Insight and analysis on the information technology space from industry thought leaders.
How to Detect and Manage Shadow IT Within Your Organization’s Network
While often well-intentioned, the use of Shadow IT can lead to increased software costs, support challenges, and security risks. Here's how to address it.
October 24, 2023
Enterprise-level organizations frequently rely on hundreds if not thousands of applications, although many are adopted without the blessing or knowledge of IT departments. When employees across organizations resort to these so-called “Shadow IT” systems, their motivation is often well-meaning and designed to improve key business processes.
However, while Shadow IT systems may seem harmless, they can lead to rising software costs, challenges supporting these applications, and even security concerns. For these reasons, IT departments often expend significant time and effort to bring these applications under control. They are not always successful, though. According to G2 research, 58% of employees admit to using software that has not been approved by IT. Additionally, an IDC study found that only 39% of enterprises are confident in their ability to detect Shadow IT.
Of course, network data offers a wealth of insights into IT use across the enterprise. It’s hard to hide network activity, particularly when organizations have robust monitoring systems in place. This makes the network a great place to look when searching for Shadow IT applications after other avenues have been exhausted, such as following a formal or informal audit of enterprise application use.
Conduct an audit to gain insights into unauthorized services being used.
Employees often use Shadow IT to improve their productivity, communication, or file storage and sharing. That means these programs or services should be at the top of the list for IT teams to watch out for when conducting an audit. Furthermore, audits do not necessarily need to rely on more technical processes to discover Shadow IT, as offline tactics can yield results.
For example, some organizations have succeeded by looping in finance departments to review expense reports for unauthorized software purchases. Many applications are available for free or offer extended trial periods, of course, so this tactic may only sometimes work. Alternatively, examining recent help desk tickets may uncover particularly problematic shadow IT systems, especially if these systems are regularly breaking down and causing disruption to essential processes.
Finally, a simple survey asking employees what applications they use and why can provide valuable insights. Conducted regularly, IT leaders can uncover shifts in application usage to inform future budgeting and enterprise-wide deployments, since consolidating applications can create more efficient operations. Meanwhile, IT teams can reference this data to investigate new applications and assuage potential security or performance concerns. In such cases, IT teams may need to look to the network, which offers its own unique source of intelligence for Shadow IT detection.
Check DNS and firewall logs for signs of suspicious traffic.
As more applications and services rely on processing in the cloud to function, monitoring external traffic by checking DNS logs represents a great method of detecting shadow IT systems. By analyzing DNS logs, IT teams can identify any unusual or suspicious domains accessed, indicating the presence of unauthorized applications, and identify patterns that deviate from the form. Administrators can then use DNS filtering to allow or deny client and domain lists to ensure that only specific users are permitted access to specific apps and services.
Similarly, firewalls can help detect Shadow IT by processing data from connected systems, proxies, and SIEMS to identify specific applications being used, the devices accessing them, the frequency of usage, and how much data is being uploaded or downloaded. In this way, IT can stitch together a more comprehensive view of Shadow IT use. However, relying simply on logs of external traffic has its limits, as IT can only figure out when an external server is being accessed. A more comprehensive method of Shadow IT detection requires a deeper understanding of network behavior at the packet level.
Implement deep packet inspection at scale for comprehensive network visibility.
Deep packet inspection (DPI) is a type of data processing method that inspects the data or information sent over a server, allowing administrators to block, alert, relocate, or log the data being moved and identify the behavior of applications within the network. By applying DPI at scale, IT gains a more comprehensive means of monitoring traffic across any infrastructure environment, including data centers, private and public cloud environments, and co-location facilities serving customer-centric applications such as voice, video, SaaS, and UCaaS, regardless of their point of access.
IT teams using deep packet inspection can look at clues like source IP addresses and port numbers to determine the identity of unknown applications, which business units are responsible for their use, and how frequently they are accessed. By analyzing packet contents, IT teams can identify unauthorized applications based on their unique traffic patterns or signatures, even if they never connect to external servers. More advanced systems can also label applications by referencing pre-existing data and server pool definitions, making detection automatic.
Attain control and visibility of Shadow IT across your enterprise.
Shadow IT use is on the rise within enterprises, and IT departments need comprehensive and consistent visibility across their entire digital infrastructure to detect its use. While most Shadow IT applications promise increased productivity or improved communications, in many cases, the risks of Shadow IT applications outweigh their reward as enterprises face potentially higher software costs, support requests, and security concerns. Thankfully, tried-and-true methods of auditing Shadow IT systems can help detect their use, and by using more advanced networking techniques, such as DNS tracking and deep packet inspection, IT teams can finally bring unsupported applications under control.
About the Author
You May Also Like