Shadow IT refers to any resource or application, cloud services (SaaS, PaaS, IaaS) included, that is used inside an organization without the knowledge or approval of its IT department.
These range from productivity tools and personal applications to content that the company simply does not want on its network.
Shadow IT is incredibly pervasive and found in nearly all organizations due to the proliferation of apps, tools, and websites that purport to solve a problem or provide value.
Why do users turn to Shadow IT?
When people face a problem or need that the existing institutional structures cannot solve, or cannot solve in a reasonable amount of time and effort, human nature leads them to find a feasible solution on their own.
The story typically goes something like this:
Step 1 – a business area asks the CIO for a solution or tool to accomplish a given task, typically to optimize work activities or deliverables, with the goal of saving time and resources.
Step 2 – corporate bureaucracy steps in with rules, approvals and pre-requisites, and together these hurdles make it difficult to implement a solution quickly and at a cost the requesting area can bear.
Step 3 – the area manager still has to deliver on plan and schedule, so she needs a solution, and ... someone mentions that a colleague can build it in Access, Excel or another approved platform never intended for the problem, or ... that there is a cloud-based app that does it all for just $9.95 per month.
Step 4 – the area manager goes ahead with the unapproved app, and as long as productivity stays on target (stable or even improved), everything seems perfect.
Step 5 – one day, whoever is CIO at that time inherits yet another headache: the business now depends on an application that never passed IT clearance and that nobody in IT knows how to support.
Shadow IT is so widespread that major companies routinely have local teams who have built their own application software inside the IT landscape without the CIO knowing about it. Over time, most of these tools become business critical.
Shadow IT does not necessarily mean bad or malicious resources that will harm the IT landscape (through security exposure or otherwise), but once these applications become business critical they must be brought onto the IT roadmap to ensure their long-term viability and compliance.
How Should Organizations Deal with Shadow IT?
As for the external "menace" (cloud-based apps), companies are deploying CASBs (Cloud Access Security Brokers). A CASB works in one or both of two modes: inline, as a forward or reverse proxy (often integrated with the perimeter firewall or secure web gateway) that sees and can block traffic from the corporate network to cloud apps; and out-of-band, connecting through the providers' APIs to the cloud services the company has authorized, to inspect what is stored and shared there. Only the inline mode (or analysis of proxy and firewall logs) discovers unsanctioned apps, since the API mode can only connect to services the company already knows about.
Nevertheless, the point is that this is more a matter of human attitude than of technology.
Beyond controlling and preventing access to those resources, the company needs proper corporate policies that foster continuous improvement, where everyone is welcome to contribute and to see the results of that contribution, while still accepting the consequences of non-compliance where it occurs. The organization also needs to understand the needs of its areas and individuals and quickly find affordable solutions for them.
Companies and executives need to realize that human nature drives people toward the most effective path: when employees find an easy and effective way to overcome a critical obstacle, they will take it. The solution lies not in unplugging the resource but in supporting a compliant equivalent.
Establishing Policies Around Shadow IT
A key starting point for any organization is to map its global IT landscape according to the impact that each family, group or individual resource will potentially have on the core business.
The CIO then needs to list and classify the Shadow IT resources known to be in use or available on the market into three categories: Sanctioned (approved and supported); Authorized (not sanctioned, but low risk and therefore tolerated); Prohibited (not sanctioned and dangerous, to be blocked).
This is a corporate matter, not merely a technical one, and should not be left to the CIO alone. It affects people and their motivation as well as, potentially, business-critical processes and information, so the policy should be defined and sponsored at board level.
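The discovery side of the CASB/proxy approach described earlier and the three-way classification above can be put together in a small report. The following is an added example, not code from the original article or from any CASB product: it parses constructed forward-proxy log lines (a Squid-like "timestamp client method url bytes" layout, assumed here), classifies each destination host against inventory lists that the CIO's office would maintain (the domain names are illustrative), flags hosts that fall in none of the three categories as newly discovered Shadow IT, and orders a triage queue by the volume of data uploaded to each host. A corrupt line is included in the sample to show that malformed input is counted and skipped rather than crashing the report.

```python
"""Shadow IT discovery report from proxy logs (added example, not from the article).

Inventory lists, log format and hostnames are assumptions for illustration.
"""
import re

# Inventory kept by the CIO's office (illustrative hostnames).
SANCTIONED = {"mail.example-corp.com", "sharepoint.example-corp.com"}
AUTHORIZED = {"weather.example.net"}      # tolerated: low risk, not supported
PROHIBITED = {"pastebin.example.org"}     # dangerous: must be blocked

# Constructed sample log. Fourth line is deliberately corrupt.
SAMPLE_LOG = """\
1700000000.123 10.0.5.14 GET https://mail.example-corp.com/inbox 5120
1700000001.456 10.0.5.14 POST https://filedrop.example.io/upload 2048000
1700000002.789 10.0.5.22 GET https://weather.example.net/today 800
this line is corrupt and must be skipped, not crash the report
1700000003.101 10.0.5.22 POST https://pastebin.example.org/api/post 4096
1700000004.202 10.0.5.31 PUT https://filedrop.example.io/upload 512000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", re.IGNORECASE)


def classify(host):
    """Map a hostname onto the article's three categories; anything else is
    newly discovered Shadow IT that still needs a decision."""
    if host in SANCTIONED:
        return "sanctioned"
    if host in AUTHORIZED:
        return "authorized"
    if host in PROHIBITED:
        return "prohibited"
    return "unknown"


def parse_log(text):
    """Return (records, skipped): parsed requests and the count of lines that
    did not match the expected layout."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        h = HOST_RE.match(m["url"])
        if not h:
            skipped += 1
            continue
        records.append({
            "client": m["client"],
            "method": m["method"],
            "host": h.group(1).lower(),
            "bytes": int(m["bytes"]),
        })
    return records, skipped


def summarize(records):
    """Aggregate per destination host: category, distinct clients, request
    count and bytes sent outward (POST/PUT bodies are what leaves the company)."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["host"], {
            "category": classify(r["host"]),
            "clients": set(),
            "requests": 0,
            "upload_bytes": 0,
        })
        entry["clients"].add(r["client"])
        entry["requests"] += 1
        if r["method"] in ("POST", "PUT"):
            entry["upload_bytes"] += r["bytes"]
    return summary


def triage_queue(summary):
    """Hosts that need attention: prohibited ones first (the policy was already
    violated, and a CASB in inline mode should have blocked them), then unknown
    ones, each group ordered by upload volume and then by how many clients use it."""
    order = {"prohibited": 0, "unknown": 1}
    hosts = [h for h, e in summary.items() if e["category"] in order]
    return sorted(hosts, key=lambda h: (order[summary[h]["category"]],
                                        -summary[h]["upload_bytes"],
                                        -len(summary[h]["clients"])))


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    report = summarize(recs)
    print(f"parsed {len(recs)} requests, skipped {bad} malformed line(s)")
    for host in triage_queue(report):
        e = report[host]
        print(f"{e['category']:10s} {host:28s} clients={len(e['clients'])} "
              f"upload={e['upload_bytes']}")
```

In practice the inventory sets would be loaded from the CASB or a CMDB rather than hard-coded, and the "unknown" bucket is the list the CIO's office works through to place each discovered app into one of the three categories.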
Some key items need to be leveraged like:
- In some jurisdictions, part of the information on an employee's workstation (such as email) may legally be the employee's property; should the company therefore classify the workstation environment accordingly?
- Is an employee entitled to use any tool he or she finds suitable to boost productivity if it poses no risk to the corporation? If so, what registration and approval process needs to be followed?
- How likely are employees to comply with a given prohibition, and what will it cost to enforce? It is pointless to have someone spend hours working around a prohibition instead of doing their job.
Critical Points and Risks Associated with Shadow IT
- Shadow IT is not a disease to be eradicated; it is a fact of modern corporate life that needs to be managed in an appropriately assertive manner.
- Controlling Shadow IT is not only about controlling the devices that connect to the LAN/WAN; it is about managing user identities and accounts together with managing the people behind them.
- BYOD – If companies ignore the trend and do not establish a proper BYOD policy, a user may bring his latest-generation tablet to work and set up a local WLAN or hotspot so that colleagues can reach some public resource. An unmanaged device bridging an unmanaged wireless network and the corporate LAN bypasses the perimeter controls and could expose the entire corporate network to a high degree of security risk.
- At the end of the day it is about financial risk. It is easy to see that having core business data stored on a consumer cloud storage service, or documents with critical information saved on Google Drive, may put the business itself at risk; but what about the cost of having the Internet backbone bottlenecked on Friday at 5 p.m. because employees are updating their Fantasy Football lineups, or of several employees using Facebook during work hours and consuming bandwidth that slows down access to corporate applications?
Advantages of Embracing Shadow IT
As strange as it may seem, there are potential advantages to adopting common cloud-based applications at corporate level (applications that at first are considered Shadow IT), provided the supporting infrastructure fulfills the security, redundancy and availability requirements:
- Storage and Backups – The provider operates the storage, so the associated service and operational costs are a fraction of an on-premises storage infrastructure. Check the contract, however: under the usual shared-responsibility model, backup and recovery of the customer's own data often remain the customer's responsibility.
- Data Ownership – In a cloud environment every file has an owner, together with complete metadata about who shared it and from where, so accountability audits are possible.
- Data Retention and Audit Trail – There is a complete record of file creation and access, and retention periods can be enforced on it.
- Data Classification – Most cloud-based services allow a wide range of classification tags.
- Access Control – Cloud environments allow user roles and groups to be defined and offer multiple authentication methods out of the box.
- Mobile Device/application control – Typically “native” in Cloud environments.
- Encryption by default – Data is encrypted at rest on the provider's side. Note that by default the provider also holds the keys, and encryption at rest does nothing against a compromised user account; customer-managed keys and strong authentication are needed for that.
- Federation – Corporate SSO can be made the only way to access the environment, so that accounts are provisioned and revoked centrally.