As CIOs Grapple with Shadow IT, a New Attitude Emerges

Officials move past traditional "kill it with fire" approaches and focus on the unmet business needs that are breeding shadow IT.

By Eyragon Eidam / July/August 2017

In recent years, especially as cloud has blossomed up over the tech landscape, IT professionals have started to talk realistically about the threat that is shadow IT. The name alone conjures images of clandestine activity in the dark recesses of otherwise secure networks. Scary name aside, unsanctioned applications and tech are widespread in government, threatening even the most security-conscious organizations.

And while some employees may be willfully trying to outmaneuver their agency’s policies, many more are probably unaware that by signing up for a seemingly harmless Web-based application, they are inadvertently opening the door to any number of nightmare scenarios — the type CIOs and chief information security officers (CISOs) lose sleep over.

A storage solution based out of an unfriendly country, the loss of intellectual property rights in a sketchy set of terms and conditions, or just generally weak application security are enough to give anyone pause. But what is to be done? Past locking down networks and outlining hard-and-fast policies that carry cruel repercussions, is there really anything you can do besides pray that your employees steer clear of the risks? The short answer is: Yes.

Information and Education on the Front Lines

In the nation’s capital, Chief Technology Officer (CTO) Archana Vemulapalli takes a realistic and measured approach to dealing with the complicated issue of shadow IT. She isn’t eager to punish violators or point fingers at offending departments because, as she sees it, much of the unsanctioned tech within her jurisdiction arises not out of ignorance or spite for the foundational IT rules, but rather as the result of unmet business needs.

“The way I look at it is, I don’t assume that anybody that has enrolled in any potential what you would call ‘shadow IT project’ has done it because they just want to be defiant or they want to go do something on their own. I think there is a true business need.”


Archana Vemulapalli, CTO, Washington, D.C. Photo by David Kidd

She will openly admit that government moves slowly in some cases, but explains that it isn’t out of sloth. It’s due to the fact that new technologies need to be vetted before being plugged into the greater network. And the situation is further complicated by the diverse needs of government.

“Most companies have one business goal. The city has a dozen-plus business goals,” said Vemulapalli. “When you are that complex, there are a lot of moving parts. Some of this happens naturally as part of these moving parts.”

There is a certain measure of understanding required when looking at this issue, she added. What might not line up with policy could serve a very real business need that is not being met by the technologies at hand.

To fill in communications gaps and stay on top of pressing issues, the CTO and her technology counterparts meet monthly to outline new policies, departmental needs and the next steps in Washington, D.C.’s organizational evolution. She refers to the group as the jurisdiction’s “collective brain trust.”

“Anytime there is a policy change, we discuss the policy with everybody present so that they understand the impact to their business,” Vemulapalli said. “The technical people get it, but you want to make sure the business people understand the potential risks they are running with. Sometimes they are OK with that.”

To help measure and monitor the overall environment, agency officials are working to create an IT dashboard — a reference point for the technology shops to work from, but also a way to standardize the information they need to be effective. “The way you handle this beast called shadow IT, and IT in general, is you come up with tools that help you in the standardization of information,” she said.

Despite her acknowledgment that government is often slower to respond to business needs than its private industry counterparts, the CTO said technologists in the public sector need to work to meet the needs of their organizations on their timetable.

The prevalence of cloud solutions across the public and private sectors has given rise to a vendor category called cloud access security brokers, or CASBs. Search online for any of these companies and the first thing you are likely to notice is buy-ups by much larger tech companies. Here are some of the other players permeating the government market.

Blue Coat: CASB Blue Coat Systems Inc., based out of Sunnyvale, Calif., was acquired by cybersecurity company Symantec in June 2016 as part of a $4.65 billion push into cloud security solutions. Blue Coat, formerly CacheFlow, was founded in 1996.

CloudLock: In August 2016, IT and networking giant Cisco acquired CloudLock to expand the company’s cybersecurity offerings. The San Jose, Calif.-based company was founded in 2011 and currently supports a number of major companies, including Salesforce, Dropbox, Box and Microsoft Office 365.

Cloud Security Enforcer: Though not a standalone company per se, Cloud Security Enforcer is IBM’s dashboard-driven CASB solution. The software as a service was initially launched in late 2015.

Palerra: In keeping with the trend of acquisitions, international IT titan Oracle signed an agreement to envelope Palerra in late 2016. Under the terms of the agreement, Palerra became Oracle CASB Cloud Service. Santa Clara, Calif.-based Palerra was founded in 2013.

