carloscastilla - Fotolia
Published: 16 Feb 2017
Increasingly, corporate end users circumvent IT to deploy and maintain their own cloud-based software and services. The trend, termed shadow IT, is the result of a technologically savvy workforce unwilling to settle for sub-par application performance, device incompatibility or inadequate application features. For IT departments, the challenge is to better understand the draw of shadow IT and how best to provide tools that satisfy workers' appetite for productivity and performance. In the process, it will also mean jettisoning some traditional IT approaches.
Shadow IT risks in the enterprise
It's generally accepted that shadow IT is widespread across corporate environments and poses a number of hidden costs. According to Gartner, by 2020, one third of successful cyberattacks experienced by enterprises will be on their shadow IT resources. IT teams are at a distinct disadvantage when it comes to securing unsanctioned cloud services. For example, without clear IT oversight of service-level agreements, business data stored outside of a company's firewalls could be vulnerable in transit or at rest --with costly repercussions.
In addition, when lacking knowledge of new application adoption, IT departments are unable to screen for security risks or enforce the right procedures for software use. Moreover, the increased number of vulnerable access points can lead to expensive data breaches and costly malware infiltrations, threatening an entire organization.
There are also cost-related shadow IT risks. Individual cloud licenses purchased by end users with a corporate credit card are vastly more expensive than bulk, group-based services. These fees can quickly add up. In addition, since shadow IT happens in the dark, multiple departments could be wasting money through exclusive licensing that's essentially hidden from management, other departments and IT oversight.
Compliancy and regulations, particularly in finance and healthcare, represent critical areas where bypassing established protocols could harm a company. For example, in certain situations, using a fast yet unsecured FTP app would offer a quick way to relay data, but it could open up potential for a significant breach. During a crisis, a rogue implementation will leave IT teams scrambling to address myriad technical, governance and security issues.
Are there benefits to shadow IT?
Increasingly, organizations recognize the importance of adopting digital services and innovative technologies to gain a competitive edge, from mobile apps and cloud services to the internet of things. So, despite shadow IT risks, there are some potential benefits.
For example, many companies face the hurdle of convincing resistant members of their workforce to adopt new technologies. Proactive end users who already engage in shadow IT are clearly committed to embracing cloud computing innovations. They understand the clear advantage of using cloud tools.
In addition, shadow IT helps to vastly reduce the typical yearlong requirement cycles of department-managed software services. Gone are the traditional, time-consuming processes of budget requests, assigning an IT resource, spinning up new machines and installing software.
J.R. Santosexecutive vice president of global research at CSA
To more effectively incorporate and safeguard the adoption process, IT or security team members should be assigned to specific business units where they can learn about business needs. That's the approach encouraged by the Cloud Security Alliance (CSA), a nonprofit organization that promotes best practices.
"I see shadow IT as an opportunity to educate the IT, security and compliance teams," said J.R. Santos, executive vice president of global research at CSA. "By better understanding that process, IT can provide solutions that really meet end users' needs while also fulfilling compliance and security standards or internal IT policies," he said.
For most companies, the value of instantly scalable resources and cloud-accessible data is clear. Capitalizing on pre-existing shadow IT deployments offers one way to achieve those goals and helps to speed the trend toward increased digital enablement. To make seamless cloud adoption possible, however, IT must become both an enabling force as well as a consensus builder around organization-wide cloud use.
Embracing and managing shadow IT
Infrastructure tools can provide both visibility and optimization of cloud resources to monitor shadow IT in a comprehensive way. CloudHealth, for example, employs a combination of automated governance and budget monitoring to track cloud-based resources. The platform, from Boston-based CloudHealth Technologies, offers a set of dynamic policies to govern cloud usage and to ensure security.
"What we're seeing is a shift of IT departments to becoming more of a group for setting up policies that make sense. Then, they apply those policies and rules through a tool that everyone has access to," said Adam Abrevaya, vice president of engineering at CloudHealth Technologies.
It's become increasingly clear that battling shadow IT is costly -- and likely futile. What's more, it puts companies at a disadvantage. Instead of a laser focus on improving business processes, an already overburdened IT staff must contend with restricting cloud use instead of enabling end users. By contrast, once IT leaves behind its earlier role as simply a selector and purchaser of workplace technology, it can more efficiently support cloud computing innovations and help companies move toward increased digital services.
By putting the needs of users first, while clearly communicating shadow IT risks, administrators and their teams can attempt to manage shadow IT. Moreover, having in place an informed cloud strategy recognizes that cloud computing is fast becoming the new default model for purchasing and consuming IT services. Forging partnerships between IT and employees will help to create a culture of acceptance and protection.
In the process, IT can take on its true role as a broker for improved innovation and technologies that more effectively support an organization's business goals.
Bring shadow IT into the light
Minimize shadow IT risks with a security strategy
Why identity-based security fits the cloud
- A Computer Weekly Buyer's Guide to Public Cloud –ComputerWeekly.com
- CloudCheckr is the Engine Driving Cloud Governance at Siemens –Cloudcheckr
- CloudCheckr for Microsoft Azure –Cloudcheckr
- Symantec Guide to Operationalizing a Cloud Governance Strategy –Symantec