The term “shadow IT” is used to describe IT projects that are outside of normal company structures. Most IT departments have a low opinion of shadow IT projects, for two reasons. The first is that shadow IT grows when normal IT isn’t doing a good job — insufficient resources, process issues, or disagreement on priorities.

Naturally, IT departments don’t approve of initiatives that don’t meet people’s needs. However, even when IT groups move beyond resentment at being told they’re failing in their mission, they encounter the second reason to dislike shadow IT: These projects rarely have the infrastructure surrounding them that makes them supportable and secure. When the initial investment is spent and the investor moves onto something else, IT groups are left with a serious maintenance liability, no funding to fix it and unknown security risks.

In some cases, shadow IT comes about through force of personality — a new group leader who prefers to use videoconferencing solution X, when the corporate standard is Y, and simply goes off and drags their department with them. These situations require not only diplomacy and patience but also an open mind. Corporate IT has to listen hard to understand the true motivations and the real issues, which can be difficult during a politically bruising fight.

Not every shadow IT initiative is implemented through stubbornness or lack of communication. Mature IT groups see shadow IT as a necessary evil that helps the organization understand where the formal process has failed and needs to be fixed. Obviously, the goal is to minimize shadow IT, but the best approach is to minimize the need for shadow IT projects rather than aiming to cut off projects with legitimate requirements. Good IT managers use shadow IT successes and pressures as a way to re-think their own priorities and resource allocations.

Most importantly, IT managers should understand that trying to completely choke off shadow IT can be counterproductive and an extreme security risk. If shadow IT projects are driven so far underground that IT departments never hear about them, there’s a risk that an unauthorized project will be the path for a data breach — and the costs to clean up shadow IT breaches are disproportionately high due to lack of logs, backups, monitoring, or good security practices.

Mobility, Security, and Shadow IT

Enterprises that have embraced mobility and shifted to heavy use of mobile devices such as smartphones and tablets should take shadow IT projects seriously — and build IT architectures that help reduce the risk of security failure when unofficial applications pop up. Four key strategies can help here:

  1. Lock down devices, but not too tightly. If mobile devices are locked down so tightly that the end user cannot run any personal applications, then the risk is that users will simply pull out their own smartphone and use that rather than an enterprise-managed device. With a completely uncontrolled configuration, settings such as passcode lock won’t necessarily follow enterprise standards, which means you could end up with a user with two smartphones, one of which has an unofficial application set and inadequate security due to user error or sloppiness.

Instead, give users space to run their own applications. Features such as Android Enterprise’s work/home profiles allow flexibility while ensuring that the core features of the device are under control and user error opportunities are minimized. Application whitelists may be too confining, but restricting application stores to Google Play (for Android users) allows some shadow IT applications without opening the door too widely.

  1. Expose only APIs you trust to the Internet — and to VPNs. Shadow IT in the office is one thing, but mobile applications usually run over the Internet. This means that devices will have to reach back to enterprise data centers, directly or indirectly, to get access to operational data. If shadow IT applications have to use the same documented, logged, firewalled, and authenticated APIs that official applications use, you’re cutting risk right there.

Letting unofficial application servers be exposed to the Internet directly exposes you to infinite risk, so don’t ever approve that type of firewall hole. By channeling all applications, official and shadow, through the same set of APIs, you gain significant control over risk while allowing mobile-based shadow IT projects to add value in their own way.

The same thing is true of VPN-based applications: Just because something is on the other end of a VPN tunnel doesn’t mean it’s a trusted application. Treat VPNs as a way to protect traffic and provide some authentication, but don’t consider a VPN user above the law when it comes to access controls.

  1. Pay attention to your logs. Shadow IT applications may not announce themselves directly, but they can often be detected through unusual data access or authentication patterns. Mobile Device Management tools and Security Event and Information Managers may help you track down shadow IT applications as well as identify misbehaving applications that create other risks (such as overly-frequent authentications or caching large amounts of data).

IT managers already know that they should be watching logs for performance and security problems. Detecting risky mobile applications built through shadow IT is just another possible outcome.

  1. Keep an open mind about Shadow IT. When someone invests in IT off the books, it’s a signal that they prioritize a new mobile application over other uses for that same budget. That’s powerful information about what is important to staff in the field or line-of-business managers who are working around official channels.

Mobile computing is faster-moving and changes more quickly than traditional desktop environments, and this requires changing some of the timeliness and business processes that IT has been using. When mobile applications are popping up as shadow IT projects, that’s a sign IT may not have found the right rhythm to support enterprise mobility.

Shadow IT is an expensive way to solve problems and can create hidden infosec risks. The secret to avoiding these costs and risks is to understand where shadow IT comes from, and use that information to re-align IT with the business needs of the enterprise.

Gaps in enterprise security can be devastating. Take our mobile security assessment to find out if your company is covered — and how you can stay ahead of the curve.