Shadow IT: the challenges of unregulated software use

Maxime Tolub


Marketing manager

07/2023

Shadow IT is a challenge for companies, as unauthorized use of tools and software by business teams requires a balance between flexibility and security. To master it, we need to understand the reasons that drive users to bypass the regulations established by the IT department.

Shadow IT: when users go against the IT department. Reasons, consequences and solutions to curb shadow accounts

Shadow IT, also known as phantom accounts, refers to the use of tools and software by business teams without prior authorization from the IT department. These IT resources have not been provided by the company and are therefore used unofficially, in the shadow of the IT department, which has no visibility of them.

What's the background to Shadow IT?

Shadow IT doesn't just happen; there are reasons for it.

And no, your employees don't want to harm the company!

On the contrary, they want to benefit from new tools to work more efficiently.

Sometimes, the solutions proposed by the company may be too rigid or fail to fully meet users' expectations.

By looking for external solutions, users can find tools better suited to their needs. They're easy to set up, often SaaS solutions, sometimes free or very attractively priced with trial periods.

Users are used to downloading and testing personal applications on a daily basis, so it's relatively tempting to test professional tools for the workplace in just a few minutes.

Herein lies the problem: the user will create accounts on several tools, entering and storing professional and confidential information without the IT department being informed. For example, a user wishing to store documents in the cloud and access them anywhere could create a OneDrive account.

As more and more accounts are created, security holes appear.

But why not talk directly to the IT department and go through the processes established internally?

Because it's long... Much too long. The steps users have to take are restrictive.

When the user has an urgent need and can't wait for traditional administrative procedures, creating an account outside the process becomes attractive.

What's more, official requests are sometimes rejected after a superficial analysis by the IT department.

It's in this climate that users can break the rules.


Why do user practices run counter to the rules laid down by the IT department?

It would seem that users and the IT department are finding it difficult to find common ground and respect the established rules.

  • The IT department has no way of knowing which accounts have been created on which devices.
  • Users don't dare or don't want to communicate their needs to the IT department.

But what's preventing users and CIOs from working well together? Can't they coexist hand in hand, in harmony? 😕

If the IT department is not sufficiently flexible and open to suggestions, users are tempted to bypass the rules and choose the tools that suit them best, without being constantly monitored. For example, in accounting, employees or managers don't necessarily want the IT department to know about information that doesn't concern them.

They may feel infantilized if they get the impression that the IT department is trying to control and restrict their actions.

This kind of user behavior is dangerous for corporate security. By circumventing the rules laid down by the IT department, a user could, for example, create orphan accounts undetectable to the IT department, or a manager could buy licenses and not use those provided at the outset.

But that's not all.

Users are not always aware that there are regulations governing the use of tools or technologies within the company. If the IT department fails to communicate clearly and effectively about regulations and provide adequate training, users can find themselves lost and unknowingly adopting non-compliant practices.

Users should know what they can and cannot do. Can they send professional e-mails to themselves? Store data on a USB stick? Use cloud services?

These grey areas need to be clarified through exchanges between users and the IT department.

Finally, if the regulations laid down by the IT department are too restrictive and unsuited to the user, mainly because the process takes too long, then users are pushed towards Shadow IT.

Factors driving the growth of shadow IT in recent years

We shouldn't think that Shadow IT occurs in companies solely because of users and CIOs. There are factors external to companies that have a significant impact.

Firstly, the rise of SaaS solutions and the Cloud have played a major role in the rise of Shadow IT. Thanks to a wide range of innovative offerings, SaaS is very accessible, with attractive prices for both personal and professional use. The advantages of SaaS solutions lie in their rapid deployment and availability on all types of device, whether computer, tablet or phone.

Secondly, with the development of teleworking, users often find themselves mixing their tools, work and personal devices. For example, they may use their work computer for personal tasks, or vice versa.

The lack of guidance and precision on the rules to be respected when teleworking gives users a certain flexibility and freedom to test unregulated tools on their devices.

Humans create shadow IT as part of their daily lives, but even seemingly innocuous connected devices can create shadow IT! We call this shadow IoT.

These seemingly innocuous devices are a godsend for hackers looking to break into a company's network. Whether it's a simple coffee machine, a connected loudspeaker, or office equipment such as a printer or photocopier, they are often deployed without the security controls that corporate standards require, and configured with easily guessed logins and passwords.

A real case: a casino suffered a major security breach due to Shadow IoT. As Le Figaro explains in its article, this establishment was hacked through a connected thermometer in an aquarium. The hackers used it to enter the network, and from there gained access to the database.

Shadow IT and Shadow IoT both present challenges for IT departments in terms of management, security and compliance.


Mastering Shadow IT

Shadow IT is on the increase in the enterprise, and its total elimination is not feasible. So, yes, we can bury our heads in the sand, but that's not the solution.

Shadow IT must be mastered in order to:

1. Avoiding security breaches

Unauthorized use of unsecured software, applications and services can lead to potential security breaches within the company.

This practice creates openings in the information system that are neither monitored nor known to the IT department, opening the door to cyber-attacks.

2. Better vision for the company

As Shadow IT develops, it becomes more and more difficult for the IT department to have complete control and insight into the technologies used by employees.

This problem is compounded by the difficulty of carrying out audits and finding out who has which licenses. Without visibility of user accounts, the IT department finds itself unable to effectively monitor license usage and take measures to optimize their use.

3. Access rights management

Shadow IT can lead to ineffective management of access rights. Employees using unapproved solutions may be granted excessive or inappropriate authorizations, increasing the risk of data leakage or compromised confidentiality.

There are a number of ways to deal with Shadow IT.

1. Identify software, accounts and users in an IAM solution.

Implementing an identity and access management solution enables you to:

  • control user privileges: by granting rights and privileges consistent with the user's functions
  • manage orphan accounts: when an account is active but not attached to a user
  • detect duplicates: when an error occurs during account creation and another account is created without deleting the old one, which is still active
  • manage system accounts: accounts created by system administrators
  • manage shared accounts: when several users use the same account on a tool

IAM won't eradicate Shadow IT - that would be too simple. On the other hand, an access and identity management solution will enable you to clean up your information system (remove orphan accounts, duplicates, etc.) by managing system accounts and users.
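The checks in the list above (privileges consistent with the user's function, orphan accounts, duplicates, system accounts, shared accounts) can all be expressed as a reconciliation between an application's account export and the HR directory. The script below is an added example, not Youzer's code: it runs those checks over a constructed account export and a constructed HR directory. The field names, the `svc_`/`sys_` naming convention used to recognize system accounts, and the table of roles each business function may hold are assumptions made for the example.

```python
"""Reconcile application account exports against the HR directory.

Added example (not Youzer's code). It surfaces the account categories an IAM
clean-up targets: excessive privileges, orphan, duplicate, system and shared
accounts. All data below is constructed; the system-account prefixes and the
allowed-role table are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    app: str                    # application the account lives in
    login: str                  # login name as exported by the application
    owner: Optional[str]        # e-mail the application associates with the account, if any
    active: bool
    app_role: str               # privilege level inside the application
    seen_from: tuple            # distinct workstations in the app's sign-in log (constructed)


# Constructed HR directory: e-mail -> business function.
HR_DIRECTORY = {
    "alice@example.com": "sales",
    "bob@example.com": "marketing",
    "dan@example.com": "marketing",
}

# Assumed rule set: which in-app roles each business function may hold.
ALLOWED_ROLES = {
    "crm": {"sales": {"user", "manager"}, "marketing": {"user"}},
    "storage": {"sales": {"user"}, "marketing": {"user"}},
}

# Assumed naming convention for accounts created by administrators.
SYSTEM_PREFIXES = ("svc_", "sys_")

# Constructed account export covering two applications.
ACCOUNTS = [
    Account("crm", "alice.martin", "alice@example.com", True, "manager", ("WS-ALICE",)),
    Account("crm", "a.martin", "alice@example.com", True, "user", ("WS-ALICE",)),        # second account for Alice
    Account("crm", "c.leroy", "carol@example.com", True, "user", ("WS-CAROL",)),         # Carol has left the company
    Account("crm", "bob.durand", "bob@example.com", True, "manager", ("WS-BOB",)),       # marketing holding a manager role
    Account("storage", "marketing", "bob@example.com", True, "user", ("WS-BOB", "WS-DAN", "WS-EVE")),  # team login
    Account("storage", "svc_backup", None, True, "admin", ("SRV-BACKUP",)),             # admin-created account
    Account("storage", "old.intern", None, False, "user", ()),                          # inactive: not reported
]


def classify(accounts, directory, allowed_roles, system_prefixes=SYSTEM_PREFIXES):
    """Return {category: sorted list of (app, login)} for the active accounts."""
    findings = defaultdict(set)
    per_owner = defaultdict(list)  # (app, owner) -> account keys, for duplicate detection

    for acct in accounts:
        if not acct.active:
            continue
        key = (acct.app, acct.login)
        if acct.login.startswith(system_prefixes):
            # Created by administrators: inventoried, but not matched to an employee.
            findings["system"].add(key)
            continue
        if acct.owner is None or acct.owner not in directory:
            # Active account with no current employee behind it.
            findings["orphan"].add(key)
        else:
            per_owner[(acct.app, acct.owner)].append(key)
            allowed = allowed_roles.get(acct.app, {}).get(directory[acct.owner], set())
            if acct.app_role not in allowed:
                # Privilege level not consistent with the owner's business function.
                findings["excessive_privilege"].add(key)
        if len(set(acct.seen_from)) > 1:
            # One login used from several workstations: several people share it.
            findings["shared"].add(key)

    for keys in per_owner.values():
        if len(keys) > 1:
            # Same person, same application, more than one active account.
            findings["duplicate"].update(keys)

    return {category: sorted(keys) for category, keys in findings.items()}


if __name__ == "__main__":
    for category, keys in classify(ACCOUNTS, HR_DIRECTORY, ALLOWED_ROLES).items():
        print(f"{category}: {keys}")
```

The orphan check is deliberately based on the HR directory rather than on the application's own "active" flag: an account that a departed employee created through Shadow IT is still active in the tool, and only the comparison with the list of current employees reveals it.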

2. Establishing a constructive dialogue between IT and users remains the most important step in slowing down Shadow IT.

To improve communication, you can:

  • organize training courses: presentation of best practices in the use of the company's IT tools.
  • listen to each other: the IT department needs to listen carefully to employees' needs in order to meet them as effectively as possible and, why not, adopt innovative and effective solutions. Users also need to be more aware of the dangers their practices create, more attentive to the company's security and more respectful of IT decisions.
  • communicate both ways: IT must communicate clearly and transparently about policies, the reasons for restrictions and the approved alternatives. Employees can express their needs, while IT can provide information to guide them towards approved solutions.
  • hold quarterly meetings with departments: these meetings make it possible to keep current solutions up to date, evaluate them, and regularly monitor technological needs.

Conclusion

The development of shadow IT in companies is often the result of a lack of flexibility in the in-house solutions offered by the IT department, cumbersome administrative procedures and the frequent rejection of requests without in-depth analysis.

You can't get rid of it, and you can't pretend it doesn't exist.

It's important to strike a balance between user satisfaction and corporate security, promoting a collaborative approach to reducing the use of Shadow IT while meeting employee expectations for efficiency and technological innovation.
