An Examination of Shadow IT

What's Shadow IT? Hint: It's not IT in the shadows

Note: This was a paper I wrote last month for a computer information systems class in my MBA program, so it will be a tad executive leaning. Now that I’m finished with my coursework, I’ll have more time to write after some R&R. Enjoy!

An Examination of Shadow IT

Abstract

In its early years, Shadow IT was thought of as a budgetary concern for organizations. As its use grew to encompass network-facing applications and hardware with unclear ownership, so too did its accompanying threats to firms’ computer and network security. Today’s Shadow IT has expanded further to include the use of cloud-based solutions and the data-based threats of Shadow Data. Risks associated with modern Shadow IT have also expanded, and now include much greater levels of risk to the confidentiality, integrity, and availability of data that has been made globally accessible. Shadow IT’s existence can be attributed to misalignments between IT and business units, and individuals’ use can be explained by several rationalization techniques. Organizations can work to mitigate the threat presented by Shadow IT and Shadow Data through the use of policy, technical controls, awareness training, and effective identity management.

Introduction and Limitations

Broadly speaking, Shadow IT and terms such as rogue systems encompass any hardware, software, or solution used by a firm’s employees that is neither formally approved by the IT department nor prescribed by any policies (M. Silic, A. Back, as cited in Silic, Barlow, & Back, 2017). While enterprise attention given to Shadow IT began with concerns about increasing capital expenditures (Pisello, 2004), today’s Shadow IT presents a widespread threat to organizations and businesses of any size. This paper intends to explore the historical and current trends and risks of Shadow IT and the rise of Shadow Data and its associated risks, examine some of the potential drivers behind the prevalence of Shadow IT, and propose some risk mitigation strategies relevant to Shadow IT.

As stated, today’s Shadow IT is a very broad term. Discussing this topic will encroach on some other information security topics, including the rise of the bring-your-own-device (BYOD) trend, enterprise-level technical controls, data governance, the implications of Shadow Data, and network and systems architecture. In the interest of relative brevity and to keep this paper within appropriate scope, these topics will not be explored in great depth. Additionally, risks associated with Shadow IT and potential mitigation strategies are predominantly tailored to organizations within the United States; laws, regulations, and general workplace culture will likely vary in other regions.

History of Shadow IT and Conventional Shadow IT Trends

While “Shadow IT” has been a term in use since the late 1990s and early 2000s, the context surrounding its use has changed since early references. In sectors that change as rapidly as information technology and information security, years-old (if not decades-old) facts and findings may at first appear to not provide much value. However, it is critical for practitioners and decision makers, especially those new to the field, to understand this historical context as it is a driver behind current trends, and may still be in practice today.

In the midst of then-record IT-related capital expenditures, Shadow IT in the late 1990s and early 2000s was generally looked at through the lens of “rogue” spending on systems to circumvent backlogged IT projects and other obstacles (Pisello, 2004). Non-IT functional areas in corporations sought to overcome short-term delays by acquiring software and training. Pisello (2004) reported that in the late 1990s, Shadow IT spending was estimated to be 10% of a typical firm’s formal IT budget, and from 2000 to 2003, Shadow IT spending grew to an estimated 20% of total IT spending in average organizations. Even early in the term’s history, the use of Shadow IT extended beyond businesses. According to a 2007 Government Executive article, government workers used Shadow IT applications “to be more productive or, at times, to be entertained” (Noyes, 2007).

A review of available literature and resources suggests that there are few – if any – practitioner surveys regarding Shadow IT usage from the early years of the term’s use. Still, industry analysts and some organizations’ leaders showed concerns in the early to mid 2000s about the data management risks presented by uncontrolled storage media and network vulnerabilities created from unapproved software. As early as 2004, analysts from industry consulting firm Gartner raised concerns about data leakage and malware infections from iPods and other removable media (Contu, 2004 and Leyden, 2004, as cited in Walters, 2013). In 2007, in line with these concerns, the CIO of The Salvation Army took steps to reduce the use of personal hardware for work and work hardware for personal use by branding firm-issued USB drives with the charity’s logo and using endpoint controls to block unauthorized devices (Lacey, 2007, as cited in Walters, 2013).

Despite analysts’ concerns and organizational policies about the use of personal storage media in the workplace, individuals continued to use personal hardware. For example, some firms’ employees went as far as buying ties with special-purpose iPod pockets to circumvent workplace bans on MP3 players (Aughton, 2006, as cited in Walters, 2013). While data are not available on employees’ actual behavior at the time, it stands to reason that the use of unauthorized storage media and other devices was prevalent in the early and mid 2000s.

In addition to storage media and other hardware, rogue software was a Shadow IT concern during this time. In a 2007 Government Executive article, potential network- and host-based vulnerabilities caused by Shadow IT applications were cited as the main concerns of its use (Noyes, 2007). Five years later, a private sector security analyst warned “BYOS (Bring Your Own Software) tools cannot be accessible to groups that handle information protected by regulations, and such groups need to be educated that use of such tools is unacceptable” (Roy, 2012, as cited in Walters, 2013).

A 2014 study examining software installed on all computers at one Fortune 500 company provided insight into how prevalent shadow software use was, as well as the types of software used (Silic and Back, 2014). The researchers analyzed an endpoint scan of over 10,000 user computers and found 19,633 different versions of software that comprised 527,403 software installations (Silic et al., 2014). After removing entries for software that had been approved by the company’s IT department, the researchers discovered 2,965 unique versions of unapproved software, meaning 15% of all software installed on the company’s endpoints was “illegal” (Silic, et al., 2014).

The same 2014 study grouped the “illegal” software used by employees into several categories (Silic, et al., 2014). The researchers found that “greynet” or “greyware” applications, software used for collaboration or communication, comprised the top category of rogue software and were used by 58.97% of employees. This category of applications, “which use evasive techniques to traverse the network [often using proprietary protocols]”, includes instant messaging, peer-to-peer file sharing, and web conferencing software (Silic, et al., 2014). The next most-used category of rogue software was content applications, which “enable users to publish, edit, modify, and create content” (Silic, et al., 2014). Content apps such as PDF editors were used by 48% of employees (Silic, et al., 2014). The third category identified by the researchers was extranet software, which is “another [type of] content app that allows access to a computer network from the outside in a controlled way” (Silic, et al., 2014). While many of the 268 extranet utilities were “associated with payments, loans/credits, and banks”, their use by more than 11% of employees still presents a risk to the organization (Silic, et al., 2014). Finally, the researchers found that 22.5% of employees used “one or more different utilities grouped into three major categories: 1) PC optimization and cleaning utilities, 2) codecs, and 3) video converters” (Silic, et al., 2014).
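The analysis the study describes (scan every endpoint, strip out everything on the IT department's approved list, then measure what remains as a share of unique versions and as a share of employees per category) is the same reconciliation a defender runs against their own asset inventory. The script below is an added example, not code from the paper or from Silic and Back's study; the inventory records, the approved list, and the category map are all constructed here for illustration, and the `"*"` wildcard convention for "any version approved" is an assumption of this example. It treats an approved product at an unapproved version as unapproved, since patch level is part of the risk, and counts each user once per category regardless of how many unapproved installs they have.

```python
"""Reconcile an endpoint software inventory against an approved-software list.

Added example (not the study's or the paper's code): reproduces the kind of
analysis Silic and Back describe, with constructed data. All records,
categories and the approved list below are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    user: str
    name: str
    version: str


# Constructed approved list. A version of "*" approves every version of the
# product (assumed convention); otherwise the version must match exactly, so an
# outdated build of an approved product is still reported as unapproved.
APPROVED = {
    ("microsoft office", "16.0"),
    ("google chrome", "*"),
    ("7-zip", "19.00"),
}

# Constructed category map for unapproved products, following the paper's
# grouping: greynet, content, extranet, utility. Anything not listed is
# reported as "uncategorized" so it is not silently dropped.
CATEGORIES = {
    "skype": "greynet",
    "utorrent": "greynet",
    "pdf-xchange editor": "content",
    "acmebank connect": "extranet",
    "ccleaner": "utility",
    "k-lite codec pack": "utility",
}


def normalize(name: str) -> str:
    """Collapse case and whitespace so 'Google  Chrome' and 'google chrome' match."""
    return " ".join(name.lower().split())


def is_approved(install: Install, approved=APPROVED) -> bool:
    name = normalize(install.name)
    return (name, "*") in approved or (name, install.version) in approved


def reconcile(inventory, approved=APPROVED, categories=CATEGORIES):
    """Return the headline metrics the study reports, for a scanned inventory.

    unapproved_versions: unique (name, version) pairs not on the approved list
    unapproved_share:    those pairs as a fraction of all unique pairs
    users_by_category:   fraction of distinct users with at least one
                         unapproved install in each category
    """
    all_versions = {(normalize(i.name), i.version) for i in inventory}
    unapproved = {(normalize(i.name), i.version)
                  for i in inventory if not is_approved(i, approved)}
    users = {i.user for i in inventory}
    users_in_cat = defaultdict(set)
    for i in inventory:
        if not is_approved(i, approved):
            cat = categories.get(normalize(i.name), "uncategorized")
            users_in_cat[cat].add(i.user)
    return {
        "installations": len(inventory),
        "unique_versions": len(all_versions),
        "unapproved_versions": len(unapproved),
        "unapproved_share": len(unapproved) / len(all_versions) if all_versions else 0.0,
        "users_by_category": {c: len(u) / len(users) for c, u in sorted(users_in_cat.items())},
        "unapproved_list": sorted(unapproved),
    }


# Constructed sample scan: four users, a mix of approved and unapproved software.
SAMPLE_INVENTORY = [
    Install("ws-01", "alice", "Microsoft Office", "16.0"),
    Install("ws-01", "alice", "Google Chrome", "118.0"),
    Install("ws-01", "alice", "Skype", "8.1"),
    Install("ws-02", "bob", "Microsoft Office", "16.0"),
    Install("ws-02", "bob", "7-Zip", "18.05"),          # approved product, unapproved version
    Install("ws-02", "bob", "PDF-XChange Editor", "9.2"),
    Install("ws-03", "carol", "Google  Chrome", "117.0"),  # extra whitespace, still matches
    Install("ws-03", "carol", "uTorrent", "3.5"),
    Install("ws-03", "carol", "CCleaner", "5.33"),
    Install("ws-04", "dave", "Microsoft Office", "16.0"),
    Install("ws-04", "dave", "AcmeBank Connect", "2.0"),
    Install("ws-04", "dave", "Skype", "8.1"),
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

On the constructed scan, 6 of 9 unique versions are unapproved and greynet software shows up for 3 of 4 users, which mirrors the ordering the study found. The useful design point is that the denominators differ: the "illegal" share is computed over unique versions, while category prevalence is computed over employees, so the two figures are not comparable with each other.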

In addition to increased capital expenditures, conventional Shadow IT expands the overall attack surface of organizations (Pisello, 2004; Noyes, 2007). Shadow software installed on workstations and servers could feature unpatched or undiscovered vulnerabilities that would allow bad actors to infiltrate otherwise secure networks to install malware, exfiltrate data, or take other negative actions against firms (Noyes, 2007). These effects can be seen in a broad survey of IT managers, which revealed that “40% of those questioned admitted that their organizations experienced data integrity issues where data had been compromised, and nearly 25% said that accounts were hacked or misused as a consequence of Shadow IT use” (Symantec, 2013 as cited in Silic et al., 2014).

The use of locally installed software that does not regularly connect to other networks or transfer data for users can present risks to organizations. If users are left to find and install software, they may be susceptible to downloading and installing Trojan software from illegitimate sources (Hausman, Alston, & Chapple, 2005). Trojan software may or may not perform the functions it claims to, but it will install other malware that could give bad actors entry into the host to surveil users or exfiltrate data (Hausman, et al., 2005).

Shadow software obtained from legitimate sources can also be an attack vector. In 2017, thousands of users of CCleaner, a desktop utility for Windows used to remove unwanted files to clear disk space and perform other clean-up tasks, unexpectedly received malware with an update of the popular software (Gallagher, 2017). In this incident, the “update supply chain” for CCleaner was compromised, allowing malware to be distributed with what appeared to be a legitimate signing certificate for about a month (Gallagher, 2017). The malware installed in this attack targeted several high-profile companies, but this attack method could have affected a much larger number of hosts if different malware had been packaged with the software (Gallagher, 2017).

Silic and Back’s 2014 study only examined the use of software installed on endpoint machines, and did not explore the use of browser-based or cloud applications. The use of these services within firms and practitioners’ attitudes towards such services are, unfortunately, not well documented in the available literature. However, by constructing a timeline of the launch of several popular cloud-based platforms, it can be reasoned that Shadow IT from the late 1990s to the mid-to-late 2000s was mostly limited to software installed on endpoints and servers, and the use of unauthorized hardware such as storage media.

In 2005, two then-popular consumer cloud storage platforms, Carbonite and Mozy, began publicly offering their services; in 2006, Amazon first launched its Elastic Cloud 2 (EC2) storage platform and Google made its Docs and Sheets services available; in 2008, Dropbox first began offering its services to the general public; and in 2012, Google launched its Google Drive cloud storage solution (Computer History Museum, n.d.; Hamburger, 2013). These products ushered in the trends seen in today’s Shadow IT.

What I Learned in Boating School is…

Well, it’s been about a year since I first stood up this site, marked unceremoniously by changing out my certs and paying for some more hosting. As the title (and video below) alludes to, sometimes I have some writer’s block when I think about what I want to post here. I’ve also been a little busy.

I’m Back! Well, kinda.

Time makes fools of us all

As summarily stated by Futurama, time makes fools of us all. Shortly after getting my hardware set up last year, I decided to jump head-first into spinning up VMs and making use of my resources. I didn’t document as much as I wanted, and by the time I got things set up, I was hit with some very challenging, time-intensive school work (looking at you, last semester’s database, accounting, and economics classes). Winter break wasn’t much better, with day-job commitments, holiday travel to see friends and family, and some much-needed R&R.

After reviewing this semester’s syllabi, the next few months don’t look much better, either. This semester, in addition to taking organizational behavior & theory, ERP systems, and marketing, I plan on also continuing studying for the CompTIA Security+ exam, which I will hopefully be able to earn in late May or early June.

As time allows, I plan on posting about how I configured ESXi and FreeNAS, as well as documenting some of the projects I’ve been working on. I may not be able to keep a steady publication schedule, but bear with me. If you want to get email alerts with new posts, enter your email in the subscribe box. At this rate, you won’t need to worry about too many messages cluttering your inbox.

Finally, if you’re interested in the study book I’ve been using to study so far for the Security+, you can find it here on Amazon (not a ref link). The book is “CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide” by Darril Gibson. So far it has been an easier read than the McGraw Hill “All-In-One” series, though some of the information and explanations are a little redundant.

Anyways, thanks for reading!

The Pursuit of Homelabs, Part 5 – IT LIVES!

What a week it’s been! After receiving all my parts from my first eBay order, then waiting on a set of M246M cables to come in the mail (oops), I was all set to get started… or was I? After some great “learning opportunities”, I was able to successfully boot my R710! Keep reading to see what all I learned along the way.

The Pursuit of Homelabs, Part 3 – How I Learned To Love the R710

LAST TIME in THE PURSUIT OF HOMELABS, I talked about what my options were in upgrading my at-home resources I could use for virtualization and storage. Until I took the plunge, I didn’t want to get too much into the specifics of what my decision was. I’ve done my research. I’ve done a lot of window shopping. I’ve slept on it for a while. And now… I’ve got some parts in the mail! Keep reading to see why (and how) I chose Dell’s R710.

Prevent Windows 10 From Automatically Restarting After Installing Updates

Sometimes you need to do things on your own schedule. Sometimes you have a set of tasks set up that will take a few days to run, and sometimes those tasks happen to be running across Patch Tuesday or whenever Microsoft releases an out-of-band update, meaning you can’t reboot to install the latest updates to your OS as soon as Microsoft tells you to. This is for you.

The Pursuit of Homelabs, Part 2 – What Are My Options?

Earlier this week, I announced that I’m looking to expand the resources I have at my disposal for homelabbing, and just a few days ago, I posted a pretty lengthy list of criteria I took into account planning my potential expansion. Today, I’ll be talking about what my options for expansion are and how well they might fit my needs.

What to Consider When Planning Homelab Hardware

It’s now no secret that I’ve been planning to expand my at-home storage and computing resources. In my last post, I outlined some criteria that I used to help me consider what hardware to purchase. I thought it’d be a good idea to expand on that list of criteria in case anyone else wanted to use it to help them work through finding some new hardware. This is going to be a long one, so settle in!

The Pursuit of Homelabs, Part 1

The last couple of weeks have been a flurry of learning, planning, and (for now) window shopping. Some earlier attempts at spinning up a few VMs at once on my desktop have been met with sluggish disappointment and a really warm office at best, and incompatibility and wasted time at worst. Despite being more than enough for gaming, it seems as though my desktop won’t cut it for what I’ve got planned. It’s for this reason that I’ve decided to look into expanding the resources at my disposal.