The threat of technology initiatives implemented outside the purview of IT is coming full circle. Now, some security leaders encourage line-of-business professionals to investigate and experiment with externally developed systems that promise to deliver utility quickly and inexpensively. But the trick to making these shadow IT efforts viable and safe is to provide an easy framework that includes security vetting but doesn’t get in the way of fast starts at the department level.

Consider these issues as you work to deliver services to areas of your enterprise. Chances are they already use some of what security professionals consider to be shadow IT.

Understanding Business Needs

Enterprise departments are eager to get their work done. When the existing IT systems don’t meet their immediate needs, it’s easy enough for them to search online for cloud-based applications that appear to address their concerns.

But while the general reasons for these excursions into software trials seem obvious, preventing them or even directing users to secure services is much less conspicuous. The first step in harnessing shadow IT is to understand the issues departments are struggling with and evaluating which solutions they have tried or have already put in place.

Evaluating Shadow IT Solutions

Solutions are everywhere, but the ones selected by users may not meet the organization’s IT standards for security, integration or any number of criteria normally associated with enterprise software systems. On the other hand, cloud-based applications have matured over time and some have been hardened to the level of IT scrutiny.

The challenge facing IT is to evaluate the shadow IT solutions being used against internal standards to determine their suitability to occupy a trusted position in the system’s infrastructure. Those that make the cut should be identified and contractually engaged with appropriate pricing and service-level agreements (SLAs).

For those applications that are deemed unfit, IT must identify viable alternatives. But it isn’t enough to simply find a new app. They need to manage the migration, training, implementation, integration and all the other tasks without disenfranchising the users who have devoted time and effort to their projects.

Enlist the Employees

Moving from an unauthorized shadow IT application to a more secure system, or even accepting an application, requires the help of those invested in its use. Every application has its limitations and problems, and no one knows them better than the users who deal with them every day. IT needs to apply its expertise in solving those issues by first identifying them with the help of the users, then addressing them wherever possible.

If the situation demands abandoning one application in favor of another that better fits enterprise standards, IT managers need to develop a solid set of advantages to present to current users to bring them on board with the change. They should enlist employees to advocate for the shift among their coworkers to portray the change as bring driven from within rather than forced upon the user base.

Integrate With IT Expertise

Few applications used in the enterprise exist on their own. IT managers can enhance the value and extend the usefulness of solutions by connecting them to other applications and data.

Many applications that are initially implemented as shadow IT projects have application program interfaces (APIs) available to connect to other solutions but cannot be linked without appropriate permissions. Once IT has validated a shadow application, it needs to investigate what APIs are available and whether the application should be connected to any appropriate systems already in use.

Shadow IT is not disappearing. Adopting the applications users have already found fit their needs can be a shortcut to delivering enhanced services. But IT must evaluate existing solutions for their adherence to enterprise standards and either embrace them or replace them with viable alternatives.

More from Application Security

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…

Does Follina Mean It’s Time to Abandon Microsoft Office?

As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought. I brought up…

3 Reasons Why Technology Integration Matters

As John Donne once wrote, “No man is an island entire of itself.” With digitalization bridging any distance, the same logic could be applied to tech. Threat actors have vast underground forums for sharing their intelligence, while security professionals remain tight-lipped in a lot of data breach cases. Much like the way a vaccine can help stop the spread of infectious diseases, sharing threat intelligence and defense strategies can help to establish a more secure future for everyone.  So what…