The managed service provider (MSP) Nero Consulting just got a shiny, new button.
When an end-user wants to install an unsanctioned application—say, Dropbox—the “Admin by Request” tool pops up on their screen to ask why. Integrated into Teams chat, the tool allows CEO Anthony Oren or IT specialist Roman Shain to grant or deny permissions based on the response.
“If it’s not valid, we’ll actually ask you to give us more business-case reasoning,” said Oren.
The button reflects the balancing act that security pros make when addressing the shady challenge of shadow IT, aka unapproved assets. Shadow IT teams, however, often produce brighter results than their murky name implies, and IT pros are meeting in the middle, somewhere between total “deny” and total “approve.”
“You want those ideas from every employee to come to the forefront, and you also want operations to move at the speed they need to move. So, even if it does mean IT departments need to be more lenient on their policies, I think that’s really important,” said Olivia Montgomery, associate principal analyst at Gartner.
Come out, come out, wherever you are. A March survey from asset-intelligence vendor Sevco Security uncovered home laptops and personal devices connecting to corporate productivity tools like Office 365.
Seventeen percent of the study’s IT assets accessing corporate networks did not appear in enterprise sources, like directory services or mobile device managers (MDM), which push security policies to network-connected devices.
According to Pew Research: 35% of employees that can work from home do, which means more devices and precious company data outside a controlled network perimeter.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“My fear today is we have made that information available on all these mobile devices; we haven’t taken the basic steps sometimes to put them in an MDM,” said James Darby, VP of customer success at Sevco Security.
Shad-dont? Shad-do! A shadowier risk may involve eager non-IT teams—say, a sales group collecting leads at a trade show without using company-approved CRM tools.
Montgomery sees IT project managers as approachable liaisons who can launch projects without undermining the company tech teams.
“They really can be that person that both sides can go to, especially operational leaders. Maybe it’s not your IT manager because sometimes that person isn’t always readily available…Often people on the business side prefer to talk to other business-side people,” said Montgomery.
Research from the Gartner-owned marketplace Capterra found light in the IT shadows. While 76% of the SMBs admitted a hidden IT effort posed moderate to severe cybersecurity risks, 98% of respondents with shadow IT reported long-term positive impacts like employee satisfaction and financial gains.
Another guardrail to balance security and end-user overstepping, said Montgomery: sandbox environments. IT’s spare software versions can act as a testbed.
Such shadow-IT solutions—sandboxes sitting between production and IT, project-managing go-betweens, and admin-request pop-ups—are quite literally attempts to meet in the middle: quickly giving teams their desired tools without sacrificing security.
“We just hit a button. This makes it a great compromise of, ‘No, you can’t have anything’ and, ‘Yes, you can have everything,’” said Shain.—BH