Shadow IT: Gaining control of a parallel universe
For network managers, merely the thought of unknown or even partly unknown IT infrastructures on a network can be enough to send a shiver down the spine. In shadow IT networks, complex infrastructures can develop from everyday practice, without the approval or knowledge of the IT department.
These infrastructures can range from manageable hardware environments to complete ERP solutions that are in daily use throughout the company – using the data of the official ERP system, but that are in no way accessible to the IT department, says Martin Hodgson, head of UK & Ireland, Paessler.
Independent shadow infrastructures often arise as a result of poor management or planning. If a department is not offered adequate solutions for the work they are tasked to do, or heads of department aren’t educated in the need to work from a centralised enterprise network, the situation may arise where solutions are created from the ground up without proper consultation with the IT department. Much like the creatures in Stranger Things, shadow IT networks can unleash a plethora of risks for networks and unwitting IT departments.
Exposing potential vulnerabilities
This is perhaps the first major risk which comes to mind when we think of unknown infrastructure on the network. Infrastructure that has been set up without the knowledge of the IT department often lacks the required level of security to ensure protection from cyber-attack. In some instances, hardware may be lacking up to date firmware and may even be without a firewall or virus scanner. In a world where a network is only as strong as it’s least secured device. This may leave an entire enterprise network vulnerable to attack.
Reducing the damage from data loss
Shadow IT systems and applications run outside of the IT department’s backup and restore plan. This can mean that mission critical business functions may be taking place without a back-up solution at all. In the event of an incident, such as a cyber-attack that leads to data loss, crucial company data may disappear entirely without any chance of recovery. In a worst-case scenario this can cause significant damage to company operations with potential for serious financial repercussions.
Securing data
Even if we ignore the issue of operating without sufficient back up, a shadow IT network may give no overview of potential data access. This means that external service providers, contractors and even former employees may have access to sensitive data. With no permissions overview, there is no way of predicting who can access data and what could be done with it.
Martin Hodgson
Maintaining efficient operations
Shadow IT hardware and software is often installed without the requisite testing. Although these systems may directly benefit the individual activities of the installer, this is often a reason for the creation of Shadow IT in the first place, the untested system may slow or even stop other business critical systems on the network. Even in shadow IT networks that run smoothly, double maintenance and administration is required to ensure the system continues to run smoothly in parallel with the official enterprise network.
Internal compliance
To state the obvious, the creation of shadow IT processes outside of established IT department protocol will likely violate a company’s IT compliance rules. More seriously however, introduction of shadow IT systems for specialist departments may be a fundamental breach of external regulation such as data protection law. In these instances, breaches of external regulation can lead to large fines from regulators and even company collapse.
Scary stuff, but it doesn’t have to be this way. Thankfully even widespread shadow IT issues can be controlled if the right strategies are put into place by the IT department and senior management. The first step to removing shadow IT systems is being able to locate them. Network visibility is the number one factor leading to the detection and removal of shadow networks. Even well-hidden parallel infrastructure may be detected for example via unusual data traffic readings through a router or switch.
The author is Martin Hodgson, head of UK & Ireland, Paessler
Comment on this article below or via Twitter @IoTGN