Shadow IT as a business enabler

Transcription

1 WHITEPAPER: SHADOW IT as a business enabler Shadow IT as a business enabler How to turn Shadow IT to your advantage Who should read this paper This paper addresses the challenges of the increasing trend for unsanctioned IT, known as Shadow IT. The paper is targeted at senior IT management and senior IT operations individuals working in organisations of all sizes.

2

3 Shadow IT xxxxxxxxxxxxx as a business enabler Contents Introduction 1 What Shadow IT means to the organisation 2 Mobile 2 Applications 2 Diversion of budget to IT 3 Security awareness is key 3 Recommendations 4 Become part of the decision-making process 4 Apply a business lens to IT 4 How Symantec Solutions can help 5 Discover unknown devices and processes in an environment 5 Regain control of the mobile endpoint 5 Manage access to the network and applications 5 Centralise access to cloud applications and improve user experience 6 benchmark and assess internal systems and applications, audit employee awareness and assess third-party supplier risk 6 Summary 7 References 8

4 Introduction Shadow IT is by no means a new phenomenon. However, as today s business environment shifts rapidly towards consumerisation, Shadow IT is becoming a growing area of concern for organisations worldwide. It is now easier than ever for departments within an organisation to use their own budgets to invest in, and install, applications and Software as a Service (SaaS), without consulting the internal IT department. In addition, as the use of mobile devices within the workplace has become commonplace, employees expect to be able to incorporate the primarily cloud-based applications they use at home into their working lives. The rise of Shadow IT has huge implications for organisations as it brings increased risk, security and compliance issues. However, as it is often driven by a desire for increased productivity and efficiency, it can also be viewed as a powerful business enabler if managed correctly. This paper will look at how Shadow IT has evolved, its main areas of impact and the steps an organisation can take to protect data and infrastructure while enabling Shadow IT to emerge from the shadows. 1

5 What Shadow IT means to the organisation The way in which IT is being delivered to the business is evolving. Organisations are moving away from the traditional enterprise model of PC and data center, towards a cloud-based, browser model that can handle increasing volumes of data 1. This trend towards the consumerisation of IT is having a major impact on how businesses access and use IT, particularly across the following key areas: Mobile devices Mobile devices are increasingly being used in a collaborative role to access an organisation s s, internal servers, calendars and address books. This can help employees boost productivity, however, if unmanaged these devices present a high degree of risk to the organisation. As well as the obvious problems associated with employees bringing in their own, non-secured devices, jail breaking or rooting company-owned devices to download external applications can open them up to increased vulnerabilities. Connecting such devices to the internal infrastructure can then unwittingly subject the organisation to dangerous attacks. Similarly, if employees do not have adequate password protection on their mobile devices, sensitive data can be compromised if the devices are lost or stolen. A Symantec study found that when a business-connected mobile device is lost, there is more than an 80 percent chance that an attempt will be made to breach corporate data and/or networks 2. Applications The current trend for consumerisation and faster networks, such as 3G and 4G, has resulted in increasing numbers of applications being created and uploaded. If users can t find the software internally to support departmental or personal productivity, they will often look to external applications. This has been partly facilitated by the move to wireless networks, which offer the increased bandwidth required to use SaaS. In many instances, employees are unknowingly engaging in Shadow IT. A good example of this is the prevalence of popular online, cloud-based file storage and sharing applications. This trend for downloading external applications is worrying, as it can open up the organisation to malicious code if installation takes place without the correct security and compliance considerations. 2

