How do you detect "Shadow IT" in the cloud? When Shadow IT was a server under the desk in the office, you had a chance of detecting it. But, if a non-IT team spins-up some servers in the cloud, or subscribes to some SaaS/PaaS solution, it's going to be a lot harder for IT to discover, monitor, manage, protect. So, what techniques do you have to detect or prevent Shadow IT in the cloud?
Agree with previous responses, one to add on the detective side is leveraging your CASB (if you have one) to give you insight on unsanctioned cloud usage.
According to Gartner, a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Think of the CASB as the sheriff that enforces the laws set by the cloud service administrators.

Organizations are increasingly turning to CASB vendors to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control.
Some good answers. Here’s one I’ve used to find IT “stuff”. Get authorized to search your accounts payables and see which departments are paying them. If you can’t get direct access, have Accounting dump a report. I found millions in savings this way, sometimes just by moving the shadow service under our proper contract and getting bills reduced. You need an IT generalist who is familiar with thousands of IT businesses to find the bills. An accountant typically cannot do this.
It is a challenging problem for some organizations,
Mike Szopinski's answer is the most thorough. My recommendation is to start with #3 in his list, and follow the money. Everything goes through Finance & Accounting. So, any cloud costs which are not directly attributable to the IT budget are shadow IT. The key is in reviewing the vendors to filter for the right things. Another place is contracts - if your legal department deals with software contracts, they will also likely have a list of in-force contracts - and contracts in process - which can help you find unknown partnerships.
Presumably if a business unit is using shadow IT in the cloud, there must be some connectivity, so Security should have been involved in the assessment and contracting. However, this is not always the case as some platforms, especially if they are analytic, may just receive files your employees send manually, or in some instances, the vendors can form relationships with other external entities that send you data, and go get the data directly. It would be helpful to have policies in place around 1) any cloud-based software being vetted by security/compliance/data governance prior to contract approval, especially if there is any data leaving the existing company controlled space and going into the new cloud space. This policy should have teeth to it to be effective (some form of penalties). Once this is in place, you can "grandfather" any existing contracts, which must go through the process at contract renewal. Management of the contract flow from a data governance perspective can help you achieve this.
RKB
I think that there are a number of avenues that are probably part of your processes:
- First is the connectivity. Anything "approved" by IT is likely using direct connectivity, be it Direct Connect or VPN tunnels. Using tools like SkyHigh, you should have no problem identifying the cloud providers used. Just connect something like SkyHigh to your internet connectivity and have some analyst(s) ready to tell you what is used. Tools like SkyHigh allow you to solve the problem where a given SaaS provider can have huge IP address ranges and figuring out IP-to-domain mapping can be very time consuming. Partnering with the cyber security group and legal may be very helpful here, because unauthorized use of cloud services is likely a violation of company policies such as where company data is permitted to be stored, vendor vetting for controls over the company's data in their systems, etc.
- Second is access. Anything "approved" by IT is likely connected to some central access monitoring and control tool like Azure AD, CyberArk, Okta, SailPoint, etc. Just compare the services that are being accessed to what is integrated with the tools that govern access. Similarly to the above point, your company likely has policies about account removal or disabling, legal hold, etc., and shadow IT likely does not comply.
- Third is procurement and payment. There is the proactive thing, where essentially a good company policy can make the head of procurement and his department accountable for ensuring that all technology procurement has IT's approval. That can be a bit of a political nightmare. However, getting data on non-IT payments for technology is pretty easy. This can be discussed with the associated organizations. Any sort of silliness there can be easily stopped by highlighting to the board or to the CEO's directs that the company is more likely to be in the news due to improper use of technology or technology assets. Alternatively, have someone like the CIO define a risk acceptance process and ask an officer/executive to sign a document that lists all the risks and accepts all the risks, OR the access to the service will be disabled, which IT can easily do.
- Fourth is audit and controls. IT, especially in the I&O area, gets audited all the time. Use that relationship with the internal audit team, including the officer running internal audit, to seek inclusion of shadow IT areas in the audits that IT goes through. It is more likely than not that the shadow IT areas will not do well, and most executives outside of IT will quickly want to send the technology and accountability from their org to IT. The main reason is that all audits that are not good go to the company's board audit committee for review. In most cases, such occurrences require the corresponding officer or executive to explain what in the world is going on, and usually the CIO can chime in simply with "I can fix that by taking it all over, and executive XYZ would no doubt have no objections."
Mike
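The first two items in the list above (connectivity and access) describe a check that is easy to automate: take egress/proxy logs, collapse destinations to a SaaS vendor, and flag any vendor that is neither on IT's sanctioned list nor federated through the identity provider. Below is an added example of that logic (not code from the poster or from any CASB product); the log format, vendor catalogue, vendor names and the two lists are constructed for illustration, and the domain collapsing is deliberately naive (no public-suffix handling).

```python
"""Flag cloud/SaaS destinations seen in egress logs that are neither
IT-sanctioned nor federated through the corporate IdP.

All sample data below is constructed; vendor names, hosts, log format
and lists are hypothetical.
"""
from collections import defaultdict

# Constructed proxy/egress log lines: "<timestamp> <user> <dest_host> <bytes_out>"
PROXY_LOG = """\
2024-03-01T09:12:03Z alice salesforce.com 18234
2024-03-01T09:14:10Z bob app.hypothetical-analytics.example 5201933
2024-03-01T09:15:44Z carol login.microsoftonline.com 4210
2024-03-01T09:20:01Z dave storage.cloud-drive.example 77312000
2024-03-01T09:21:17Z alice eu1.salesforce.com 900
2024-03-01T09:30:52Z erin api.hypothetical-analytics.example 120044
"""

# Hypothetical registered-domain -> vendor catalogue (the kind of mapping a
# CASB/SkyHigh-style tool maintains for you; hand-written here).
VENDOR_CATALOG = {
    "salesforce.com": "Salesforce",
    "microsoftonline.com": "Microsoft 365",
    "hypothetical-analytics.example": "Hypothetical Analytics",
    "cloud-drive.example": "Cloud Drive",
}

# Connectivity view: vendors IT has approved/contracted (hypothetical list).
IT_SANCTIONED = {"Salesforce", "Microsoft 365", "Cloud Drive"}
# Access view: vendors federated through the IdP via SSO/SCIM (hypothetical list).
IDP_INTEGRATED = {"Salesforce", "Microsoft 365"}


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels: eu1.salesforce.com -> salesforce.com.
    Naive on purpose (no public-suffix list); adequate for the constructed data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_log(text: str) -> list[dict]:
    """Parse the constructed log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, bytes_out = parts
        records.append({"ts": ts, "user": user, "host": host, "bytes_out": int(bytes_out)})
    return records


def summarize_by_vendor(records: list[dict]) -> dict:
    """Aggregate users, hosts and outbound volume per vendor; unknown domains are kept
    under an UNKNOWN:<domain> key so they are never silently dropped."""
    summary = defaultdict(lambda: {"users": set(), "hosts": set(), "bytes_out": 0})
    for r in records:
        domain = registered_domain(r["host"])
        vendor = VENDOR_CATALOG.get(domain, f"UNKNOWN:{domain}")
        s = summary[vendor]
        s["users"].add(r["user"])
        s["hosts"].add(r["host"])
        s["bytes_out"] += r["bytes_out"]
    return summary


def find_shadow_it(records: list[dict], sanctioned=IT_SANCTIONED, idp=IDP_INTEGRATED) -> dict:
    """Return vendors failing either check, with the reason(s) and supporting evidence."""
    findings = {}
    for vendor, s in summarize_by_vendor(records).items():
        reasons = []
        if vendor not in sanctioned:
            reasons.append("not IT-sanctioned")
        if vendor not in idp:
            reasons.append("not federated through IdP")
        if reasons:
            findings[vendor] = {
                "reasons": reasons,
                "users": sorted(s["users"]),
                "hosts": sorted(s["hosts"]),
                "bytes_out": s["bytes_out"],
            }
    return findings


if __name__ == "__main__":
    for vendor, f in find_shadow_it(parse_proxy_log(PROXY_LOG)).items():
        print(f"{vendor}: {', '.join(f['reasons'])}; users={f['users']}; bytes_out={f['bytes_out']}")
```

Two things worth noticing when running it: "Cloud Drive" is on the contract list but not in the IdP, so it is flagged only for the access gap (a contract with no SSO is exactly the account-removal/legal-hold problem the post mentions), while the analytics vendor fails both checks. In practice the catalogue comes from the CASB or proxy vendor and the two allow-lists from procurement and the IdP's application inventory, not from hand-written dictionaries.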
Tough one. We try to have a good/strong relationship with our business partners by having our stakeholder manager organization be deeply embedded within the business. This usually solves the problem proactively because they’re aware of their issues, plans, etc. That is our preventive control point :). Our detective control point is procurement not allowing software purchasing without IT being in the approval chain.