Shadow IT: how to reduce it with automation
In this article, we will talk about the Shadow IT, i.e. the problems related to the relationship between users and technology, trying to find an answer. Our Sales & Marketing Director, Simone Zanotti, is interviewed by RADIO IT.
In a previous article, Simone talked about the “Sheep on the hill” and he started also talking about the phenomenon of Shadow IT. Today we will deepen both these topics, related to each other, and explain how Shadow IT can be reduced thanks to automation.
Simone Zanotti: Shadow IT is a trend carried forward in recent years, especially in big and structured companies, when users try to solve IT needs and problems by themselves, finding solutions in the software and applications market. This happens when users feel they are not receiving a satisfactory service from the corporate IT. So, Shadow IT is a real escape of users from the services and infrastructures that a corporate IT should provide to them, respecting the operation, service level agreement performance and data confidentiality policies.
The spread of Shadow IT has certainly been higher in recent years, just think of all companies who release their applications in a Software-as-Service mode to anyone who needs it. Users therefore escape from any rule imposed by the IT department of a company, which wants to preserve the integrity and correctness of the data, which in this way is instead endangered.
RADIO IT: How does Shadow IT relate with having innovative cloud-based systems and a highly automated infrastructure, topics covered in previous article? What is the connection between the “Shadow IT” and these topics?
And more generally, how does it connect when we talk about technologies in which the delegation of certain activities to users is one of the cornerstones?
Simone Zanotti: These topics are related because the internal IT should meet the needs of its users, before they turn to the outside, and it should avoid creating leaks, which are also the most dangerous. Equipping a company with the tools to face external hacker attacks, which are in some way predictable, is easier than facing accidental data losses, due to the fact that users have solved their problems using external services.
So, a good IT department should adopt technologies that satisfy users, increase the attractiveness and also its reputation towards its users. In this way, users will no longer have any motivation to seek solutions to their problems externally.
RADIO IT: in this way it is possible either to eliminate in the bud or to greatly reduce the effects of Shadow IT. However, it is noted that many companies have not yet gained the experience and skills necessary for the implementation of these technologies and of these highly automated infrastructures. So, what is the fundamental next step to take?
Simone Zanotti: In this case, the choice of the correct technological partner becomes fundamental.
The partner should know, for each technological purpose, the provision of a particular service in cloud format. Then, it should know what all the possible alternatives on the market are, both for commercial software, or, as in the case of E4, for open-source software (which have to be then integrated or optimized). Choosing the right partner also helps prevent attacks.
There was a very recent case, an American player who created successful software for the management of networks and systems, which contained the vulnerability, and was exploited extensively by various groups of hackers that therefore created great damage to all the companies and governments that had adopted it.
For this reason, the choice of a partner who knows how to guide the company in choosing the right software and technologies to use for its services becomes very important.
RADIO IT: The episode we are talking about concerns the SolarWinds company, in Dec 2020, it found itself to be the main entry point for hackers into a very complex system. According to experts, it could take months to understand the depth of action of this attack. Even years to understand the extent of all the computer systems affected. This episode also has geopolitical implications, in fact the information collected says that the Russian Intelligence Service SWR. The target was not a company but the United States, where several government agencies and hundreds of private companies were hit.
The point is that hundreds of companies around the world were involved in the action, in short it was an attack on the supply chain, on the suppliers of the American public apparatus. The hackers gained access to the Orion update system, the SolarWinds software, and in this way, at the first available update, they installed a backdoor inside the Solarwinds client companies, entering systems without the companies noticing.
But how do you avoid such situations?
Simone Zanotti: To avoid cases like this, a commonsense rule is that by adopting open-source technologies, the quality of the open-source code and the possibility of being able to consult it, avoids the problem of bringing vulnerabilities or even malevolent code into your company.
RADIO IT: So, the highly automated infrastructures are not to be considered valid only in relation to production efficiency but also for safety reasons? Of course, a lot also depends on how these infrastructures are implemented.
Simone Zanotti That’s right, highly automated infrastructures can become, even indirectly, a tool to have greater security, to avoid attacks or leaks unintentionally opened by a third-party supplier.
These infrastructures have many cascading advantages. The repetitive and low-level operations are automated, allowing IT experts to free up a lot of time.
In this environment, the initial phase of tuning and configuration becomes very important and must be very precise. Once this part has been established, it remains fixed, also eliminating the possibility of human error (that could exist even in repetitive activities).
Recapping, automation allows to:
– Eliminate human error;
– Reduce the workload of IT specialists, due to repetitive, trivial and time consuming operations
– Specialists can thus devote themselves to important tasks such as the improvement and evolution of the infrastructure itself and the services provided
– This leads to a reduction in Shadow IT and prevents its emergence
RADIO IT: What about security?
Simone Zanotti: With regard to the specific issue of security, bringing the automation of an infrastructure to a high level means protecting yourself from threats. If an architecture is defined within the “security by design”, all the most trivial, but common, causes that are the attack points of a hacker will be removed.
Therefore, it is also important to set up an extreme granularity in the permissions and accesses allowed to users. These accesses are implemented at the beginning and are managed hierarchically. A good degree of freedom is given to users, who become “sheeps on the hill”, but it is the IT that defines the limit within which they can move. For these operations, new technologies come in handy such as container systems or infrastructure management in micro operating systems that are immutable.
So instead of providing a service from a virtual machine or from a server, which is composed of a certain number of software components and libraries (all possible access points for a hacker), this kind of architecture delivers micro services based on containers: in each container run only the components necessary for my service.
The security components can be made completely defined, so the most vulnerable part of my architecture is immutable over time, while the variable part of the data is stored in an external storage volume, obtaining the “security by design” of the entire architecture.