“Shadow IT” refers to the too-common practice whereby managers select and deploy cloud services without the consent or even the knowledge of the IT department. These services act as extensions of the corporation but are steered entirely by groups that lack the knowledge or process to ensure they follow necessary guidelines, introducing security, compliance, and brand risk throughout the enterprise. Gartner predicts that by 2020, one-third of security breaches will come in through shadow IT services.
1. Understand your users’ motivations
Your users aren’t selecting and deploying their own cloud solutions out of any desire to give you headaches or put the company at risk. They view these services as safe, reliable ways to make their jobs more effective, and it doesn’t even occur to them that there is a good reason to involve the IT department in these decisions. The more you can consider their perspective, the easier it will be to enlist their cooperation.
2. Know who’s sending email
Most enterprise cloud services send email at some point in their workflow, usually with one of your corporate domain names in the From address. That is good news, because DMARC, the open email authentication standard, gives you visibility over all email sent using the domain names you control, even when it originates from a service entirely outside your network: publish a DMARC record that names a reporting address, and receiving mail providers send you aggregate reports listing every source IP that put your domain in the From header, along with whether each one passed SPF and DKIM. Legitimate cloud services sending on behalf of your company are overwhelmingly likely to be in use by your employees. If they are not already on your radar, that means they are shadow IT. One caveat: a service that sends from its own domain rather than yours will not show up in these reports, so this finds the services that borrow your identity, not every cloud service in use.
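The visibility step above amounts to reading DMARC aggregate (rua) reports and comparing the source IPs against what IT already knows. The following script is an added example, not code from the original article: it parses a constructed rua report in the RFC 7489 XML shape, aggregates it per source IP, and lists the senders that fall outside a hypothetical allowlist of known mail infrastructure. The IP ranges, domain names and service names are all made up for illustration.

```python
"""Find unexpected senders in a DMARC aggregate (rua) report.

Added example, not code from the original article. The report below is
constructed in the RFC 7489 rua XML shape; IPs and service names are
hypothetical. To receive such reports, publish a DMARC record such as:
  _dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
(p=none means monitor only, which is what you want while inventorying senders).
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Hypothetical inventory of sending infrastructure IT already knows about.
KNOWN_SENDERS = {"192.0.2.0/24": "corporate mail gateway"}

# Constructed sample report: three records, one per source IP.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>receiver.example.net</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>60</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>helpdesk-saas.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Aggregate a rua report per source IP.

    Returns (reported_domain, {ip: {"count", "dmarc_pass", "spf_domains", "dkim_domains"}}).
    """
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    senders = defaultdict(lambda: {"count": 0, "dmarc_pass": 0,
                                   "spf_domains": set(), "dkim_domains": set()})
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # policy_evaluated holds the alignment-checked results: DMARC passes
        # when either aligned DKIM or aligned SPF passed.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        s = senders[ip]
        s["count"] += count
        s["dmarc_pass"] += count if passed else 0
        # auth_results name the domains actually checked; for a third-party
        # service the SPF (MAIL FROM) domain is usually the service's own,
        # which is a strong hint about which product is behind the IP.
        for node in rec.findall("auth_results/spf"):
            s["spf_domains"].add(node.findtext("domain"))
        for node in rec.findall("auth_results/dkim"):
            s["dkim_domains"].add(node.findtext("domain"))
    return domain, dict(senders)


def unknown_senders(senders, known=KNOWN_SENDERS):
    """Return the subset of senders whose IP is not in any known network."""
    nets = [(ipaddress.ip_network(cidr), name) for cidr, name in known.items()]
    result = {}
    for ip, info in senders.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net, _ in nets):
            result[ip] = info
    return result


def main():
    domain, senders = parse_report(SAMPLE_REPORT)
    print(f"Senders using {domain} in the From header but unknown to IT:")
    for ip, s in unknown_senders(senders).items():
        hint = ", ".join(sorted(s["spf_domains"] | s["dkim_domains"]))
        print(f"  {ip:16} msgs={s['count']:4} dmarc_pass={s['dmarc_pass']:4} auth domains: {hint}")


if __name__ == "__main__":
    main()
```

On the constructed data, two senders are unknown. The one at 203.0.113.25 passes DMARC through an aligned DKIM signature, which means somebody has already published that service's key under your domain, a useful lead when you go looking for the owner. The one at 198.51.100.7 fails both checks and would start being quarantined or rejected the moment you tighten the policy from p=none, which is exactly why the inventory comes before any policy change.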
3. Reach out
Once you know the sending services, you are ready to track down their owners. For some of these it will be easy to create a shortlist: look to customer service for a ticketing system or to marketing for a bulk emailing service, for example. For others you may need to ask the finance team; after all, somebody is paying for them. A company-wide communication to management may even be in order.
4. Resolve compliance issues for each service
Now you can engage the owners of these services to identify how they’re used and if they present risk to the corporation. By taking a reasonable approach with business needs in mind, you should be able to serve the business and still meet the company’s security and compliance requirements. The goal is not to eliminate good cloud services. Rather, it’s to ensure that all cloud services in use are good.