I touched on the problem of Shadow IT in the expanding world of IoT in a previous blog, A Security Fabric for IoT. But there is another ecosystem of applications and hardware besides IoT devices to manage in the realm of Shadow IT. From the old days of departments buying off-the-shelf (OTS) packaged software for special projects to today’s bring-your-own-device (BYOD) practices, organizations struggle with unvetted and unauthorized information technology accessing sensitive personal and business data. IT SecOps deploys a wide range of security processes to gain some control over these proliferating endpoints in enterprise networks—often with limited success. The proof of that, unfortunately, is in the growing number of successful malware infections and data breaches that use these unregulated endpoints as gateways to the network crown jewels.

Cisco recognizes that security is foundational to the network itself. When you apply identity and security policies consistently throughout the network fabric, Shadow IT devices and applications become part of the managed ecosystem, and not outliers operating under their own security parameters. So when the Finance department, for example, decides to purchase and use only iPad tablets to access SaaS financial applications, only iPads tagged as part of the “Finance” network have access to the apps. Meanwhile, HR’s Surface tablets are assigned policies to send and receive data from SaaS HR apps, not financial data. These policies enforce network intentions.

Policies are codified network intentions that manage and automatically configure access privileges for devices and their associated applications. By assigning policies at the device level, or groups of devices, the network automatically adapts to changes, such as location, ownership, and signs of infection. Let’s look at how intent-based networking simplifies the management of Shadow IT devices and applications—and everything else.

Detecting and Identifying Shadow IT Devices

Control of Shadow IT begins with locating and identifying devices and applications as they connect to the network. Cisco Identity Services Engine (ISE) scans the network, cataloging in DNA Center all devices or services operating on the wireless and wired network segments. ISE automatically tags rogue devices with policies that limit their access and connectivity until their legitimacy is verified and appropriate security policies applied. In essence, ISE prevents Shadow IT from accessing sensitive data sources without the knowledge of IT.

Providing Persistent Security with Software-Defined Segmentation

After Shadow IT devices are identified and tagged by ISE and cataloged in DNA Center, the concept of micro-segmentation comes into play with Cisco SD-Access. The goal is to apply policies to devices that follow them around the network—campus, wireless, WAN, mobile—virtually segmenting them according to the defined network intentions. The security for any device is therefore persistent, no matter where the device may roam.

For example, the tablets purchased by the finance department can join the network anywhere in a wireless campus environment, yet are constrained to specific data sources to which they can connect. The policies attached to tablets in a virtual segment can also maintain a higher quality of service with priority for traffic to the SaaS financial applications, versus a lower level of service for streaming video from the internet. Devices that have internet exposure are monitored for malware, with policies that automatically isolate an infected device from the rest of the network. This capability is especially critical with Shadow IT devices which may not have up-to-date security patches.

Cisco provides several technologies to manage virtual software-defined segmentation, all working under the umbrella of DNA Center. Tagging individual devices or groups of devices to create software-defined segments with security policies is automated with Cisco TrustSec, which works in conjunction with ISE. A department’s Shadow IT devices can be tagged as one group and security policies applied consistently no matter where a device connects to the network. Security tagging plays a critical role in compliance too, by ensuring, for example, that payment card data touches only specific groups of devices. Cisco Stealthwatch is a third component, working with ISE and TrustSec, that is critical to managing Shadow IT. Once devices are cordoned into software-defined segments, Stealthwatch monitors their health to detect infections such as zero-day malware or ransomware and quarantines the offending devices and connections.
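The tag-bound enforcement described in this section, as a small added Python model (not Cisco ISE, TrustSec or Stealthwatch code): an unverified device gets a restricted default tag, the Finance and HR tags are checked against a deny-by-default matrix regardless of where the device attaches, and an infection signal re-tags the device into quarantine. Group tags, resource names and the policy matrix are constructed examples.

```python
from dataclasses import dataclass

UNVERIFIED = "Unverified"   # default tag for a newly seen (shadow) device
QUARANTINE = "Quarantine"   # tag applied when monitoring flags an infection

# Allow-list keyed by (device group tag, resource tag). Every pair not listed
# is denied, so this matrix is the codified network intent. Constructed values.
POLICY = {
    ("Finance", "SaaS-Finance"): True,
    ("Finance", "Internet"): True,
    ("HR", "SaaS-HR"): True,
    ("HR", "Internet"): True,
    (UNVERIFIED, "Onboarding-Portal"): True,
    (QUARANTINE, "Remediation"): True,
}

@dataclass
class Device:
    name: str
    group: str = UNVERIFIED   # policy is bound to this tag, not to a port or subnet
    location: str = "campus"  # where the device is attached; must not affect verdicts

def onboard(name: str, verified_group: str = UNVERIFIED) -> Device:
    """A new device keeps the restricted default tag until IT verifies it."""
    return Device(name, verified_group)

def move(device: Device, location: str) -> Device:
    """Simulate the device roaming to another attachment point."""
    device.location = location
    return device

def mark_infected(device: Device) -> Device:
    """Re-tag on an infection signal; the tag travels with the device, so every
    enforcement point it attaches through applies the quarantine policy."""
    device.group = QUARANTINE
    return device

def access_allowed(device: Device, resource: str) -> bool:
    # Deliberately ignores device.location: same verdict anywhere the device roams.
    return POLICY.get((device.group, resource), False)

def evaluate_flows(devices, flows):
    """flows: list of (device name, resource tag). Returns one verdict per flow."""
    by_name = {d.name: d for d in devices}
    return [(name, res, access_allowed(by_name[name], res)) for name, res in flows]

if __name__ == "__main__":
    ipad, surface, rogue = onboard("fin-ipad-01", "Finance"), onboard("hr-surface-01", "HR"), onboard("unknown-tablet")
    flows = [("fin-ipad-01", "SaaS-Finance"), ("fin-ipad-01", "SaaS-HR"),
             ("hr-surface-01", "SaaS-HR"), ("unknown-tablet", "SaaS-Finance")]
    for verdict in evaluate_flows([ipad, surface, rogue], flows):
        print(verdict)
```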

Managing Shadow IT in the Multi-Cloud

The growing use of public and hybrid clouds is another reason to better manage Shadow IT. Recent IT surveys show that the average organization uses over 1,427 different cloud services. When a department decides to use a file-sharing platform, subscribe to a SaaS CRM application, or run apps on AWS, it does so to improve efficiency and ease of use. Doing so, of course, opens up connections between sensitive enterprise data and third-party clouds, the security of which is beyond SecOps’ immediate control. With the capability to apply security and access policies, an intent-based network plays a critical role in controlling data inside and outside the enterprise.

For enterprises that have multi-cloud projects—whether officially condoned or emerging from the shadows—the Cisco DNA Center open cloud management platform provides granular control of how devices connect to cloud resources and defines how data flows among data center, public and private clouds, and SaaS platforms. Assigning traffic segmentation policies for public and private clouds creates end-to-end segregation with device and application-aware topologies that select the best paths to achieve desired SLAs and optimum application experience for both sanctioned and shadow technology.

Take Back Control by Integrating Shadow IT into the Network Ecosystem

Shadow IT projects will continue to take root and proliferate throughout enterprise networks. With the ubiquitous availability of cloud apps, mobile devices, and freemium services, employees will find ways to make their work life more efficient, easier, and indeed fun. Instead of fighting rogue devices and applications, IT can exert control over shadow IT by integrating the devices and services into the network ecosystem. With intent-based networking, IT can automate the application of policies to keep data secure while expanding the choices of devices and applications that employees and departments can use.


Anand Oswal

No Longer with Cisco