Michael Dent, chief information security officer of Fairfax County, Va., recalls meeting with representatives of a cloud file-sharing services vendor who wanted to do business with the county. As part of their pitch, the reps showed Dent that county employees already were putting data on the company’s site. That did not go over well with Dent.
“It wasn’t sensitive data, but it was from employees who were trying to circumvent our telework policy, which requires employees to go through a secure virtual private network and enter credentials. They didn’t want to deal with all that, so they put their work in one of those file-sharing sites. We had to work with the public cloud company to get that data back.”
Dent is not alone in being concerned about employees using commercial software as a service without approval from the central IT organization. CIOs have dealt with rogue hardware and software deployments for years. But lately, the term “shadow IT” has grown to include the unsanctioned use of public cloud infrastructure for collaboration or file sharing.
“Shadow IT is not something we would encourage because you are wasting resources or causing your organization to have redundant support agreements,” said Carmen Sandu, managing deputy CIO in the Department of Innovation and Technology for the city of Chicago. “Obviously anytime you have duplicative resources and functionality, that is not a good thing.”
Another concern is leakage of sensitive data. Dent notes that the End User License Agreements or Terms and Conditions that most free cloud vendors offer are not something an employee can legally agree to on behalf of the county. Most employees don’t realize that if they click yes to those, they are essentially personally accepting the risk if there ever were an incident, he said. “These ‘free’ services all come with an ‘indemnification clause’ that absolves the vendor of any responsibility if a compromise or loss of data were to occur,” he said. “Some even state that you agree to file any legal action only in the state or country their corporate offices are located.”
The truth is that most IT organizations still don’t have a good handle on how many instances of shadow IT they are dealing with. In a recent survey sponsored by the nonprofit Cloud Security Alliance, 72 percent of respondents admitted that they did not know the number of shadow IT apps within their organization, but certainly wanted to.
“We found it is a real struggle to be aware of all the cloud services being consumed by organizations,” said Jim Reavis, CEO of the Cloud Security Alliance. “In our survey, only 28 percent of organizations really understood the scope of shadow IT in their organizations, and when they measure it, it is often a factor of five to 10 times more cloud usage than they expected.”
“Any organization that tells you they don’t have shadow IT is either misguided or not really serious about securing their environment,” Dent said. “I know that we do everything in our power to stop it, but with the Internet of Things, it almost becomes impossible. As a security and IT organization, we go to extreme lengths to ensure we have monitoring tools and capabilities.”
Fairfax County is implementing data loss prevention (DLP), so anything that goes out through its Internet connection will be scanned based on policies set in the DLP tool. The county also has just rolled out a solution that will allow employees who must share data with other local jurisdictions or businesses to do so in a securely stored file that the county controls access to.
When Panama City, Fla., started using Google Apps for Government several years ago, IT Manager Richard Ferrick turned to a product called CloudLock to gain visibility into what users were doing in the cloud.
“As an IT organization, we needed to see which employees were sharing files and whom they were sharing with,” he said. “If you are supporting something like this and you can’t see into it, it is a crazy move.”
Panama City has 600 Google Apps users. With CloudLock, Ferrick gets a report every morning showing which types of files are being shared and with whom. “I pay attention if it is human resources or law enforcement,” he said, adding that he wants to make sure no Social Security numbers end up in the public cloud. “We have been pretty lucky so far. Nothing has come back to bite us.”
Panama City also uses a service called Websense for content filtering on an enterprise scale. Ferrick noticed employees were using Dropbox frequently and decided to block it. “Simply from a security standpoint, we don’t know what they are doing there or why they are doing it,” he said. “They already have a file-sharing tool at their disposal so we chose not to authorize use of Dropbox.”
But not every IT executive sees blocking public cloud services as the best approach. “We have heard of agencies using network monitoring tools to see who is using services such as Dropbox and limiting or disallowing them,” said Steve Nichols, chief technology officer for the Georgia Technology Authority (GTA). “We do not do that today. Spending the money and effort on technology solutions probably makes people feel good, like they are fighting the fight of the just, but it may not be the most effective way to reduce their risk.”
