If you don't think your organization has a shadow IT problem, you're in denial. And even if you think you know...
the extent of it, you won't be able to curb it with cloud security tools alone.
That's the message from IT pros who have uncovered nests of shadow IT within their companies and from vendors that sell cloud security tools.
Shadow IT in this context refers to cloud services deployed by end users within an organization without help or approval from corporate IT. The problem has become endemic to businesses, according to a survey of 133 IT pros conducted in December by cloud consultancy 2nd Watch Inc.
A majority of business units within companies -- 61% -- bypass IT to access cloud services, according to the survey. Moreover, while IT departments do experience some demand to deliver cloud services to business units, the 74% of respondents providing them are delivering only 37% of the total services the organizations uses.
Cloud security tools only go so far
Cloud security tools can come in handy for uncovering the use of services that may put corporate IT security at risk -- but they are not the only solution.
"We don't want to be the bottleneck or stop innovation," said Ignacio McBeatch, manager of operations for a financial services firm in New York. "But at the same time, we want to make sure there are enterprise-class services being used and security policies are being used."
McBeatch brought in products from Skyhigh Networks, a cloud security software provider based in Cupertino, Calif., to assess how many services were being used without IT's knowledge, and found a whopping 562 detections of unauthorized services.
We thought we had 17 apps in our environment … it turned out there were over 40 services in use.
Mike Kane, director of business development for Softchoice
These services included everything from personal apps, such as Gmail and Facebook, to Google Analytics, and Infrastructure as a Service offerings from Amazon Web Services, Internap Network Services Corp. and Rackspace Inc. There were "tons" of Software as a Service instances being run, McBeatch said.
Skyhigh's software suite also allows the firm to place a security framework around all services in the environment, whether or not IT curtails use completely.
Still, even experienced IT practitioners whose business is rooting out shadow IT found it a tough nut to crack with software or professional services engagements alone.
Softchoice Corp., which offers professional services to assess the presence of shadow IT within customer organizations, first turned its analytics on its own organization shortly after launching its assessment service in July 2012.
"We thought we had 17 apps in our environment, and we thought we had a pretty good idea [of what was running]," said Mike Kane, director of business development for Chicago-based Softchoice. "After we ran the assessment for two weeks, it turned out there were over 40 services in use."
Even after that assessment, which led Softchoice to bring the disparate apps into a centrally managed and secured portal, months later the company found that certain departments within the organization were still purchasing apps outside of IT's knowledge.
And it's not just carelessness or a simple desire for convenience among end users that leads to shadow IT; some cloud services vendors are also actively selling to business units that bypass corporate IT departments.
"We're able to sell larger systems to IT, but we have smaller systems where we can get smaller footprints by going around IT and working with the business units," said Rick Clarkson, vice president of product management at Signiant Inc., a file-sharing service provider based in Burlington, Mass. Slow sales cycles in IT often drive business units to look elsewhere, he added.
"We have had customers purchase our product because they've been waiting for two years for IT to deliver something," he said.
Mitigating shadow IT requires salesmanship
To get at the root of shadow IT, corporate IT must make itself more appealing to business units and beat cloud service providers at their own game.
"It's really about communication and training," said Softchoice's Kane. "In many cases, that's not really in the wheelhouse of an IT person's skill set. But that can certainly change."
Softchoice learned through its experience that it had to do a much better job of offering training on applications, and more importantly, communicating the reasons for security and compliance policies that it had put in place, Kane said.
"We also say that by bringing in these applications to our portal, you're going to have a better end-user experience," Kane said. "We want to highlight all the benefits -- we don't want it to just be a slap on the hand."
Single sign-on through a centrally secured and managed portal is one example of a feature that can be offered up to users to entice them to enlist corporate IT in deploying new apps, he said.