Remote Work: Managing Technology Sprawl

With remote work a reality for more employees and companies than ever before, technology has become far more critical as the glue that holds teams and businesses together. Even prior to COVID-19, remote work was a growing option. According to a 2019 study by Owl Labs, 62% of the U.S. workforce worked remotely at least part of the week. Over the past decade, remote work has quadrupled, according to a January 2020 study by GetApp.

Employees working remotely are logging in online on a wider array of platforms and devices. For example, they may be using their work-issued laptop, their personal desktop, or a tablet to complete office-related tasks and connect via either a mobile hotspot or their home WiFi. Combine this new variety with the ease of installing and setting up new software and services and IT departments face a growing challenge of technology sprawl (and its close cousin, Shadow IT). For workers, technology sprawl may feel like empowerment and autonomy; they can pick the tools they want for your team. For CISOs and CIOs, technology sprawl is a security, maintenance, and support challenge further complicated by remote work requirements.

IT asset management systems with automated discovery and data cleansing capabilities can help alleviate part of this problem. Smart policies and a good relationship with workers are also crucial ingredients to effectively managing tech sprawl. Here is some basic guidance on how IT teams can address and work with tech sprawl.

Make Sure Endpoint Detection and Response (EDR) is Installed and Required

The worst-case scenario is when a new tool, service or device accesses your networks and data with malicious intent. An essential baseline protection against this is to prevent any system that does not have EDR be allowed on your network. This is true even in cases of a Zero Trust security model. Mandatory EDR policies are even more critical in remote situations where employees cannot walk down to IT to get their laptops updated. Mandatory EDR policies also condition the organization to understand that certain protections must be in place for them to proceed to do anything on company networks and systems. Mandatory EDR is also part of most compliance processes and certifications, including SOC2. EDR may also head off technology sprawl at the pass and blunt the greatest risks by precluding unprotected devices from participating in any meaningful way. With SaaS tools, enforcing EDR is next to impossible and IT teams should recognize this from the start. That said, this is a good prompt to bias towards combined SaaS and local tools like Adobe Creative Cloud and Office365 which may require local installation for full functionality. These tools are getting better and better and are a happy hybrid.

Set Up A Clear Approval Policy for Remote Work Tools and Devices

A clear policy to help employees understand what tools are approved and how to request that new tools be approved by IT is essential to getting employee buy-in. IT teams are there to facilitate work, including remote work -- not stop it. For adding new devices, make it clear what needs to be installed on these devices and how they can be used. (BYOD has made this challenging, naturally). When a critical mass of workers says they need a new tool, it is almost always a good idea for IT to explore whether onboarding that tool is possible. Some teams may want to use Sketch for design while others may want to use Figma. Some DevOps teams may use Jenkins while others use Ansible or Puppet or Chef. A good IT team can direct the process and create clear rules that mandate a minimum of demand (e.g. - at least 10 potential users or at least two teams) to kick off exploration and potential adoption. In tightly regulated industries, employees understand that adding new tools and devices may require more oversight and approval. Always assume your employees are smart enough to understand the challenges you face but give them clear guidance and a clear process on how to ask for new things.

Acknowledge Reality and Construct Solutions to the Most Obvious Remote Work Conflicts

Rather than make impossible asks like “Don’t send personal emails from your work laptop”, set up conditions where it is easier for them to do so without violating compliance. Perhaps allow them to use cloud-based email services but block the use of attachments (to give one example). Or set up browser policies so that personal email must be opened in a different user profile on the machine. Only in the most strictly regulated industries can Draconian mandates on usage be enforced, so the alternative and far more successful path is to acknowledge common use cases that compromise basic compliance and find a way to solve that conflict that still works for employees.

Closely Monitor Services and Systems on Your Networks

This is mandatory and part of a “Trust but Verify” approach to technology sprawl. Cloud Service Brokers like Skyhigh Networks and Netskope can and should be deployed to help IT understand what services are in use. Likewise, network scans for connected devices are a basic part of security and should be expected. Rogue elements appearing on your networks should be treated as potential security breaches. Employees should understand this part of basic security hygiene and that if they elect not to keep IT in the loop, then they force the security team to treat their productivity apps or any other deviation with greater suspicion. To be clear, security and IT teams need to be smart about this and prioritize tech sprawl violations within the greater scheme of problems they must deal with. Badgering an internal team about using unauthorized AWS accounts for development is a lot less critical than ensuring that sanctioned S3 buckets holding key shared JavaScript elements deployed to public-facing web properties are fully secured with a WAF.

Choose a Unified ITAM with Agent-less Unified Autodiscovery

Your ITAM should be your single source of truth for your IT estate. This includes devices, software, SaaS, and cloud / hybrid infrastructure. The only way for this to work, at scale, is if one system automatically pulls in all asset information across these silos, cleans the data to create a single validated view, and constantly polls these sources to create an accurate audit of all attached and accessed systems and software. Asking an IT team to comb through multiple siloed systems and clean the data can suck up a big portion of their time each quarter. Manual methods preclude real-time discovery, an increasingly crucial attribute in an era when the window from vulnerability to attack has shrunk substantially.

Autodiscovery and creating a single, accurate database also enables a frequently updated and automatically verified interface for teams to monitor remote work technology sprawl as part of ongoing operations without requiring additional headcount. In fact, when properly run, an ITAM with automated unified discovery can forecast how IT can get ahead of technology sprawl by identifying usage patterns and highlighting trends that point towards employee needs. This is the crux of the matter: the most effective way to deal with technology sprawl in a remote workforce is to see the future before it happens, anticipate employee needs, and make them feel awesome that you are paying attention. Aside from making employees happy and making IT teams look like rockstars, this results in better security, compliance, and productivity for remote teams in an era where “remote first” is the default setting.