Philosophically it is a little difficult to try to lock all the windows and doors, he added. “If you have an employee responsible for a $10 million budget, do you want to start zapping them anytime you see a nine-digit number in their email? That is one way to roll,” he said. “We would rather emphasize education and awareness, and provide alternatives. If they are getting value from Dropbox consumer grade, let’s stand up Microsoft Business Class OneDrive and use that instead.”
In fact, Nichols and Tom Fruman, director of GTA’s Enterprise Governance and Planning Division, have taken an approach to shadow IT they call “Catch and Release.”
"We don’t want to be the agency that just says no to everything,” Nichols explained. “That’s just inviting people to ignore us and go around us, and they have legitimate reasons to use these cloud services. Honestly, our time is better spent on the subset of systems that really are critical to the state and that have high-impact data. What Catch and Release means to us is, we’re not going to say no. We just want to know about it. When someone asks us how many systems we have in the cloud, we will know the answer.”
GTA’s policies align with the federal government’s FISMA (Federal Information Security Management Act) controls. Instead of asking Georgia’s agencies what their regulatory requirements are, GTA asks them to determine if the use case is low-, moderate- or high-impact. “We have said if you are going to go to the cloud and it is a FISMA low-impact system from a confidentiality, integrity and vulnerability point of view,” Nichols said, “you can go directly to the cloud and just give us a heads-up on where the data is.”
In fact, the Catch and Release model feeds into what some IT leaders refer to as “shallow IT.” The term “shallow IT” may be a more sophisticated version of the term “pace layering” coined by Gartner, Nichols said. The idea is that you’ve got core systems that are stable and more closely governed, with clearly defined change management processes. But something that is new and not critical yet, you can have a much looser set of processes, using agile methodology, DevOps and consumer-grade IT. With those you do not have as many checks and balances. So GTA is moving some IT projects from shadow to shallow. “We have started down a path called tiering, dividing up projects into three tiers, with large complex systems at the top and smaller, noncritical projects at the bottom,” Fruman said.
“They don’t need the same number of processes. With some, you just say go forth, good luck, and do the best you can.”
Chicago’s Sandu says the shallow IT concept is fairly new. Her definition of the term involves enabling the business or department outside the central technology group to experiment and test technology and see how it can be of value in areas that might not initially have been thought of. For example, Chicago opened the application programming interfaces to its 311 system to enable the building of mobile apps and Web apps on top of the core technology. “There have been cases where functions developed outside the central IT department have been folded back in because they have brought added value,” she said.
To Sandu, shallow IT also means bringing new technology to groups that wouldn’t necessarily have envisioned utilizing it and allowing them to test it out to see if there is some applicability for them. “That is more common in the academic world. When I worked at the University of Chicago, we found that the most innovative and creative approaches were when people from different areas of study and IT people built a project together because they could think outside the box and see applicability for things outside the norm.”
Shadow IT is a big part of an organization’s digital persona, and getting a better picture of it helps executives understand how IT is really used, said Cloud Security Alliance’s Reavis. Cloud discovery tools offer a more nuanced way to move people to the best cloud services or securing the services they have.
“The purpose is not to block, which is unfortunately what some people take out of the research we do, but it is actually to guide organizations toward the better options within any category of cloud, because there are some that are more secure than others,” he said. Or it may involve just turning on the right features and functionality in the cloud services that have been selected, because there are some default settings that don’t encrypt properly or set up proper access control permissions.”
Cullen recommends taking a portfolio approach, and not just detailing which services you will allow. “It has to be laying out what situations you allow people greater latitude and ï¬exibility, because there’s less risk to the organization,” he said. “You do that so that you can make a reasonable case for compliance. You tell people you recognize they have legitimate business reasons for wanting to go outside. You are simply telling them what the gradations of risk are.”
“You want to allow shallow IT, but not shadow IT,” Cullen added. How do you do that? You have to establish zones. A zone could be some function people want to do, or some common need, or a core capability of the agency. And for each zone, describe the rules of the road based on the risk level. For those deemed least risky, you can use shallow IT — a cloud-based service that is free and consumer-oriented. IT could allow employees to contract on their own for a service as long it meets specific criteria, and IT also could work with employees to evaluate it.
“If you want to get people to move away from shadow IT to shallow IT, then you have to make clear your intentions in advance and what your rules are,” Cullen said. “Develop a framework that signals your intent and tailor it to your own organization.”