

Here is where email authentication comes in again. If you’ve already used DMARC to identify the email sources, you can also use it to shut down the unauthorized ones: once every approved service is authorized to send as your domain (through your SPF record or a DKIM key you issue to it), you move the DMARC policy from “none” to “quarantine” or “reject,” and receivers that honor DMARC will quarantine or refuse mail that fails authentication. This enforcement prevents email from unauthorized senders from showing up in mailboxes both inside and outside your corporate walls. Move in stages and keep reading the aggregate reports as you go; a service you missed, or one whose SPF or DKIM setup is incomplete, will have its legitimate mail blocked the moment the policy tightens. Sometimes this step will get your users off the dime, and sometimes the company will decide it doesn’t want these services working on its behalf at all.
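The discovery step (“Know who’s sending email”) and the enforcement step above both rest on the same artifact: the DMARC aggregate report. The following is an added example, not code from the original article or from ValiMail, that parses one such report and lists the sources sending as your domain that are not yet known to IT. The XML layout follows RFC 7489 Appendix C; the report contents, IP addresses, domain names, reporting address and counts are constructed for illustration, and the two DNS record values at the end assume a hypothetical example.com deployment.

```python
"""Added example (not from the original article or ValiMail): summarize a
DMARC aggregate (RUA) report to find the services sending mail as your
domain. Layout per RFC 7489 Appendix C; all data below is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: an aligned corporate gateway, a bulk-mail service that
# authenticates only as its own domain (so it fails DMARC alignment), and an
# unknown sender that fails outright.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name>
    <report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulkmailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Aggregate every <record> by source IP.

    'aligned' counts messages the receiver's policy evaluation passed on
    DKIM or SPF; DMARC only credits an authentication result whose domain
    aligns with the From domain, which is why a third-party service with a
    valid SPF record for its own domain still lands in 'failed'.
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"count": 0, "aligned": 0, "failed": 0,
                                   "auth_domains": set()})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = summary[ip]
        entry["count"] += count
        if dkim == "pass" or spf == "pass":
            entry["aligned"] += count
        else:
            entry["failed"] += count
        # Domains the sender authenticated as, aligned or not: these often
        # name the third-party service even when it fails DMARC.
        for auth in rec.iter("auth_results"):
            for child in auth:
                domain = child.findtext("domain")
                if domain:
                    entry["auth_domains"].add(domain)
    return dict(summary)


def unauthorized_sources(summary, known_ips):
    """Sources that sent DMARC-failing mail and are not on IT's allowlist:
    the shadow IT (or spoofing) leads to chase, highest volume first."""
    leads = [(ip, e) for ip, e in summary.items()
             if e["failed"] and ip not in known_ips]
    return sorted(leads, key=lambda kv: kv[1]["failed"], reverse=True)


# Hypothetical DNS TXT records at _dmarc.example.com for the two phases.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com"

if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    for ip, lead in unauthorized_sources(report, known_ips={"192.0.2.10"}):
        print(ip, lead["failed"], sorted(lead["auth_domains"]))
```

Run against real reports, the `auth_domains` column is what turns an IP into a conversation: a bulk-mail provider's domain points you at marketing, a ticketing vendor's domain at customer service. Each source you confirm as legitimate gets authorized (SPF include or a DKIM key) and added to `known_ips`; when the leads list is empty for a few reporting cycles, you are ready to switch the record from `DMARC_MONITOR` to `DMARC_ENFORCE`.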


Bringing new services online

Your employees won’t stop wanting new cloud services just because you have run through these eight steps. Going forward, establish a process for them to bring a service to the IT department first, so it can be checked against your policies and security needs. When those needs are met, the IT department can enable each service individually, including authorizing it to send email as your domain.