6 Diversion of budget to IT The move towards a cloud-based model of IT enables individual departments to provision new systems more easily, without the need to involve internal IT. In fact, more and more departments are using their own budget to purchase dedicated applications, access new data or use the services of a third-party supplier. Research by Forrester found that over 90% of business departments spend their own budget on IT 3. As a high proportion of Shadow IT applications are cloud-based, they do not require internal involvement for implementation as they sit on someone else s network. However, this ease of installation and use has to be balanced with the security and compliance considerations of third-party control. Security awareness is key The consumerisation of IT accelerates the use of Shadow IT because the more accessible and simple it is to install, the greater the likelihood that its use will increase, particularly if there are no internal restrictions. It is paramount that IT organisations drive a new security-conscious culture by raising awareness of security and compliance issues within the business and its suppliers. Although media accounts of phone hacking and lost or stolen data have helped to highlight such issues, many employees still do not understand the threat that downloading a single application can bring to the organisation. This is compounded by the fact that many companies do not have the correct authentication solutions or written policies in place to safeguard against these external threats. 3

7 Recommendations The IT security department is typically risk averse. This is not surprising, as a key focus of the role of IT within an organisation has been to prevent threats by blocking or restricting access to sensitive data. As a result, the IT team is often viewed as a barrier to the introduction of new technologies or innovations within the lines of business (LOBs), rather than being considered strategic to the enterprise. To manage Shadow IT, the IT team has to become better at enabling and innovating. A certain level of informed risk is necessary for every business to develop, and this principle holds true within the cyber world too. Accepting that there is always a risk enables companies to be prepared for it, rather than assuming it can be prevented. There is little doubt that Shadow IT will always take place, so it is vital to embrace it in order to help bring it back within the protection of the organisation. Become part of the decision-making process By becoming strategic to the organisation and forming part of the decision process ahead of Shadow IT project commitments, the IT team can help to guide the LOBs to make the right decisions: not only for their area and the organisation as a whole, but also in terms of business risk. This is not an overnight fix, but involves a cultural change and a more functionally mature business approach to delivering IT and security to the organisation. Apply a business lens to IT There are many governance frameworks that organisations can use to drive functional IT maturity and many of these, like ISO, include aspects outside of traditional IT. However, the majority share the same DNA. Many recommend that organisations gain better visibility of all IT assets, including servers, desktops, mobile devices and storage systems. Once an organisation knows what it has, it must then apply a business lens and map out critical assets. Different policies and controls can then be applied, based on the value they bring to the organisation. In addition, by proactively assessing the risk that different assets pose (for example, a configuration weakness or application vulnerabilities), a rescue plan can be developed with remediation activities prioritised by business impact. This simple, proactive approach has a huge impact on the operational costs of running an IT department. Focusing only on top priority projects that provide the most value to the organisation frees up operational time and resource to work on innovative projects for the LOBs. Looking at IT through a business lens also results in more productive conversations around budget and planning. 4

8 How Symantec solutions can help There are various approaches that IT security teams can take to proactively support the business environment while mitigating the risks posed by Shadow IT. Initially, it is important that the IT teams benchmark their environment, their users, their systems and their applications. Once they understand what they have in terms of sanctioned and unsanctioned IT, they can begin to reach out to those individuals and lines of businesses. Next, IT organisations can begin the process of assessing the impact on the business and reducing risk, whilst supporting the positive outcomes that these Shadow IT projects sought to bring to the business. Discover unknown devices and processes in an environment The changing needs from lines of business managing and supporting too many devices control the complexity for the latest versions of software and hardware, and the adoption of new technologies like cloud, virtualisation and mobile means that IT departments need the ability to manage this change. Using Altiris IT Management Suite, organisations can manage such issues, enabling them to provide a faster and more predictable service. The suite ensures that organisations management infrastructures can easily support new technology changes, adapt quickly to changing processes and business needs, and provide the necessary insight to make more intelligent, data-driven decisions. Regain control of the mobile endpoint With users carrying multiple devices, and whichever deployment models the organisation chooses to support (BYOD, COPE, COIT), Symantec Mobile Management Suite provides modular and integrated management for enterprise-wide mobile initiatives. The cost-efficient per-user (instead of per-device) model and integration with enterprise management products help deliver operational efficiencies and lowers total cost of ownership. With trusted protection at the device, app and data layers, it can ensure that corporate data is isolated and protected from data-loss, malware, and unauthorised access. Manage access to the network and applications Conducting business electronically, and increasingly from mobile devices, has become a business standard. Therefore it is more important than ever to properly authenticate users, restrict access to confidential information, and verify the integrity or origination of sensitive documents and s from all devices. Providing this level of trust-based security enables organisations to facilitate tighter integration with business partners, protect data on managed and unmanaged devices, ensure business continuity, and maintain compliance with government and corporate regulations. These business needs can be addressed using the cloud-based Symantec Managed PKI Service. It enables organisations to issue, renew, and revoke digital certificates that can be used to power strong authentication, encryption, and digital signing applications. 5

