May 11 2020

Shadow IT Provides Clues to the Tech That Federal Workers Really Need

Unapproved apps and devices can become a part of an agency’s workflow if they turn out to be necessary.

Unsanctioned “shadow” IT is a common nuisance at many federal agencies, but some have found that it’s better to take those illicit downloads as a sign that employees are missing the tech they actually need to do their work.

Shadow IT — anything a user downloads to a work computer on their own without clearance from the agency — is rarely malicious. Common unauthorized apps include Spotify, Box and similar familiar entertainment or office collaboration tools.

In other instances, departments may not realize that connected devices such as HVAC systems hook up to their work network and must also be managed by IT.

At the Nuclear Regulatory Commission, IT leaders understand the complexities of shadow IT and are taking a multifaceted approach to control it. The agency bans unpermitted downloads, but users still successfully circumvent measures in place to block them. The NRC’s strategy is to strike a balance between the wants of its users and the need for IT governance, standardization, cost control and security risk management. “We are focused on the customer experience,” says CIO David Nelson. “We work with them on what the solution is. It’s got to be a partnership.”

Nelson’s office has developed an approval process that allows users to request new technologies: when a need for new IT is discovered, users submit the technology for approval, and the IT team considers it.


Why Shadow IT Has Its Uses

Shadow IT has grown rapidly during the past decade, particularly with the increased availability of cloud services. The use of this unsanctioned technology, however, introduces security risks and makes agencies more susceptible to data leaks.

The use of unauthorized software can also increase IT spending unnecessarily if different parts of an organization use duplicate technologies without telling one another. It can also disrupt business continuity efforts; if the IT staff doesn’t know about applications, they can’t be properly backed up.

Federal agencies continually monitor network traffic to root out shadow IT. But rather than just saying no to users, some IT leaders, including those at NRC and the State Department, are encouraging users to suggest new technologies and have created pathways for them to gain approval for the apps or devices they want or need to use.

It’s an opportunity to educate users on shadow IT risks — and the responsibility that individual workers have in the agency’s overall security posture.

“It’s creating an ongoing dialogue with users and their participation in the process,” says Frank Dickson, IDC’s program vice president of cybersecurity products. “They are using unsanctioned applications for a reason. There’s a value and need that’s not being satisfied by IT. 

“The iterative process of discovery, figuring out why they are used and creating alternatives to reduce and eliminate shadow IT is a healthy conversation.”

To Block or Not to Block an App?

The Federal Information Technology Acquisition Reform Act (FITARA) gives agencies more of an incentive to manage shadow IT; to do well on the federal IT scorecard, agency CIOs must be in charge of the entire IT portfolio with oversight on budgets and prioritizing needs, Nelson says. In the past, each NRC program office managed its own IT budget.

“We do have a transparent process,” he says. “We allow our different missions or programs to participate in parts of the governance, but in the end, I make the decisions on what investments we make.”

The NRC uses numerous security tools to detect and prevent shadow IT, including endpoint security software on desktop computers, says Michael Lidell, NRC’s senior IT specialist in the security operations branch. Network monitoring tools detect unauthorized devices on the network and automatically assign them to the guest network.

At the internet layer, the agency uses application-aware firewalls and web proxies so that it can monitor cloud usage, he says.

Lidell’s team discovers and removes shadow IT every week, but it’s not always a cut-and-dried decision, he says. For example, NRC uses one particular cloud file-sharing service, but he sees employees using different ones because they share files with external business partners that have standardized on other services. The use cases determined to be business-related are permitted to continue.

“We think we should block that, but when we look at it further, they are collaborating with other agency partners,” Lidell says.
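The proxy-based discovery and triage described above, as a small script added here for illustration (not code from the NRC or the article): it walks constructed web-proxy log lines, skips the sanctioned file-sharing host, and aggregates unsanctioned cloud-app use per user so that file-sharing hits are queued for review rather than blocked outright, since they may be legitimate collaboration with external partners. The log format, host names and the sanctioned service are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample web-proxy log lines (not real agency data).
SAMPLE_LOG = """\
2020-05-11T09:12:03Z user=alice dst=files.sanctioned-share.example method=PUT bytes=524288
2020-05-11T09:14:41Z user=bob dst=box.com method=PUT bytes=1048576
2020-05-11T09:15:02Z user=bob dst=box.com method=PUT bytes=2097152
2020-05-11T09:20:19Z user=carol dst=open.spotify.com method=GET bytes=8192
2020-05-11T09:31:55Z user=dave dst=drive.google.com method=GET bytes=4096
"""

# Hypothetical sanctioned file-sharing host and a small cloud-app catalogue.
SANCTIONED = {"files.sanctioned-share.example"}
CLOUD_CATEGORY = {"box.com": "file-sharing", "drive.google.com": "file-sharing",
                  "open.spotify.com": "entertainment"}
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
                     r"method=(?P<method>\S+) bytes=(?P<bytes>\d+)$")


def parse_line(line):
    """Parse one proxy record; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), bytes=int(m["bytes"])) if m else None


def triage(log_text):
    """Aggregate unsanctioned cloud-app use per (user, destination) and
    attach a disposition: review for file-sharing, block candidate otherwise."""
    findings = defaultdict(lambda: {"category": None, "hits": 0,
                                    "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] in SANCTIONED:
            continue  # unparseable line or approved service: nothing to triage
        category = CLOUD_CATEGORY.get(rec["dst"])
        if category is None:
            continue  # not a catalogued cloud app
        f = findings[(rec["user"], rec["dst"])]
        f["category"] = category
        f["hits"] += 1
        if rec["method"] in ("PUT", "POST"):  # data leaving the agency network
            f["uploads"] += 1
            f["bytes_out"] += rec["bytes"]
    for f in findings.values():
        f["disposition"] = ("review: possible external collaboration"
                            if f["category"] == "file-sharing" else "block candidate")
    return dict(findings)
```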

The CIO office wants to work with users to meet their needs, so it encourages users to come forward with their technology requests, says Cris Brown, NRC’s deputy CISO and chief of cybersecurity oversight.

“We do have a process where people can say, ‘I have this business need,’ and what we do is triage it and determine whether we have an existing tool to meet that need, and we offer that up,” she says. “And if we don’t, we take a look at what would be a good solution for the enterprise, and we pursue that.”


The goal is to standardize on an enterprisewide solution that everyone at the agency can use, which controls costs and improves cybersecurity, says John Moses, director of NRC’s governance and enterprise management services division. They test products and include users in the process.

“We are building relationships with partners across our mission, regional and fellow corporate offices and work with them to identify new solutions,” he says.


State Department Streamlines Its IT Governance

The State Department doesn’t completely view shadow IT as a negative. IT leaders within the State Department’s bureaus and offices deploying it are simply trying to solve a need, says Gerald Caron, the department’s director of enterprise network management.

“A lot of shadow IT is good solutions,” he says. “The bureaus are focused on delivering on their mission and trying to accommodate their users’ requirements.”

But it’s important to know what is on the network, so the enterprise IT organization can ensure applications and hardware meet governance and security requirements and that the department is running as efficiently as possible and not duplicating efforts, Caron says.

The State Department is working to streamline its governance process to make the entire process faster and easier.

Since becoming State Department CIO a year ago, Stuart McGuigan has been creating more oversight by launching a governance group made up of IT leaders across the department’s bureaus and offices. It not only allows the enterprise IT group to better understand each mission and find ways to better support it; it’s also a way to get a handle on shadow IT, Caron says.

Figure (statistic not reproduced in this text): the percentage of employees who use shadow IT for communication/collaboration. Source: Entrust, “The Upside of Shadow IT: The Entrust Datacard Shadow IT Report 2019,” October 2019.

“He’s federating the governance, so there’s closer monitoring, more transparency and understanding of what everyone is doing in IT,” Caron says.

The department deploys several tools to discover shadow IT, including a continuous monitoring tool that identifies and reports IT risks.

Caron manages the network infrastructure, including Active Directory and firewalls. So by the very nature of his job, he comes across shadow IT when bureaus request a change on the enterprise network to accommodate an application.

“Central IT may not be aware of it, and governance may not be properly where it should be in terms of security and data use,” he says. “We will raise a flag on it, and it will be reviewed. We make sure it has the proper controls in place before we make the change.”

The State Department’s Change Control Board, which includes cybersecurity staff, must give applications proper approvals, he says. 


Naval War College Turns to VDI

The U.S. Naval War College also tackles shadow IT with a multipronged approach. The educational institution, which is part of the Navy, uses virtual desktop infrastructure and network policies to prevent users from installing unauthorized applications or accessing unapproved ones, but it also offers an avenue for users to gain approval for software they need.

“We deal with shadow IT up front. Users do not have administrative privileges to install applications, and everything is locked down per regulations and centrally controlled,” says CIO Joe Pangborn.

The college in Newport, R.I., standardized on VDI as a desktop replacement nearly five years ago and has deployed 1,500 zero-client devices with no operating system, memory or storage. Windows OS, applications (such as Microsoft Office) and data are all housed centrally in the college’s data center.

The IT staff has built standardized virtual desktop images in order to manage patching and maintenance requirements. The IT staff enforces a least-privilege policy on Active Directory, preventing users from installing apps when they’re logged in. The college also blocks some Navy-disapproved cloud applications as directed. Students who use their own devices can only connect to the guest network.

The Naval War College works with faculty and staff who need new applications, however. Users can make a proposal to the college’s Configuration Control Board, a group of IT and security professionals on campus. When users make a request, the board considers the potential security impacts, Pangborn says.

“We try to work toward a ‘yes,’ by engineering mitigation factors and other security mechanisms into a particular request, but occasionally it’s a ‘no,’” he says.

Once approved, the IT staff goes through a procurement process and makes sure applications are not duplicative, are reasonably priced and can be integrated into the IT infrastructure.

“We tell folks, ‘Don’t bring us a solution. Bring us the problem and we will work with you to identify a solution, and that way we can integrate it into our architecture and security environment,’” Pangborn says.