Skyfence: Prior to being acquired by Forcepoint in February 2017, Skyfence had established a name for itself as one of the leading cloud security companies. Founded in 2012 in Palo Alto, Calif., the company provides controls for applications like Microsoft Office 365, Salesforce, Workday and Dropbox.

Skyhigh Networks: Since coming to the marketplace five years ago, Skyhigh has worked with the likes of Maricopa County, Ariz., and the state of Missouri to secure cloud assets. In May, the company announced it had achieved Federal Risk and Authorization Management Program certification.

“If the business need is for a service and I am two years in and not delivering the service, then there is something we are not setting up right,” Vemulapalli contended. “You want to make sure you are meeting people’s requirements in a timely manner. You can be slow, but not slow to the point where you are crawling to get people the service that they want.”

To Innovate or Not to Innovate

Oregon is also grappling with how various unknown technologies affect the larger patchwork of the state’s system. CIO Alex Pettit has no illusions about the fact that state agencies are dealing with the same challenges as other state and local governments, but the Oregon case is complicated by its federated governance model, he said.

In 2016, Executive Order 16-13 gave the CISO authority over all things touching the state’s digital perimeter, allowing officials more insight into agency traffic. “Prior to that point, there simply was no way for us to have either a control or even knowledge of the ability to identify or discern what things were going through the firewalls, what services were being subscribed to and what have you,” said Pettit.

Since November, more attention has been turned to what kind of exposure each agency is bringing to the network. One area Pettit sees immediate need for review is around the use of third-party storage and file-sharing solutions.

“Our biggest concern is the storage being used right now,” he said. “We haven’t as much visibility on what is being taken up there and being taken down.” Pettit’s fear, shared by so many of his peers, is that a breach brought about by an unsanctioned tool could degrade constituent trust.

While Pettit understands the need to work efficiently in government, he agreed with Vemulapalli’s assessment that speed must be balanced against security considerations and the safety of the data citizens entrust the state with.

He contends that more important than having a government that innovates is people feeling comfortable knowing their data is well cared for.

“People want a lot from their government, but generally speaking, they don’t want innovation. They look to the government to be secure, they look to government to be efficient, they look to government to be reliable and all-inclusive … but by and large, you don’t associate government with being innovative or risk-taking,” he said. “The desire for most people is they want convenience and they want it to be efficient.”

Rather than standing between state employees and the use of more productive tools, Pettit said the burden of meeting their needs falls back to the technologists to figure out better ways to vet and supply the applications and services.

“You’re not going to prevent people, and you don’t want to prevent people, from doing the things that make them more efficient. We don’t want to inhibit efficiency, but at the same time, that puts the burden upon us as the technologists to articulate solutions that do that.”

In Oregon, this articulation comes in the form of Basecamp, an IT services catalog for agencies to draw from. Agencies are able to locate services that meet their business need from approved vendors that meet the state’s data management criteria, as opposed to pulling randomly from the marketplace.

Hunting in the Shadows

Not surprisingly, the need to identify shadow IT where it lives has created business opportunities for companies like Skyhigh Networks, a third-party cloud access security broker.

As the minds that spend their time shining light into the shadowy realm see it, one of the most serious issues is the fact that IT shops know these third-party add-ons exist within their cyberjurisdictions — they just can’t see them, Skyhigh’s Jon Fyffe explained. “It’s really an eye-opener when governments go from knowing they have a problem to being dark to really discovering, ‘Oh, now I see how many are being used.’”

According to the company’s figures, the average government organization carries 5 to 8 percent exposure across its enterprise. These vulnerabilities potentially open organizations up to threats ranging from foreign exposure to the loss of intellectual property.

Fyffe ties the prevalence of unsanctioned applications and services back to the ever-increasing expectation of immediacy created by the Internet and industry.

“Cloud and the Internet made the ability for everyone to become their own IT department, not waiting for IT and their corporate provisioning,” he said. “So, it’s like, ‘Oh, we want to share files, we want to store information, we want to collaborate, there’s an app.’”

But government faces unique constraints in how it operates. Where some have made the argument that a foreboding central IT authority creates a breeding ground for off-the-books solutions to take root, Fyffe again points to the modern online consumer mentality and the changing technology dynamic as the primary causes.

It’s easy to see how these expectations might extrapolate into issues for slower-moving government agencies and frustrations for their employees, but meeting the speed of industry isn’t so much the charge of government.

“I don’t think it’s irresponsibility- or authority-driven, it’s just that bureaucratic structures of government that were designed to be fair and equal and not promote bias are not as agile as some of the organizational structures that are not constrained by public policy,” Fyffe said.

Eyragon Eidam, Web Editor

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at eeidam@erepublic.com.