The changing face of shadow IT

Cloud, smartphones and the pandemic have multiplied the devices and services in use. How can IT maintain control over them?

Shadow IT first emerged as a serious challenge for IT leaders with the arrival of SaaS services. It then ramped up with smartphones and BYOD, and the pandemic lockdowns, which forced people to work remotely, often on their own devices, were another step change.

Post-pandemic we may hear less about shadow IT than we once did, but this is more about shifting news cycles than problems solved. Enabling people to work securely and conveniently from anywhere and using a variety of devices remains a tricky problem, particularly for large and complex organisations.

"BYOD is a real challenge for us, we haven't yet solved it," said Amanda Niblett, IT director at the University of East London, in a session during last week's Cybersecurity Festival.

The university employs 3,000 staff, "all of whom can be flexible," and provides them with secure devices. Then there are the 26,000 students, whose needs were accommodated during lockdown by building cloud-based environments to isolate their activities from the core network. But the real headache is the many partners and associates, most of whom use their own devices and who need access to core services.

Sadly, Niblett said, it seems the answer will have to be more restrictions for those whose devices the university does not control.

"Either you put something like Windows Defender on your device so that we can monitor your antivirus, so we can understand what applications you're accessing or when you're accessing them, or we're not going to allow you in. Yes, it's Big Brother watching. So that's the conundrum that we're still trying to solve. It's a challenge."

A related problem with BYOD is UX - how to secure devices without being a burden. The university uses MDM software so staff devices can be tracked and locked, but there's still the issue of unauthorised access.

"We have short screen lock policies so if you get up and nip to the loo the laptop shuts down as quickly as possible, but that's really frustrating," said Niblett.

University-issued notebooks now come with biometric sensors to allow faster unlocking, but the wider piece is about educating people as to why these frustrating measures are necessary, which means regular training. But, she admitted, training courses are poorly attended "because let's face it, it's a boring topic for most."

Shifting boundaries

Training courses are also delivered online, which brings up another problem: what is and what is not IT?

"If you're buying training from a company, what you're buying is a SaaS offering," Niblett said. "But it looks like training to Procurement, so it doesn't get picked up as IT. Then all of a sudden, we're getting requests for some single sign on for this product that we didn't even know we had. Nine times out of ten, you find that the security around that product is just not something we're going to favour. It can be a real problem."

Another effect of bypassing IT when purchasing services is wasteful duplication, she added. The university's procurement rules were recently updated, but before that academic staff would routinely buy products that were already available, simply because they didn't know it.
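The SSO request that reveals a product IT "didn't even know we had" is the reactive form of SaaS discovery. A proactive check, added here as an example and not code from the article or from any of the organisations quoted, is to compare the SaaS domains that appear in web-proxy (or DNS or identity-provider) logs against the list of services IT has actually sanctioned, and flag anything several distinct users are hitting. The log format, hostnames, user names and sanctioned list below are all constructed for the example; collapsing a hostname to its last two labels is a simplification that a real tool would replace with the Public Suffix List.

```python
"""Spot SaaS in use that never went through IT.

Added example, not from the article or any organisation it quotes.
It scans constructed web-proxy log lines for SaaS domains, compares
them with a sanctioned-service list, and reports each unsanctioned
service with the number of distinct users seen on it. The log format
(timestamp user url), the domains and the sanctioned list are
invented; a real run would read the organisation's proxy, DNS or IdP
logs and its IT/procurement register instead.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one request per line, "timestamp user url".
SAMPLE_LOG = """\
2023-05-11T09:01:02Z alice https://mail.example-suite.com/inbox
2023-05-11T09:02:10Z alice https://learn.training-vendor.example/course/42
2023-05-11T09:05:44Z bob https://learn.training-vendor.example/login
2023-05-11T09:06:01Z carol https://www.example-suite.com/docs
2023-05-11T09:07:30Z dave https://notes.quick-pad.example/new
2023-05-11T09:09:15Z erin https://learn.training-vendor.example/sso
2023-05-11T09:10:00Z bob https://cdn.quick-pad.example/assets/app.js
2023-05-11T09:11:41Z frank https://app.example-suite.com/calendar
"""

# Sanctioned services, keyed by registered (second-level) domain. Constructed.
SANCTIONED = {"example-suite.com"}

# Hostname prefixes that are delivery infrastructure, not a product a user
# chose, so they should not count as a "service". Constructed.
IGNORE_PREFIXES = ("cdn.",)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels.

    Adequate for .com/.example; a production tool should use the Public
    Suffix List so that e.g. foo.co.uk is not collapsed to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str):
    """Return (user, host) for one 'timestamp user url' line, or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    _ts, user, url = parts
    host = urlsplit(url).hostname
    if not host or host.startswith(IGNORE_PREFIXES):
        return None
    return user, host


def find_unsanctioned(log_text: str, sanctioned=SANCTIONED):
    """Map each unsanctioned registered domain to the set of users seen on it."""
    users_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        domain = registered_domain(host)
        if domain not in sanctioned:
            users_by_domain[domain].add(user)
    return dict(users_by_domain)


def report(log_text: str, min_users: int = 2):
    """Unsanctioned services used by at least min_users distinct people.

    Several users on the same unknown service usually means a team bought
    it; a single user is more often just browsing.
    """
    found = find_unsanctioned(log_text)
    return sorted(
        ((domain, len(users)) for domain, users in found.items()
         if len(users) >= min_users),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for domain, n in report(SAMPLE_LOG):
        print(f"{domain}: {n} users, not on the sanctioned list")
```

On the sample data the training vendor surfaces with three users while the single-user note-taking site is filtered out by the default threshold; lowering `min_users` to 1 lists both. The same loop works over IdP sign-in logs, where the "host" is the application a user authenticated to, which is the signal Niblett describes arriving as SSO requests.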

On the other hand, shadow IT can be a source of innovation and discovery, said Nick Ioannou, information security officer at property-letting platform Goodlord. Users occasionally find something that's genuinely novel and useful.

"Managing 100 SaaS solutions is a nightmare," he said. "But you can learn from it, and it doesn't have to all be a negative."

Nevertheless, the pandemic brought with it a whole new set of shadow IT problems, Ioannou went on.

"There's a lot of shadow IT in everyone's homes: their routers. If someone's got a really old router, that's a potential security problem."

Then there's bandwidth. The router might be shared with other people streaming video or playing games, making work difficult. "And who knows who they are sharing facilities with?"

Not to forget compliance. At one stage, certifications like Cyber Essentials required companies to provide hardware firewalls to permanent home workers, but this has been softened to allow software firewalls instead. It's worth keeping an eye on such developments, Ioannou said - although of course that's one more job to do.

Farewell office IT?

John Stenton, head of IT at Thrive Homes, looked forward to the day when he can ditch the office firewall altogether, and issue staff with laptops equipped with 5G SIM cards.

"My priorities are productivity, security and visibility as to what's happening on that device," he said. "They can work from anywhere, on our bandwidth and we don't get those restrictions.

"We can rip out the APs and a lot of that infrastructure, and they can work from Starbucks on whatever network they're on without worrying about insecure open Wi-Fi points."

However, this will have to wait until 5G is ubiquitous and the laptops are more mature: "They're getting there. At that point do you need any IT in the office, or does it just become a place to congregate?"

Tackling the modern face of shadow IT, especially as more and more IoT devices enter the picture, requires some kind of zero-trust approach, but, Ioannou said, everyone has a bad day, nothing is 100% secure and things will go wrong.

"The main thing is to have all your bases covered, so you have that visibility and you've got some type of remediation."