9 Centralise access to cloud applications and improve user experience Organisations are already adopting new Software as a Service (SaaS) cloud applications to improve business agility, lower IT costs, and enable a more mobile workforce. But these types of applications come with a new set of operational challenges and associated information security risks that IT departments must manage. To succeed in the cloud, IT departments need to become more integrated and aligned to the organisation, as the LOBs will continue to select and implement their own IT systems; the majority of which will be cloud-based because of the ease of deployment and use. Symantec O3 is a new control platform that solves cloud security problems using identity-based access control across multiple cloud applications. In the cloud, where a traditional enterprise perimeter doesn t exist, solutions like Symantec O3 will fill the gap. Leveraging existing identity management infrastructure, Symantec O3 will enforce security and compliance policies for cloud applications without getting in the way of productivity. Benchmark and assess internal systems and applications, audit employee awareness and assess third-party supplier risk Managing IT risk and compliance in today s organisations is challenging. Organisations now face a growing number of business and regulatory drivers, an evolving threat landscape, and increasingly complex IT infrastructures. How can these changes be embraced while minimising IT risks? The ability to transition the traditional role of technical expert to business risk advisor is critical to success. Today s IT departments must be able to clearly communicate the state of their constantly changing environment to a range of different stakeholders IT operations, audit, and business leaders in terms that each group can understand and act upon. As security threats and IT risk management become boardroom-level discussions, security leaders must be able to communicate and prioritise their IT risks in business-relevant terms in order to drive change and accountability. For many organisations, this transition is a challenging one. Their view of IT risk is often generated by multiple point-product solutions, each one providing only a narrow tactical perspective. Bringing together all of the data from these solutions and creating one composite view of IT risk and compliance can be difficult and time-consuming. Any organisation that has not yet automated this process relies on manual assessments, which can often yield inaccurate results that quickly become obsolete in the rapidly changing environment. Symantec Control Compliance Suite can address these complex IT risks and compliance challenges by providing a solid framework on which to build an IT Governance, Risk, and Compliance programme. Control Compliance Suite helps organisations to communicate IT risk in business-relevant terms, prioritise remediation efforts based on a composite view of risk, and automate assessment processes to improve overall security and compliance posture. 6

10 Summary IT departments cannot halt the spread of Shadow IT and its associated risks. Therefore, it is vital that traditional IT becomes part of the key decision-making process within organisations. By embracing Shadow IT as a key business enabler, then using governance, management and control solutions to mitigate risk and protect valuable data and assets, IT departments can proactively help the organisation to use Shadow IT to achieve its business goals. 7

11 References 1 The Big Five IT trends of the next half decade: Mobile, social, cloud, consumerization, and big data, Dion Hinchcliffe, ZD Net, October Symantec Smartphone Honey Stick Project, Scott Wright, 2012, p12 om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012mar_worldwide_honeystick 3 IT is too important to be left to the IT department, say business execs, Pete Swabey, Information Age, May it-is-too-important-to-be-left-to-the-it-department--say-business-execs 8

12 About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at For specific country offices and contact numbers, please visit our website. Symantec World Headquarters 350 Ellis St. Mountain View, CA USA +1 (650) (800) Symantec helps organizations secure and manage their information-driven world with data deduplication and deployment software. Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks of their respective owners. Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Symantec, and may or may not be implemented and should not be considered firm commitments by Symantec and should not be relied upon in making purchasing decisions. 05/2013