Cloud computing has made it easier for IT users to bypass IT procurement protocols and access the solutions they need to fulfil their job requirements. From a user's perspective, the oversight of IT departments and stringent governance policies are often designed to protect the organization – not necessarily to address the challenges of the user's actual job functions at the workplace. The result is the practice of bypassing these limitations and accessing the required IT solutions without the knowledge of the appropriate IT department.
Shadow IT refers to IT technologies, solutions, services, projects and infrastructure used and managed without the formal approval and support of internal IT departments. Shadow IT technologies may not align with the organization's requirements and policies on compliance, security, cost, documentation, SLAs, reliability and the other key factors that determine whether the appropriate decision makers formally support an IT system. As such, users of Shadow IT systems bypass the approval and provisioning process and use the unauthorized technology without the knowledge of their IT department.
Why do users turn to Shadow IT?
IT users adopt Shadow IT practices only to fulfil their job requirements in ways that make their lives easier. Part of the problem lies with organizations that do not offer adequate support for the technologies IT users require, or that make the governance, approval and provisioning process too slow and ineffective.
Especially in DevOps-driven organizations focused on continuous innovation and rapid software development and release cycles, the need for new tooling can arise with little warning, leaving IT departments unable to identify, vet and approve products at the pace of DevOps. Inadequate communication and collaboration between developers and IT departments further bottleneck the speed and flexibility of IT support needed to approve the necessary technologies. At the same time, inadequate security capabilities tend to prevent organizations from approving new technologies even when they want to support developers with the latest and greatest solutions available in the industry.
Risks Associated with Shadow IT
While employees are able to complete their job tasks conveniently using Shadow IT systems, the technology introduces unprecedented risks, inefficiencies and costs for the organization, including:
- The organization loses control and visibility into the data migrated to Shadow IT systems. The risks include security and regulatory noncompliance, data leaks and inability to perform disaster recovery measures involving data in Shadow IT systems when required.
- System inefficiencies arise when data is stored and used in multiple infrastructure locations. If the organization isn’t informed of the data flows, IT departments cannot plan for capacity, system architecture, security and performance across data in disparate and siloed Shadow IT apps.
- Once a Shadow IT system becomes a critical part of the project and IT users need to scale the resources, the cost incurred by the organization to continue using the service may be unjustified. This is a common concern with SaaS applications such as cloud storage.
- For organizations subject to stringent compliance regulations, the risk of Shadow IT can have far-reaching consequences. For instance, if IT users at a healthcare institution store sensitive patient data in Shadow IT cloud storage solutions, the institution may be required to audit, identify and disclose the scope and impact of this incident. In addition to exposing privacy-sensitive information to cyber-attacks, the organization may also face costly lawsuits for noncompliance that damage its brand reputation and business.
How to Respond to Shadow IT
Shadow IT is inevitable. Gartner research finds that on average 30 to 40 percent of purchases in the enterprise involve Shadow IT spending. Research by Everest Group found these figures are closer to 50 percent. As a result, organizations must take strategic measures to reduce both the need for Shadow IT solutions and the risk associated with them:
- Communication and Collaboration: Discover the needs of IT users. Break the silos. Enable easy, convenient and effective communication between IT departments and IT users, in order to understand the true needs, experience and feedback of end-users on existing and new required technologies.
- Education and Training: Inform users about the risks associated with Shadow IT and how the organization can help fulfil their technology requirements without bypassing the standard governance protocols. Security-aware employees who share the organization’s vision of IT security are more likely to understand the risks associated with Shadow IT and will be encouraged to find appropriate solutions for their technology needs.
- Streamline Governance: Develop an IT governance structure that facilitates innovation by identifying, vetting, making available and provisioning new technologies for IT users at a rapid pace. Develop user-centric policies and anticipate users' requirements. Balance policy enforcement with the flexibility to evolve and respond to the changing IT needs of end-users.
- Use Technology to Discover Shadow IT: Deploy technology solutions to monitor anomalous network activity, unexpected purchases, data and workload migrations, IT usage patterns and other indicators of Shadow IT practices. Proactive discovery allows organizations to mitigate the risks of Shadow IT faster.
- Assess and Mitigate the Risks: Not all Shadow IT technologies pose the same threat. Continuous assessment of the technologies in use at the workplace allows organizations to plan risk mitigation activities based on the risk sensitivity of each Shadow IT technology.
Establishing Policies Around Shadow IT
A critical first step in dealing with Shadow IT is to clearly map the organization’s global IT landscape according to the impact that each family, group or individual resource could potentially have on the core business.
The CIO needs to list and classify the known, market-available Shadow IT resources into three categories: Sanctioned; Authorized (not sanctioned, yet irrelevant to the business); Prohibited (not sanctioned and dangerous).
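The discovery step described under "Use Technology to Discover Shadow IT" and the three-category classification above can be combined into a simple triage over proxy logs. The following is an added example, not code from the original article: it assumes a constructed classification table and constructed proxy log lines, and flags hosts that are prohibited or unknown-with-large-uploads so that the CIO can classify them.

```python
import re
from collections import defaultdict

# Constructed sample classification table using the article's three categories.
# In practice this comes from the CIO's inventory of known Shadow IT resources.
CLASSIFICATION = {
    "files.corp-approved.example": "sanctioned",
    "notes-app.example": "authorized",
    "anon-share.example": "prohibited",
}

# Constructed proxy log lines: timestamp, user, method, host, bytes sent by the client.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST files.corp-approved.example 52000
2024-05-01T09:14:21Z bob POST anon-share.example 8400000
2024-05-01T09:15:07Z carol GET notes-app.example 1200
2024-05-01T09:16:44Z bob POST unknown-drive.example 3100000
2024-05-01T09:18:02Z dave POST unknown-drive.example 900000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def classify(host):
    """Map a host to Sanctioned / Authorized / Prohibited, or 'unknown' if not yet classified."""
    return CLASSIFICATION.get(host, "unknown")


def triage(log_text, upload_threshold=1_000_000):
    """Aggregate per host: category, distinct users, bytes uploaded, and whether to flag.

    A host is flagged when it is prohibited, or when it is unknown and the total
    upload volume crosses the threshold (a likely data migration to an unvetted service).
    """
    acc = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, user, method, host, nbytes = m.groups()
        acc[host]["users"].add(user)
        if method in ("POST", "PUT"):
            acc[host]["bytes_out"] += int(nbytes)
    report = {}
    for host, a in acc.items():
        category = classify(host)
        flag = category == "prohibited" or (
            category == "unknown" and a["bytes_out"] >= upload_threshold)
        report[host] = {"category": category, "users": sorted(a["users"]),
                        "bytes_out": a["bytes_out"], "flag": flag}
    return report
```

Flagged unknown hosts are the candidates the CIO then places into one of the three categories, closing the loop between discovery and policy.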
This is a corporate matter that goes beyond the technical perspective and therefore should be handled by the CIO. It affects people and their motivation, as well as potentially business-critical processes and information, so the policy should typically be defined and sponsored at board level.
Some key questions need to be addressed, such as:
- Since by law some information on a collaborator’s workstation (like emails) may be that collaborator’s property, should the workstation environment also be classified by the company as such?
- Is a collaborator entitled to use any tool that he/she finds suitable to boost his/her productivity if it poses no risk to the corporation? If so, what registration/approval process needs to be followed?
- What impact will prohibitions have, and how likely are collaborators to comply with them? It is pointless to have someone spend hours trying to find a way around a prohibition instead of doing their work.
Advantages of Embracing Shadow IT
There are some instances where the potential advantages of adopting common cloud-based applications at a corporate level (which at an initial stage are considered Shadow IT) outweigh the associated risks, provided the supporting infrastructure fulfils the security, redundancy and availability requirements:
- Storage and Backups – These are assured by the provider, so the service and operational costs are a fraction of those of on-premises storage infrastructure.
- Data Ownership – In a cloud environment every file has an owner, along with complete metadata about the user who shared it and from where, so an accountability audit is possible.
- Data Retention – There is a complete track record of file creation and access.
- Data Classification – Most cloud-based services allow a wide range of classification tags.
- Access Control – Cloud environments allow user categories to be defined by default while enabling authentication methods.
- Mobile Device/Application Control – Typically “native” in cloud environments.
- Encryption by Default – Data is encrypted by default on the service provider’s side.
- Federation – It is possible to make the corporate SSO option the only way to access the environment.
By understanding Shadow IT, the needs and expectations of IT users, and the risks associated with the practice, organizations can transform Shadow IT into a safe and useful arsenal of tooling that drives disruptive innovation. But before that happens, organizations need to devise strategies that work toward the collective goals of employees, IT departments and the business. Done correctly, support for new technologies can create new opportunities for organizations to deliver better products to market, faster and with less effort on the part of IT users at the workplace.