The threat of technology initiatives implemented outside the purview of IT is coming full circle. Now, some security leaders encourage line-of-business professionals to investigate and experiment with externally developed systems that promise to deliver utility quickly and inexpensively. But the trick to making these shadow IT efforts viable and safe is to provide an easy framework that includes security vetting but doesn’t get in the way of fast starts at the department level.

Consider these issues as you work to deliver services to areas of your enterprise. Chances are they already use some of what security professionals consider to be shadow IT.

Understanding Business Needs

Enterprise departments are eager to get their work done. When the existing IT systems don’t meet their immediate needs, it’s easy enough for them to search online for cloud-based applications that appear to address their concerns.

But while the general reasons for these excursions into software trials seem obvious, the means of preventing them, or even of steering users toward secure services, are far less clear. The first step in harnessing shadow IT is to understand the issues departments are struggling with and to evaluate which solutions they have tried or have already put in place.

Evaluating Shadow IT Solutions

Solutions are everywhere, but the ones selected by users may not meet the organization’s IT standards for security, integration or any number of criteria normally associated with enterprise software systems. On the other hand, cloud-based applications have matured over time and some have been hardened to the level of IT scrutiny.

The challenge facing IT is to evaluate the shadow IT solutions being used against internal standards to determine whether they are suitable to occupy a trusted position in the enterprise's infrastructure. Those that make the cut should be identified and contractually engaged with appropriate pricing and service-level agreements (SLAs).

For those applications that are deemed unfit, IT must identify viable alternatives. But it isn’t enough to simply find a new app. They need to manage the migration, training, implementation, integration and all the other tasks without disenfranchising the users who have devoted time and effort to their projects.

Enlist the Employees

Moving from an unauthorized shadow IT application to a more secure system, or even accepting an application, requires the help of those invested in its use. Every application has its limitations and problems, and no one knows them better than the users who deal with them every day. IT needs to apply its expertise in solving those issues by first identifying them with the help of the users, then addressing them wherever possible.

If the situation demands abandoning one application in favor of another that better fits enterprise standards, IT managers need to develop a solid set of advantages to present to current users to bring them on board with the change. They should enlist employees to advocate for the shift among their coworkers so that the change is seen as being driven from within rather than forced upon the user base.

Integrate With IT Expertise

Few applications used in the enterprise exist on their own. IT managers can enhance the value and extend the usefulness of solutions by connecting them to other applications and data.

Many applications that are initially implemented as shadow IT projects have application programming interfaces (APIs) available for connecting to other solutions, but they cannot be linked without appropriate permissions. Once IT has validated a shadow application, it needs to investigate what APIs are available and whether the application should be connected to any appropriate systems already in use.

Shadow IT is not disappearing. Adopting the applications users have already found fit their needs can be a shortcut to delivering enhanced services. But IT must evaluate existing solutions for their adherence to enterprise standards and either embrace them or replace them with viable alternatives.
