Shadow IT – Security Policy Pillars

Many of our Information Shield customers are asking how to address “Shadow IT” within their information security policy programs. In this article we identify the common risks of unapproved IT devices and services and explain how to address them in your governance and security policy framework.

What is “Shadow IT”?

In short, “shadow IT” is a term coined by infosec people to describe IT devices and services that are not part of the official IT infrastructure of a company. According to Wikipedia:

Shadow IT is a term often used to describe information-technology systems and solutions built and used inside organizations without explicit organizational approval. It is also used, along with the term “Stealth IT”, to describe solutions specified and deployed by departments other than the IT department.

The proliferation and power of personal computing devices and third-party services (like Box and Google Docs) has made this all too easy. While the issue has many facets, shadow or stealth IT boils down to a simple concept: users setting up systems and services without approval.

But how do we control it? From the perspective of information security, the concept of unapproved devices or services can be addressed in two key areas: (1) Acceptable Use and (2) Infrastructure Monitoring.

Part 1:  Approval for Devices and Services

The first key control point in addressing “Shadow IT” is to require approval for all information technology devices and services. An example security policy for this control would be as follows:

“All information technology devices and services that process Company X information must be approved by the Information Technology Department. Users must not create or connect devices to the network without specific approval.”

A related policy that is even more robust is to require that any device connected to the company network must be configured according to baseline standards set by the Information Security Department.

It is easy to overlook this seemingly basic policy and focus just on the technology.  But until you specifically prohibit users from doing something, it is much more difficult to address violations when they come up.

Part 2:  Device and Service Monitoring

The second element of the control framework is monitoring. Once you have established that users are not allowed to set up rogue devices and services, you must adopt some form of monitoring to enforce the policy. An example policy for this control would be as follows:

“The Information Security Department must employ tools to detect unauthorized devices, applications and services within the Company X network environment.”

This basic policy can be modified in a number of ways, but the critical element is that some monitoring and alerting must be in place. As with all good policy statements, it does not require a specific technology. It does establish a control point: the IS or IT department must actively look for rogue devices and systems.
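One concrete way to satisfy a monitoring policy like the one above is to reconcile what is actually seen on the network against the approved asset inventory that Part 1 creates. The script below is an added example written for this article, not code from Information Shield or from any product; the DHCP lease lines and the approved-asset list are constructed sample data, and the dnsmasq-style lease layout is an assumption. It parses the leases, normalises MAC addresses, and flags every device that is not in the inventory.

```python
"""Reconcile observed network devices against an approved asset inventory.

Added example for the monitoring control discussed above (not the article's
or any vendor's code). All data below is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed approved-asset inventory maintained under the approval policy:
# MAC address -> asset tag / owner.
APPROVED_ASSETS: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "LAPTOP-0001 (Finance)",
    "aa:bb:cc:00:00:02": "PRINTER-HQ-2",
    "aa:bb:cc:00:00:03": "LAPTOP-0003 (Engineering)",
}

# Constructed DHCP lease lines in a dnsmasq-like layout (an assumption):
# <expiry epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.10 laptop-0001 *
1700000000 aa:bb:cc:00:00:02 10.0.1.20 printer-hq-2 *
1700000000 AA:BB:CC:00:00:03 10.0.1.30 laptop-0003 *
1700000000 de:ad:be:ef:00:01 10.0.1.77 nas-backup *
1700000000 de:ad:be:ef:00:02 10.0.1.78 * *
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<ip>\S+)\s+(?P<host>\S+)"
)


def parse_leases(text: str) -> List[Tuple[str, str, str]]:
    """Return (mac, ip, hostname) tuples; MACs are lower-cased so that
    inventory lookups do not depend on how the DHCP server writes them."""
    devices = []
    for line in text.splitlines():
        match = LEASE_RE.match(line.strip())
        if not match:
            continue  # blank or malformed line: skip rather than abort the run
        devices.append((match.group("mac").lower(), match.group("ip"), match.group("host")))
    return devices


def find_unapproved(devices: List[Tuple[str, str, str]],
                    approved: Dict[str, str]) -> List[dict]:
    """Flag every observed device whose MAC is absent from the approved inventory."""
    findings = []
    for mac, ip, host in devices:
        if mac not in approved:
            findings.append({
                "mac": mac,
                "ip": ip,
                "hostname": host,
                "reason": "MAC address not in approved asset inventory",
            })
    return findings


def main() -> None:
    devices = parse_leases(SAMPLE_LEASES)
    for finding in find_unapproved(devices, APPROVED_ASSETS):
        # In a real deployment this line would feed a ticket or SIEM alert.
        print(f"ALERT unapproved device {finding['mac']} at {finding['ip']} "
              f"(hostname {finding['hostname']})")


if __name__ == "__main__":
    main()
```

Two of the five constructed leases are flagged. A MAC address is an inventory key, not an identity, so a check like this is a first-pass detective control that tells the IT department where to look; it complements, rather than replaces, network access control such as 802.1X for enforcing the approval policy.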

Should I have a “shadow IT” security policy?

The short answer is “no”. If you have a robust internal control framework, the two primary risks of unapproved devices will already be covered. If they are not, your organization should consider updating both its Acceptable Use of Assets Policy and its System Monitoring Policy.

Keeping “IT” Simple

Information security professionals love to create buzzwords for the latest threat or IT trend. However, rarely does one of these buzzwords demand an entirely new way of looking at security. Our recommendation is to “keep it simple”, which also helps to keep information technology (IT) simple. Before coming up with a new security policy, look to your existing ones and see whether they already meet your needs or must be enhanced.