The tech industry, and especially info security, loves its acronyms and buzzwords: cloud, APT, IDS/WIPs, DLP, NAC, blended threats, “You name it”-as-a-Service, and the list goes on. One reason some terms stick is that there is a real-world issue and narrative behind them: the problem is real, and so the term survives. Those that are the fantasy of marketing teams tend to fade away. The term Shadow IT, sometimes called Rogue IT, is a buzzphrase that is real.
When the term Shadow IT surfaced a few years ago, it was a relatively small percentage of employees who were sidestepping corporate IT and finding their own cloud services.
Today, it’s the majority of employees who find ways to work around IT to find the applications they need. It’s something we discussed recently in the Business Insights blog Shadow IT and Educational Moments. In that post, we talked about how easy it is for employees to go find whatever services they need and the obvious security and regulatory compliance risks, as well as policy violations, that result.
The reason Shadow IT is a problem
The drivers behind the Shadow IT trend have been underway for years now and are well known: it takes forever to get servers and infrastructure provisioned in the typical enterprise, and forever and a day to get a custom application built. Meanwhile, most cloud services are accessible within minutes with a credit card. Who needs any more hassle than that when trying to get their work done?
However, when the enterprise doesn’t know where its data reside, not only is there no way to secure or even monitor it, it is also the kind of thing that keeps auditors up late into the night. And it’s not just direct security and compliance risks that are created. There are the not-so-obvious risks created in Business Continuity/Disaster Recovery (BC/DR) efforts. If IT isn’t aware of business-critical apps and that enterprise data reside on these systems, there is no way to include them in BC/DR recovery plans. When disasters or disruptions do strike, there will be many unwelcome surprises when trying to bring operations back up.
Unfortunately, those risks are not the only challenges associated with Shadow IT. There are many business costs. One problem that is coming up more and more in conversations with IT execs is that employees are turning to consumer apps to try to get enterprise-level work done. That’s a bad turn. When they reach out to these app providers with questions or need some level of support, they don’t get it. They then call IT for support, and the help desk doesn’t have a clue what application the employee is talking about, nor does it have any way to provide support. There’s a lot of productivity lost here.
There’s also the loss of enterprise pricing advantages. If employees and lines of business are acquiring software services directly, the enterprise loses its quantity pricing leverage. Do the work benefits associated with Shadow IT negate the business risk? Many times they do. So it’s important not to try to shut down Shadow IT entirely, but for enterprises to provide viable options instead.
The fact is that shadow IT users are a growing constituency in the enterprise. Today, the majority of business managers squirrel aside part of their operations budgets to buy their own software services. According to the Gigaom Research report “Shadow IT: data protection and cloud security” (funded by security vendor CipherCloud), 81 percent of line-of-business employees reported using unauthorized SaaS applications, with 38 percent choosing to use unsanctioned apps because of the IT approval process.
Managing Rogue IT out of the Shadows
While the answer to Shadow IT is relatively simple, it’s not necessarily easy. What is very clear is that the approach many IT departments take to fight these Shadow IT moves by business units simply isn’t working, and it’s probably futile to manage by policy and whip lashings. As I wrote in Shadow IT and Educational Moments, the reality is that without onerous monitoring and swift enforcement, such plans will never work. In fact, they are probably futile even with those controls in place.
The best way to solve the Shadow IT dilemma is to both find the right third-party cloud services for your employees and business partners to use and also develop competing applications in-house. It’s important to provide both options in a centralized way. And internally developed apps need to be as good as, if not better than, third-party options. If not, it’s crucial to find the best third-party options that meet the business needs and provide the security and compliance assurances you need.
This means IT needs to be enabling, not an obstruction. Make it known to business units that the IT department is available to consult on these questions, and make it easy for business departments to seek your advice. This will require some internal marketing, so that the units know of all of the IT services that are internally available, whether they be private cloud provisioning, help with virtualization efforts, a trusted cloud platform-as-a-service, or other cloud-based apps. If these offerings aren’t available internally, it’s time to turn to trusted cloud services providers.
A good option here is an app store. App stores are a proven way to provide centralized cloud services and internal custom app procurement. With an enterprise app store, employees and partners can pick and choose the apps and services they need. If what they need is not available, they should be able to easily make their needs known, and the IT and security departments can quickly find the best options available.
Will all of this eliminate Shadow IT completely? Not a chance. But it will keep the IT and security departments relevant as trusted advisors, and the app store can become the central place where users turn to first, and eventually where the vast majority of enterprise apps are procured. That will make everyone’s job easier, and bring those so-called rogue users out of the shadows.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.