Shadow IT in the Public Sector: Chasing your shadow


With the proliferation of the cloud, BYOD and the consumerisation of IT has come an increased understanding of technology that lies outside of the IT department. Now it seems everyone’s an expert. This in turn has resulted in users provisioning technology to meet short-term needs without any thought for the buying process or, indeed, the assurances required to ensure that data, systems and people remain secure. Self-provisioning of IT, or shadow IT as it has become known, has taken control out of the IT department and placed it in the hands of the user.

While there are some who feel that ‘shadow IT’ is beneficial in certain circumstances, in the public sector it remains a security threat. It also goes against government strategy, which has a clearly defined mandate for data sharing, collaboration and so on. Despite strict security policies, users are still self-provisioning applications and solutions without thought to assurance. In fact it’s the formal accreditation process for assurance that is, in some ways, causing the rise in shadow IT.

Over time the public sector found itself the holder of more and more critical data. As a result (and in reaction to a number of user-based security breaches) it developed strict security assurance levels. Anyone who wanted to supply the public sector had to ensure that they were able to adhere to these levels and provide evidence to back up their claims.

Assurance levels are complex. For each public sector network and delivery mechanism there is a set of standards to be met. Take G-Cloud, for example: each supplier wishing to gain a place on the buying framework has to test its solution against 14 principles that identify how it’s accessed, controlled and so on. Once the principles are met, the service is then checked externally and finally it is accredited. This lengthy process can be prohibitive to maintaining security assurance levels. For suppliers of major, ten-year contracts, for example, it’s unlikely that they will reassess their service during the course of the contract, and indeed many are unlikely to maintain the skills required to keep all applications at the standard required.

The investment is not just on the side of the IT supplier. Public sector departments found that once they’d brought a supplier on board, it was difficult to undertake assurance with a new one when looking for smaller, incremental new applications. Rather, they look to existing assured suppliers to provide these solutions, outside of their existing contract, whether the application has been assured or not. This means that some users within the public sector are self-provisioning applications that don’t adhere to security levels and sit outside of existing contracts.

G-Cloud was supposed to support both suppliers and users by facilitating the assurance process on a regular basis. The responsibility for delivering assurance, however, lies with the supplier and not with the Government Digital Service (GDS). With 1400 suppliers on the latest iteration of G-Cloud, some delivering between 6 and 14 services each, it’s almost impossible for the GDS to check each provider. In fact it’s estimated (although not confirmed) that only 12% of G-Cloud suppliers are targeted for auditing.

So what can be done to limit the rise of shadow IT within the public sector? The first option is to decrease the cost and complexity of assurance in the first place. By doing so you’d remove a barrier that holds suppliers back from applying assurance to all the products they supply. The other option is to work with suppliers who are involved in assuring products day in, day out – whether for their own products or on behalf of other suppliers. Those who maintain those skills internally are more likely to ensure that all products reach the standards required. Users who approach them for additional needs would be placed into the standard buying framework, and solutions would be bought within contract for the right need.
