“Shadow IT” (also known as “Stealth IT”, “Client IT” or “What have those eejits in marketing done now?”) is the term used to describe IT systems which are developed and owned by business teams outside of the control or jurisdiction of an organisation’s IT department. Usually initiated with pure intentions, these systems can pose a significant security and regulatory threat to your business and can cover anything from an Excel spreadsheet through to a multi-user CRM database that is based in the cloud.
Shadow IT systems can expose your business to regulatory risks, as well as increasing the chances of compromise to the confidentiality, integrity and availability of your organisations data.
Organisations are required under GDPR to be able to provide a copy of all the data they hold on an individual and comply with deletion and modification requests. The processes built to ensure compliance with this regulation (and the avoidance of the stiff penalties for non-compliance) will cover all known data repositories in the organisation. Since Shadow IT systems are often unknown to an organisation’s IT department, it is possible that the organisation could fail to meet its GDPR obligations simply because it is storing data in-scope for GDPR within systems that are outside the organisations control. In the event of a GDPR subject access request from an individual whose data is included in the Shadow IT database, it may be impossible for the organisation to account for how the information is stored, processed, modified or deleted by the Shadow IT organisation, as the organisation will have a limited view of the Shadow IT organisations internal processes and infrastructure.
PCI-DSS and ISO 27001 both employ clear scope boundaries for parts of the network which are governed by their respective standards and those which are not. A Shadow IT system which contains payment card information can dramatically increase the scope of PCI – and expose the organisation and its customers to the risk of a data breach, as the sensitive data may not be adequately protected.
The confidentiality of company and client data can be put at risk by using Shadow IT services, often because the creators of the Shadow IT systems do not have an appreciation of the risks involved. For example, a spreadsheet full of client data may be stored in a personal cloud storage account (such as Dropbox or OneDrive) in order to facilitate staff working on the data while out of the office. The cloud storage account may be secured by a weak password that a member of staff uses for all their personal web logins, and may be compromised in a credential stuffing attack when an unrelated website suffers a breach or data spill.
Any time business data is copied or collected in systems that are outside of the organisation’s control, it may be at risk. Confidentiality is best preserved by providing a means for business users to view the data they need to fulfil their role, but not to keep their own copies of that data in uncontrolled systems.
When a Shadow IT system (such as an Excel document or Access database) contains the master (or only) copy of business data, the lack of change control around these end-user documents can result in intentional or accidental corruption of the data. For example, a team of quantity surveyors for a builder that uses Excel spreadsheets stored on their laptops to track progress of building projects. Over time, the formatting and formulas used in the Excel documents by different surveyors can diverge, resulting in different definitions of the costs and profits being calculated and reported to head office. This means that the business may be unable to report accurately on the costs and liabilities of the projects. This could be because individuals try to misrepresent the profitability of their projects on purpose in order to hit targets or because of accidental edits.
Any data which is used to calculate or generate statutory reports needs to be protected from unauthorised changes. Not only are the officers of the business exposed to legal or regulatory sanction is they report incorrect data, the management of the business is not able to make sound judgements if the management accounts or other key performance indicators that they rely on are untrustworthy. Unfortunately the errors in these figures often do not come to light until they are analysed during the post-mortem of a catastrophic failure.
Information Security is concerned not only with preventing unauthorised access to data but also ensuring that when authorised users want to access the data, they can, because the data is where it is supposed to be. Most business users do not consider the risk of data loss, instead assuming that modern computers and ‘the cloud’ are available and reliable 24/7. Events like the recent data loss of 50 million artists songs at MySpace underline the vulnerability of using free cloud services for storage. It is likely that Shadow IT system are not adequately covered by the backup and archiving regime controlled by the IT department, which significantly increases the impact of data loss.
Consumer-grade cloud storage systems generally do not offer the ability to revert to a previous version of a document – you can access the last saved version of your document but not the version from yesterday. As a result, such systems are vulnerable to ransomware attacks on the users personal computer. In the event of a ransomware attack against a folder which is synchronised with the cloud storage system, the automated upload to the cloud will replace all its copies of the files the with new encrypted versions generated by the ransomware. Unless the user has made additional backup copies of the data, all the user has now is two copies of their encrypted data.
How to respond to Shadow IT
Users who create Shadow IT systems are generally not trying to subvert the IT department or place the business or clients data at risk – they are simply trying to do their job. Recognising this truth, IT managers can examine the systems users are trying to create and then put in place appropriate tools and controls.
For example, the rise of end user reporting through the use of tools such as Microsoft PowerBI or Tableau is a reflection of the increasing sophistication of many business users. Markets move fast and business decision makers want to change their reports today in order to analyse the latest market trends – no longer are they happy to wait three weeks for a new version of a report to find its way through the IT change control process. “Agile” is the watchword for the whole business – not just the software development teams.
Taking BI and reporting as an example, IT Managers could provision read-only views into IT-controlled databases (with sensitive fields excluded) then allow business users to connect their chosen reporting engine to those views. Compliance is achieved because the database views only include the fields those users are permitted to see, and integrity is protected as the views are read-only.
Security Awareness Training that engages and educates business users is another important piece of the puzzle. When users understand the risks posed by a data breach or data spill and the simple steps they can take to mitigate them, it is easier to build a security-minded culture across the business.
Security Managers can track down Shadow IT systems by reviewing how their business makes decisions. For example, by considering the KPI and metrics used by the senior management team to measure the business performance each month. By tracing back how those metrics are calculated, can help to identify if they come direct from reports in core line-of-business systems or are there unexpected Excel documents involved in collating and calculating the data. Once these additional processing actions have been identified, steps can be taken to add the protection and possible automation that is missing to ensure the business is protected and everyone has the information they need to do their jobs. If a web-filtering system (such as a proxy) is used by the organisation, the logs may be used to identify if staff are using online Shadow IT systems which are outwith the organisation’s control.
External auditors and penetration testers can also be helpful, both in identifying Shadow IT systems and to highlight the risks they pose if their security is compromised.