How do you detect "Shadow IT" in the cloud?  When Shadow IT was a server under the desk in the office, you had a chance of detecting it.  But if a non-IT team spins up some servers in the cloud, or subscribes to some SaaS/PaaS solution, it's going to be a lot harder for IT to discover, monitor, manage, or protect. So, what techniques do you have to detect or prevent Shadow IT in the cloud?

Senior Enterprise Architect, Application Consulting in Healthcare and Biotech, 7 months ago
Typically corporate IT will not be aware of Shadow IT in the cloud until help is requested, usually for integration with corporate systems.   There should be clear and enforceable policies regarding deployment of business related data and applications in the cloud.   Procurement should ensure any cloud vendor transactions are signed off by executives committed to these policies.  A breach or data loss involving proprietary or personal data could be disastrous.
Director of IT in Government, 7 months ago
We don't directly detect Shadow IT, but we constrain our enterprise resources so we know what is connecting to it.  We do this by restricting VPCs (virtual private cloud) and security groups and restricting "sandboxes" and uncontrolled instances from accepting external connections.

We also use tools to discover assets, map references between resources, provide security scans, etc.  The primary tools we use for this are ServiceNow and Qualys.
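The comment above describes keeping sandboxes and uncontrolled instances from accepting external connections. As an added example (not code from the thread or from any poster), here is the matching detective check: walk a list of security groups in the shape of an EC2 DescribeSecurityGroups response and flag inbound rules open to the whole Internet. The sample groups, the "sandbox-" naming convention and the allowed-port policy are all constructed assumptions for this example; a real run would feed in boto3's ec2.describe_security_groups() output.

```python
"""Flag security groups whose inbound rules are open to the Internet.

Added example, not from the original thread. Input mirrors the shape of
an EC2 DescribeSecurityGroups response (GroupId, GroupName, IpPermissions
with IpProtocol/FromPort/ToPort and IpRanges/Ipv6Ranges). The groups
below are constructed sample data.
"""

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample in DescribeSecurityGroups shape (assumption).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0aaa",
        "GroupName": "web-prod",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ],
    },
    {
        "GroupId": "sg-0bbb",
        "GroupName": "sandbox-analytics",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
            {"IpProtocol": "-1",  # "-1" means all protocols and ports
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        ],
    },
    {
        "GroupId": "sg-0ccc",
        "GroupName": "sandbox-ml",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]

# Ports a non-sandbox, Internet-facing group may expose. Policy choice
# made up for this example.
ALLOWED_PUBLIC_TCP = {80, 443}


def _world_open(rule):
    """True if any source CIDR in the rule is the whole IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _port_span(rule):
    """Return (from, to), or None for all-traffic (-1) / portless rules."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return None
    return rule["FromPort"], rule["ToPort"]


def find_exposed(groups, sandbox_prefix="sandbox-", allowed=ALLOWED_PUBLIC_TCP):
    """Return findings as (GroupId, GroupName, description) tuples.

    Groups named with the sandbox prefix (a naming-convention assumption)
    may not accept anything from the Internet; other groups may expose
    only single TCP ports from the allowed set.
    """
    findings = []
    for g in groups:
        is_sandbox = g["GroupName"].startswith(sandbox_prefix)
        for rule in g.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            span = _port_span(rule)
            if span is None:
                findings.append((g["GroupId"], g["GroupName"],
                                 "all protocols/ports open to the Internet"))
                continue
            lo, hi = span
            proto = rule["IpProtocol"]
            if is_sandbox:
                findings.append((g["GroupId"], g["GroupName"],
                                 f"sandbox exposes {proto}/{lo}-{hi} to the Internet"))
            elif proto != "tcp" or lo != hi or lo not in allowed:
                findings.append((g["GroupId"], g["GroupName"],
                                 f"{proto}/{lo}-{hi} open to the Internet outside allowed ports"))
    return findings


if __name__ == "__main__":
    for gid, name, desc in find_exposed(SAMPLE_GROUPS):
        print(f"{gid} ({name}): {desc}")
```

On the constructed data only sg-0bbb is reported (SSH and an all-traffic IPv6 rule); the production web group on 443 and the sandbox group reachable only from 10.0.0.0/8 pass. Run it against every region and account you own, since the accounts you do not know about are the ones the question is really asking about.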
Director of IT in Energy and Utilities, 7 months ago
I think that there are a number of avenues that are probably part of your processes:

- First is the connectivity.  Anything "approved" by IT is likely using direct connectivity, be it Direct Connect or VPN tunnels.  Using tools like SkyHigh, you should have no problem identifying the cloud providers used.  Just connect something like SkyHigh to your internet connectivity and have some analyst(s) ready to tell you what is used.  Tools like SkyHigh allow you to solve the problem where a given SaaS provider can have huge IP address ranges and figuring out IP-to-domain mapping can be very time consuming.  Partnering with the cyber security group and legal may be very helpful here, because unauthorized use of cloud services is likely a violation of company policies such as where company data is permitted to be stored, vendor vetting for controls over the company's data in their systems, etc.

- Second is access.  Anything "approved" by IT is likely connected to some central access monitoring and control tool like Azure AD, CyberArk, Okta, SailPoint, etc.  Just compare services that are being accessed to what is integrated with the tools that govern access.  Similarly to the above point, your company likely has policies about account removal or disabling, legal hold, etc., and shadow IT likely does not comply.

- Third is procurement and payment.  There is the proactive thing, where essentially a good company policy can make the head of procurement and his department accountable for ensuring that all technology procurement has IT's approval.  That can be a bit of a political nightmare.  However, getting data on non-IT payments for technology is pretty easy.  This can be discussed with the associated organizations.  Any sort of silliness there can be easily stopped by highlighting to the board or to the CEO's directs that the company is more likely to be in the news due to improper use of technology or technology assets.  Alternatively, have someone like the CIO define a risk acceptance process and ask an officer/executive to sign a document that lists all the risks and accepts all the risks, OR the access to the service will be disabled, which IT can easily do.

- Fourth is audit and controls.  IT, especially in the I&O area, gets audited all the time.  Use that relationship with the internal audit team, including the officer running internal audit, to seek inclusion of shadow IT areas in the audits that IT goes through.  It is more likely than not that the shadow IT areas will not do well, and most executives outside of IT will quickly want to send the technology and accountability from their org to IT.  The main reason is that all audits that are not good go to the company's board audit committee for review.  In most cases, such occurrences require the corresponding officer or executive to explain what in the world is going on, and usually the CIO can chime in simply with "I can fix that by taking it all over, and executive XYZ would no doubt have no objections."

Mike  
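The first two avenues in the answer above, connectivity (what cloud services the egress traffic actually reaches) and access (what the IdP knows about), can be cross-referenced directly. As an added example (not code from the thread or from any poster), the script below parses constructed proxy log lines, maps each destination hostname to a SaaS product using a small domain table, and reports every service with real user traffic that is absent from the list of IdP-integrated applications. The log format, the domain table and the sanctioned-app list are all assumptions made up for this example; in practice the table would come from a CASB catalog (the answer mentions SkyHigh) and the sanctioned list from an export of your SSO tool.

```python
"""Find SaaS in use that is not behind the corporate IdP.

Added example, not from the original thread. Cross-references egress
(proxy) logs, which show which cloud services users actually reach,
with the list of applications integrated with the SSO/IdP. A service
with real user traffic but no IdP integration is a shadow-IT candidate.
Log format, domain table and sanctioned-app list are constructed.
"""
import re
from collections import defaultdict

# Constructed mapping of registrable SaaS domains to product names.
# A real deployment would take this from a CASB/catalog feed.
SAAS_DOMAINS = {
    "salesforce.com": "Salesforce",
    "dropbox.com": "Dropbox",
    "trello.com": "Trello",
    "notion.so": "Notion",
    "okta.com": "Okta",
    "github.com": "GitHub",
}

# Constructed: apps the IdP reports as integrated (e.g. an Okta app export).
IDP_INTEGRATED = {"Salesforce", "GitHub", "Okta"}

# Constructed proxy log lines: "<ts> <user> <method> <host>[:port] <status>"
SAMPLE_LOG = """\
1712000000.101 alice CONNECT login.salesforce.com:443 200
1712000001.204 bob CONNECT www.dropbox.com:443 200
1712000002.310 carol CONNECT api.trello.com:443 200
1712000003.412 bob CONNECT www.notion.so:443 200
1712000004.501 dave CONNECT www.dropbox.com:443 200
1712000005.622 alice CONNECT github.com:443 200
1712000006.700 erin CONNECT updates.internal.example:443 200
1712000007.800 bob CONNECT cdn.dropbox.com:443 200
this line is garbage and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+\S+\s+(?P<host>[^:\s]+)(?::\d+)?\s+(?P<status>\d{3})$"
)


def service_for_host(host, table=SAAS_DOMAINS):
    """Map a hostname to a SaaS product by walking its parent domains.

    Tries the full host, then each shorter suffix, so 'cdn.dropbox.com'
    maps to Dropbox while 'dropbox.com.attacker.test' maps to nothing.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


def parse_log(text):
    """Yield (user, host) for well-formed lines; silently skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("host")


def find_shadow_saas(log_text, sanctioned=IDP_INTEGRATED):
    """Return {service: sorted users} for SaaS seen in traffic but not in the IdP."""
    users_by_service = defaultdict(set)
    for user, host in parse_log(log_text):
        svc = service_for_host(host)
        if svc is not None:
            users_by_service[svc].add(user)
    return {
        svc: sorted(users)
        for svc, users in users_by_service.items()
        if svc not in sanctioned
    }


if __name__ == "__main__":
    for svc, users in sorted(find_shadow_saas(SAMPLE_LOG).items()):
        print(f"{svc}: {len(users)} user(s) ({', '.join(users)}) - not behind the IdP")
```

On the constructed data Dropbox, Trello and Notion are reported with the users touching them, while Salesforce and GitHub are dropped because the IdP already governs them. The user count per service is what makes the follow-up conversation with the owning department concrete, and the suffix walk in service_for_host is what keeps CDN and API subdomains attributed to the right product.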
Director of Supply Chain, 7 months ago
Mike Szopinski's answer is the most thorough.  My recommendation is to start with #3 in his list, and follow the money.  Everything goes through Finance & Accounting.  So, any cloud costs which are not directly attributable to the IT budget are shadow IT.  The key is in reviewing the vendors to filter for the right things.  Another place is contracts: if your legal department deals with software contracts, they will also likely have a list of in-force contracts, and contracts in process, which can help you find unknown partnerships.

Presumably if a business unit is using shadow IT in the cloud, there must be some connectivity, so Security should have been involved in the assessment and contracting.  However, this is not always the case as some platforms, especially if they are analytic, may just receive files your employees send manually, or in some instances, the vendors can form relationships with other external entities that send you data, and go get the data directly.  It would be helpful to have policies in place around 1) any cloud-based software being vetted by security/compliance/data governance prior to contract approval, especially if there is any data leaving the existing company controlled space and going into the new cloud space.  This policy should have teeth to it to be effective (some form of penalties).  Once this is in place, you can "grandfather" any existing contracts, which must go through the process at contract renewal.  Management of the contract flow from a data governance perspective can help you achieve this.

RKB
Director in Manufacturing, 4 months ago
Some good answers. Here's one I've used to find IT "stuff". Get authorized to search your accounts payable and which departments are paying them. If you can't get direct access, have Accounting dump a report. I found millions in savings this way, sometimes just by moving the shadow service under our proper contract and getting bills reduced. You need an IT generalist who is familiar with thousands of IT businesses to find the bills. An accountant typically cannot do this.
Director of IT in Education, 4 months ago

It is a challenging problem for some organizations,
