For those old enough to remember, the controversy surrounding shadow IT in the cloud computing world recalls a time when personal computers and spreadsheets first threatened the IT mini and mainframe priesthood. The motivations seem very much the same: business users want solutions quickly, and want to try different tools and methods now instead of going through the red tape of writing IT proposals and business cases, getting money for budgets, etc.
The motivations may be similar, but the threat and regulatory landscape is very different than it was thirty years ago. In particular, if your business handles credit card or medical information, the audit and oversight requirements from both industry groups and government regulations can be formidable.
Developing an adversarial relationship does neither side any good. If IT blocks Dropbox, creative users will find a more obscure (and likely less secure) alternative. Whitelisting at the perimeter is the ultimate means of control, but no list can anticipate all users’ needs, and any such list will certainly annoy the user base to no end.
The best solution is for in-house IT to “embrace the shadow” as much as possible. Require vetting of cloud solutions, but make the vetting as easy and painless as possible. “Painless” includes quick turnaround – part of the current problem is users’ impatience with what seems to them glacially slow responses to requests. Depending on the size of the company, this may mean personnel dedicated to this function, or at minimum an allocated block of someone’s time. If a requested tool is inappropriate, have a reasonable explanation to present to the requestor, and have a similar alternative suggestion if possible.
The vast expanse of possibility that is the growing world of cloud computing brings new challenges to IT support, and IT must rise to the challenge and adapt to the new reality.
Keith Salustro, based near Boston, MA, has been working in Information Security since 1997, when he began integrating firewall solutions. Today Keith provides IT security support, implements the latest defenses including firewalls and Intrusion Protection solutions, and conducts network assessments and penetration testing.