Thought Leadership

Shining a light into Shadow IT

The story of Corporate IT unsurprisingly mirrors the introduction of innovative and disruptive technologies. The IT department emerged in a twenty-year period between the widespread adoption of the mainframe computer in the 1960s, which changed the way organizations managed business information, and the explosion of PCs that automated office tasks in the 1980s. And then came the network. Suddenly, Corporate IT influenced every corner of the enterprise and, with the World Wide Web, very quickly had a global reach – controlling the selection, management and security of powerful enterprise systems working firmly behind a defined perimeter.

But adapting to and managing these developments pales in comparison to the tsunami of change washing over today’s IT departments. The adoption of smart devices through policies such as Bring Your Own Device (BYOD), the use of social media, the demand for big data analytics and a seemingly insatiable appetite for low-cost, easy-to-access software-as-a-service (SaaS) and cloud applications have unleashed profound changes that far exceed the impact of these individual elements.

By 2018, 59% of total cloud workloads will be software-as-a-service (SaaS), up from 41% in 2013.¹

The security implications of self-sufficiency

Powerful and easy-to-acquire tools and technologies – from Dropbox™² for quickly sharing a file with a colleague or partner, to Amazon Web Services™³ for spinning up development environments fast – have ushered in an era of business self-sufficiency. Tech-savvy users now increasingly purchase, control and provision their own services and solutions. And this shift is gathering pace, with industry analyst Gartner predicting that in less than three years, 35% of expenditure on IT will happen outside of the Corporate IT budget, rising to 90% by 2020.⁴ This shift to the widespread use of applications that are not sanctioned or managed by IT is called Shadow IT.

Today’s workforce likes open ways of working. But while employees may believe tech self-reliance enables them to do their jobs with better results, they are not security or compliance specialists. Thinking about how the applications they use, what they post on social media, or the websites they access fit within an enterprise security architecture is not even on the agenda. And if every employee, from HR to marketing, starts working independently to store and share data, the growth of Shadow IT will create a security and risk time bomb.

Even in this new age of heightened awareness of risk at board level, IT is still seen in most organizations as responsible for the technology estate, including the elements it doesn’t even know about. The reality is that if there is a security breach or compliance fine, IT leaders will face hard questions, no matter what the source of the failure. For those organizations working hard to improve security maturity by increasing their predictive capabilities and applying best-practice controls, Shadow IT is a dark cloud of audit and control risk under data protection legislation such as the Data Protection Act in the UK, HIPAA and GLBA in the US, or the EU Data Protection Directive and its local implementations. So what can IT teams do to uncover, assess and secure Shadow IT? In this paper, we examine some of the drivers for this phenomenon and share how we are working with organizations to take back control of risk and compliance, without impairing enterprise entrepreneurial spirit.

50% of IT managers admit that half of their budget is wasted on managing Shadow IT.⁵

Becoming a business partner for continuous innovation

So why is IT faced with this tide of unapproved applications? Two words – speed and resources. For many organizations, it is a question of pace. Our reliance on enterprise technology has stretched IT resources to a point where demand for new digital opportunities outstrips IT’s capacity to support continuous innovation. Business managers and users don’t want to wait in a traditional development line – not when they can research and acquire relatively cheap, off-the-shelf solutions that will give them 80%+ of what they want, without a capex investment. In some cases, users go ahead and secure a free trial account with their business credit card. Focusing on the value of first-mover advantage or the immediate benefits of collaboration with other partners and stakeholders across the extended enterprise, business users pick up whatever tools make most sense – including social media. The irony is that by attempting to make it easy to do business with one partner, they could impact standards such as PCI and COBIT that may be required by others.

40% of shadow cloud deployments resulted in the exposure of confidential data.⁷

There are industry voices that continue to encourage IT to re-establish a vicelike grip over technology decisions and procurement, but for most organizations this is unrealistic. IT will never have sufficient resources to facilitate all elements of every business initiative. Even trying a dictatorial blocking approach, which some software tools promise, risks undermining business efficiency rather than offering valuable insight based on domain experience. Instead of panicking about losing control, IT departments can choose to take the role of business partners in the quest for continuous innovation. By developing a deeper understanding of business objectives and priorities, IT can build a framework that clearly outlines whether or not it is appropriate for a business unit to go it alone. In this way, IT can focus on managing risk and compliance in line with its strategic security architecture – rather than on administering every application and tool business users want to try.

By 2017, 35% of new applications will use cloud-enabled, continuous delivery, enabled by faster DevOps life cycles, to streamline the rollout of new features and business innovation.⁸

Evaluating the risks of Shadow IT

Aspiring to a role as business partner may be all well and good, but it does not give IT immediate visibility of the scope of the very real yet unknown and unmanaged risks Shadow IT creates. As the guardians of enterprise security strategy and compliance programs, information security professionals are under pressure to discover the extent of the Shadow IT landscape. This means examining its digital footprint across social media, web, mobile and cloud applications; evaluating its potential impact in terms of risk; and building governance frameworks to include these previously unidentified elements of enterprise technology. This intelligence is then used to put risk in context and focus resources.

The time to act is now. Industry analysts predict that by 2020 there will be 32 billion connected devices on the planet.⁹ The potential of the Internet of Things to accelerate continuous innovation will make the task of managing Shadow IT even tougher. A business focused on the value of IoT for customer service, operational efficiency or revenue potential will not consider the impact of a breach – which according to NTT Security research now costs an average of $907,053.¹⁰

Shine a light into Shadow IT

Managing Shadow IT will require organizations to:
• Invest in their predictive capabilities – putting intelligence in context by discovering the extent of the digital footprint and the cloud services in use. Who is using them? Why are they being used? What data is being shared? This information can then be used to assess the risks each service, application or website poses in the context of the organization’s data protection and compliance frameworks
• Understand the cloud services that the business uses and segment them into those that are authorized by IT and those that are not
• Review access to both sanctioned and unsanctioned applications – many organizations use single sign-on (SSO)
• Begin to evaluate and select cloud services in terms of their ability to meet security and compliance requirements, using an industry registry of cloud services and their specific security controls
• Ensure that all enterprise data is always protected as per your defined policies – this may require you to classify data both residing in, or travelling to and from, cloud applications. This may mean preventing certain types of sensitive data from being shared. Information security professionals can add value here by advising users of different ways to operate securely – perhaps reviewing how the business encrypts and tokenizes data
• Apply granular security policies that enforce appropriate levels of data access and cloud service functionality according to variables such as a user’s device, location and operating system
• Detect anomalies that could signal compromised credentials, noncompliant behavior, malware, or data theft or exposure
• Create an education program that communicates policies and criteria for selecting new mobile, web, digital and cloud services. Ensure that you inform users in real time when they have acted in a way that is not compliant
• Maintain compliance with continuous monitoring and reporting of cloud audit trails and remediation
• Select, implement and operate security controls in an integrated manner with the appropriate priorities

There is an emerging set of solutions that can help information security teams with these tasks. Some of these tools focus on discovering an organization’s digital footprint and assets outside of the perimeter – helping evaluate the risks to web, mobile and social properties. These predictive capabilities speed up, and ultimately automate, incident response and remediation. Others offer a way to establish a clear picture of unsanctioned cloud services using log data from firewalls and web proxies, giving security teams a way to apply consistent, granular security controls across all cloud applications. These solutions are called Cloud Access Security Brokers (CASBs). We view CASB as an interesting but as yet immature market. Organizations need to review the options carefully to find the best match for their business, architecture, and security policy and compliance requirements across all cloud access scenarios.

Notes
1. Cisco Global Cloud Index: 2014–2019 White Paper
2. Dropbox™ – the file sharing and hosting service by Dropbox Inc.
3. Amazon Web Services™ (AWS) – Amazon’s on-demand computing platform
4. Gartner Reveals Top Predictions for IT Organizations and Users for 2012 and Beyond
5. PwC Digital IQ Survey
7. Symantec Internet Security Threat Report 2013
8. IDC: 2015–2017 Forecast: Cloud Computing to Skyrocket, Rule IT Delivery
9. IDC/EMC – The Digital Universe
10. NTT Security Risk:Value Report 2016

www.nttsecurity.com Copyright © NTT Security 2016

Our Risk Insight service gives you a complete overview of your information security risks.
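As an added illustration of the discovery and segmentation steps listed above (the "predictive capabilities" and "understand the cloud services" bullets, together with the proxy-log approach the CASB paragraph mentions), the Python below is example code and not NTT Security's or any CASB product's. It parses a constructed proxy log in an assumed field order, records per service who uses it and how much data is sent to it, and lists the services absent from an assumed sanctioned list, flagging those receiving large uploads for data classification review.

```python
"""Discover which cloud services are in use from web-proxy logs and segment
them into IT-sanctioned and unsanctioned (constructed example, not NTT code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log. Assumed field order:
# date time user method url bytes_sent bytes_received
SAMPLE_LOG = """\
2016-03-01 09:02:11 alice POST https://www.dropbox.com/upload 5242880 512
2016-03-01 09:05:43 bob GET https://outlook.office365.com/mail 300 40960
2016-03-01 09:07:02 alice POST https://api.dropbox.com/2/files/upload 10485760 800
2016-03-01 09:10:19 carol PUT https://files.example-share.net/doc 2097152 300
2016-03-01 09:11:00 dave GET https://example.salesforce.com/home 200 20480
2016-03-01 09:15:27 bob POST https://www.dropbox.com/upload 1048576 400
"""
# Services IT has approved (assumed list; the real one comes from the SSO/IT inventory).
SANCTIONED = {"office365.com", "salesforce.com"}

def registrable(host: str) -> str:
    """Collapse sub-domains so www.dropbox.com and api.dropbox.com count as one service."""
    return ".".join(host.lower().split(".")[-2:])

def parse_log(text: str) -> list[dict]:
    records = []
    for line in text.strip().splitlines():
        _date, _time, user, _method, url, sent, _recv = line.split()
        records.append({"user": user, "service": registrable(urlsplit(url).hostname),
                        "bytes_sent": int(sent)})
    return records

def build_inventory(records: list[dict]) -> dict[str, dict]:
    """Per service: who uses it, how often, and how much data flows out to it."""
    inv = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_sent": 0})
    for r in records:
        s = inv[r["service"]]
        s["users"].add(r["user"])
        s["requests"] += 1
        s["bytes_sent"] += r["bytes_sent"]
    return dict(inv)

def unsanctioned_report(inv: dict[str, dict], upload_threshold: int = 1 << 20) -> list[str]:
    """Unsanctioned services, largest outbound volume first; flag uploads over the threshold."""
    rows = []
    for name, s in sorted(inv.items(), key=lambda kv: -kv[1]["bytes_sent"]):
        if name in SANCTIONED:
            continue
        flag = " REVIEW-UPLOADS" if s["bytes_sent"] >= upload_threshold else ""
        rows.append(f"{name}: users={len(s['users'])} requests={s['requests']} "
                    f"bytes_sent={s['bytes_sent']}{flag}")
    return rows
```

Running `unsanctioned_report(build_inventory(parse_log(SAMPLE_LOG)))` on the constructed log lists dropbox.com and example-share.net as unsanctioned, both flagged for upload review; feeding real proxy exports in requires only adjusting the field order in `parse_log`.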
Aligned to our Global Enterprise Methodology, our consultants will deliver tangible and relevant value using the following approach:

[Figure: Global Enterprise Methodology – Discovery, Evaluation, Planning, Prioritization, Implementation, Security Operations; outcomes: Visibility, Focus, Confidence, Results]

The NTT Security point of view – turning Shadow IT into Social IT

With estimates calculating that there is up to $1.3 trillion in untapped value from social technologies which could be exploited through improved communications and collaboration within and across businesses,¹¹ there is no doubt that users will continue to seek out tools that help them work together more effectively. And by 2019, the SaaS model will account for $1 of every $4.59 spent on software.¹² Much of this money will be spent by departments outside IT.

The risks of Shadow IT will not decrease without intervention. This does not automatically mean introducing conflict with the continuous innovation goals of the business. The risk must be managed, but without reaching an impasse with users over who controls what. Detection of all the unsanctioned applications and data exchange is only the first step towards managing Shadow IT. As with every new technology innovation, controls introduced to tackle this issue must integrate with enterprise security policies and compliance frameworks, be regularly reviewed in a business context and be monitored in terms of effectiveness against the wider security program. There is technology that can help to detect, assess, monitor and control the use of Shadow IT. This will solve the problem without negatively impacting flexibility and innovation, but it must be carefully selected to give the right functionality and scale. Organizations must also ensure that the intelligence is aggregated in the right way to increase predictive capability rather than hinder it. But at the heart of Shadow IT is a resourcing issue. Where IT resources are stretched too thinly and users have taken things into their own hands, organizations may also need to look beyond technology and find opportunities to strategically out-task elements of day-to-day security monitoring and alerting, giving back time to build deeper relationships with, and add value for, their business users.

Example case study: secure critical data with insight into cloud applications

Challenge: A large global retailer needed to understand exactly what applications – sanctioned and unsanctioned – were being used across the business, and the security implications of this.

Solution:
Stage 1 – Identify the extent of the problem
• Audit POC – unsanctioned SaaS usage was 10x the expected level (over 2,000 apps)
• Live audit to cover multi-100,000 IT users – real-time SaaS app usage, business readiness rating, block unsanctioned apps quickly
Stage 2 – Secure the critical SaaS infrastructure
• Office 365™,¹³ ServiceNow,¹⁴ Salesforce.com¹⁵
• Classify content by risk type
• Secure critical content – prevent risky exposure
• User behavior – identify broken processes and poor user behavior, introduce threat detection

Business value of the solution: The global retailer was able to secure its critical content – applications and information – tightening permissions and reducing the exposure of that data. They also got greater insight into poor user behavior and identified broken business processes. This helped them understand how these applications were potentially being abused by employees – insight which allowed the organization to improve policies and communication across the business.

About NTT Security

To learn more about NTT Security and our unique services for information security and risk management, please speak to your account representative or visit www.nttsecurity.com for regional contact information.

NTT Security seamlessly delivers cyber resilience by enabling organizations to build high-performing and effective security and risk management programs, with controls that enable the increasingly connected world and digital economy to overcome constantly changing security challenges. Through the Full Security Life Cycle, we ensure that scarce resources are used effectively by providing the right mix of integrated consulting, managed, cloud and hybrid services – delivered by local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest information and communications technology (ICT) companies in the world. For more information, visit www.nttsecurity.com

Notes
11. McKinsey – Capturing business value with social technologies
12. IDC Worldwide SaaS and Cloud Software 2015–2019 Forecast and 2014 Vendor Shares
13. Microsoft® Office 365™ – software plus services subscriptions
14. ServiceNow Inc. – ITSM and cloud computing provider
15. Salesforce.com Inc. – CRM cloud computing product