December 27, 2016

The light and dark side of shadow IT

By Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions


As the reality of shadow IT settles in, it’s important to have security in place every step of the way. Today’s CIO must combat several shadow IT trends, but there are many things your company can do to manage the applications that your employees want to use, all while ensuring security of information and data.

The Light Side

Employees can boost their productivity with advanced and innovative applications that are easy to download and use. Collaborative tools such as Slack, Dropbox and other cloud-based applications allow users to quickly and effectively “get things done” without delaying workflow and deadlines while they wait for the dreaded help-desk call. Even approved applications such as Office 365, Google Docs, and the like are still a blind spot for many organizations – they know the applications are being used, but have no idea of the content in them or how far they have truly proliferated.

The Dark Side

Because it is so easy to “swipe-and-go” with a corporate credit card, internal IT may not have any idea what applications employees are using; therefore, the proper security and compliance measures may not be in place. Indeed, most organizations have very little idea of their true exposure: what information is shared via email, websites or other “unsanctioned” applications.

“Rock the… CASB?”

Anger leads to the Dark Side… One of the primary steps that can be taken to prevent your company from crossing over to the Dark Side is setting up a cloud access security broker (CASB). CASBs can see exactly which services users are accessing in the cloud, and identify any unsanctioned use. Many of Arrow’s vendors have CASB services, from a basic audit to ongoing identification and control of access to cloud services.

A company must determine what services are allowed to be provisioned – what applications should employees be able to access freely? Does IT know about it? Will they allow it? If so, what information is being put into the cloud? Does it adhere to corporate security policy? Do you know how to remediate problems if and when they arise? Do you know today who has access to your corporate data? When it boils down to it, IT needs to know who is using what so they can best enable employees to do their jobs while also minimizing risk.

Arrow Can Help

Arrow has partnerships with, and knowledge of, many security and networking solutions providers such as Blue Coat Systems’ acquisition, Elastica; Palo Alto Networks’ Autofocus; and other providers including RSA’s Via, Imperva and Skyhigh Networks. These vendors have proven well-grounded in the CASB space, protecting data and applications in the cloud. CASBs are usually positioned “in-line” on a company’s internet connection, monitoring the traffic actively in use and providing statistics on which applications are in use, how much bandwidth they consume, and which computers and users are accessing them. CASBs even provide the capability for companies to decide to allow or deny access to certain applications for certain employees.
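The per-application statistics and per-employee allow/deny decisions described above can be illustrated from web proxy logs. This is an added example, not code from the original post or from any vendor named in it, and it works on recorded log lines rather than in-line traffic; the log format, domain map, sanctioned list and group policy are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumptions: domain-to-app map, sanctioned list and per-group exceptions.
APP_BY_DOMAIN = {"slack.com": "Slack", "dropbox.com": "Dropbox",
                 "office365.com": "Office 365", "docs.google.com": "Google Docs"}
SANCTIONED = {"Office 365", "Google Docs"}
GROUP_ALLOW = {"engineering": {"Slack"}}  # extra apps allowed per group

# Constructed sample log. Fields: time user group device dest_host bytes
SAMPLE_LOG = """\
2016-12-27T09:00:01 alice engineering LAPTOP-01 files.slack.com 1200
2016-12-27T09:00:05 bob finance DESKTOP-07 www.dropbox.com 5000000
2016-12-27T09:01:10 bob finance DESKTOP-07 outlook.office365.com 42000
2016-12-27T09:02:00 carol finance LAPTOP-09 www.dropbox.com 750000
2016-12-27T09:03:30 carol finance LAPTOP-09 slack.com 300
2016-12-27T09:04:00 alice engineering LAPTOP-01 docs.google.com 8000
not a log line
"""

def app_for_host(host):
    """Map a destination host to an app by exact or parent-domain match."""
    host = host.lower().rstrip(".")
    for domain, app in APP_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None

def is_allowed(app, group):
    """Allow sanctioned apps for everyone, plus per-group exceptions."""
    return app in SANCTIONED or app in GROUP_ALLOW.get(group, set())

def summarize(log_text):
    """Aggregate per-app users, devices, bytes and policy violations."""
    stats = defaultdict(lambda: {"users": set(), "devices": set(),
                                 "bytes": 0, "denied": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip malformed records instead of failing
        _, user, group, device, host, size = parts
        app = app_for_host(host)
        if app is None:
            continue  # destination is not a catalogued cloud app
        entry = stats[app]
        entry["users"].add(user)
        entry["devices"].add(device)
        entry["bytes"] += int(size)
        if not is_allowed(app, group):
            entry["denied"].add(user)
    return dict(stats)
```

Calling `summarize(SAMPLE_LOG)` returns one entry per application with its users, devices, byte total and the users whose access falls outside policy.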

Skyhigh Networks recently pulled together a list of 20 of the highest-risk cloud applications that companies should avoid. As a result of the reality of shadow IT and the inherent risk it can introduce, more and more companies are turning to a zero-trust model, assuming that they can’t trust the application, the network, the computer, or the employee using it until they truly have identified that user and device.

Allowing employees to have freedom in their choice of applications and devices while ensuring the proper security of information and data may seem challenging. Arrow has the consulting experience, vendor alignment and management capabilities that can help identify, assess and lead you on the path away from the Dark Side of shadow IT problems.

2017 can be the year IT embraces shadow IT. If you have additional questions about shadow IT and securing your organization, please contact Davitt Potter.

Editor’s note: This post was originally published in June 2016 and has been updated for accuracy and comprehensiveness.