“Who knows what evil lurks in the hearts of men?
Only the Shadow knows!”
That is the intro to the iconic 1930s radio show “The Shadow,” which featured a crime-fighting vigilante with psychic powers. But it could also relate to the use of shadow IT in today’s government.
IT managers are on high alert following the data breach at the Office of Personnel Management, and the use of shadow IT — roughly defined as employee use of nonapproved computer applications for work — presents an inherent security risk.
But talk to CIOs like Joe Paiva of the International Trade Administration, and it turns out “the Shadow knows” what applications employees want to use.
“I figure out what applications 80 to 90 percent of employees use and then drive the rest of the organization to them,” Paiva says. “Trying to block these applications is silly. You’ll wind up blocking the best ones.”
Incorporating Application Management into Shadow IT
The use of shadow IT has grown in recent years along with the number of available consumer applications on the Internet. Employees become accustomed to using certain applications in their personal life and then bring them into the workplace, feeling they are easier to use than what the organization provides.
These unapproved applications create additional vulnerabilities that can be used to gain access to federal information. The key for federal IT managers is to balance this need for new applications with security.
Paiva says stopping shadow IT can be self-defeating. He argues that the staff knows which Software as a Service applications — approved or not — work best for a task.
“Does it make sense to block Gmail or iCloud and drive people to use some small, foreign competitor we’ve never heard of and nobody tracks?” Paiva asks.
Paiva plans to implement Microsoft’s Enterprise Mobility Suite to track what applications people use on their mobile devices. The information collected will be used to work with best-of-breed independent software vendors to help them become compliant with the Federal Risk and Authorization Management Program, a governmentwide initiative that standardizes the security requirements for cloud computing products and services.
“FedRAMP gives us a wedge to help drive industry toward adherence to federal security standards,” Paiva says.
Kirit Amin, CIO at the International Trade Commission, also leverages FedRAMP to usher in applications. He says shadow IT is rarely an issue because his agency is small and all purchases must go through his office.
“If I have a business unit that wants a unique application, I work with them to purchase the product through FedRAMP,” Amin says. “I had more of an issue with shadow IT when I worked at the State Department or the Department of Commerce, but for the most part I’m able to work it out with the business units at the ITC.”
Amin says with the expansion of FedRAMP, federal agencies now have more than 40 cloud applications to choose from — a number that seemingly grows each week.
Shadow IT’s Root Cause
George Jakabcin, CIO at the Treasury Inspector General for Tax Administration (TIGTA), says shadow IT exists because there’s a perception that the IT staff does not deliver the tools employees need.
Jakabcin says TIGTA, which conducts investigations on waste, fraud and abuse at the IRS, set up a change management board where department managers can discuss their needs with him and other IT managers.
“We take a step back and find out what business problem they want to solve,” Jakabcin says.
Jakabcin and his team of 50 support about 800 staff across 70 locations. He says the issues raised at these meetings are not always about cloud applications, but the core technology people use to do their jobs. For example, TIGTA employees recently used five different text editors and six audio/video editors to do investigations.
“We sat down with everyone and realized that we didn’t need that many devices,” he says. “We now have it down to two devices for each category. It’s now much more effective and efficient for us to support the user.”
IT leaders have shown there are ways to identify shadow IT and get those technologies to work within the system, whether it’s through mobile device management, a change management board or other options.
In the end, it makes more sense to improve communication than to have the majority of an agency’s staff working in the shadows.