One of the most pressing security and risk issues facing enterprise IT these days is also one of the most difficult to address. Shadow IT — as it’s been called — describes the practice of employees and/or departments self-provisioning cloud applications for improved productivity, collaboration or reduced costs. So whether it’s a single employee uploading work documents to a file sync and share service or an entire line of business adopting a cloud CRM app, shadow IT exists in virtually every organization today — and it isn’t going away anytime soon.
Here are three reasons why, and what organizations can do to mitigate the loss of visibility and control they face.
1. SHADOW IT IS EASY.
The thing about the cloud apps that employees and line of business departments appreciate is that they are easy to adopt. They are simple to set up, easy to navigate, and easy to use. It’s that ease of use that draws users in and keeps them coming back for more. In the case of many organizations, in-house apps are significantly more difficult to access and navigate. They may require a VPN connection or have a hard-to-learn user interface, making them a chore to use and a hindrance to productivity. When faced with an immediate alternative, it’s all too easy for individual employees and business leaders to choose the easier route of approving the use of a cloud application that provides instant productivity.
2. SHADOW IT IS CHEAP.
In most cases, cloud apps are quite affordable. “But wait,” you might be thinking, “the IT-approved equivalent is even better! It’s free for the business and employees to use!” Things are not quite so simple. What often gives rise to shadow IT problems is the fact that employees aren’t only using their devices for work. They may have personal projects or interests that they’re pursuing, and once they’ve adopted a cloud app to store their personal files or to keep track of their personal projects, it becomes all too tempting to migrate their work projects into those apps as well, for simplicity’s sake and to more effectively manage their time. Unfortunately, this can lead to the commingling of corporate data with personal data, creating new visibility and control issues of which IT is unaware.
3. SHADOW IT IS EVERYWHERE.
Business conditions are constantly changing and new needs are emerging—often too fast for IT to keep up with. No sooner does IT get control over cloud file sync and share than a department decides to adopt a cloud-based invoicing or project management app. An employee on the road may find his usual conferencing app inaccessible and choose to interface with clients using a completely different service. And so it goes. Shadow IT is a moving target, sometimes a game of “whack a mole” (see related post – “Cloud Application ‘Whack-a-Mole’ – How Does it Start?”) for the IT department. There will always be a new app that seems better to users than what the enterprise currently offers, or, just as likely, one for which IT provides no alternative.
And here lies the problem…these cloud apps can have inconsistent or insufficient security controls, introducing risks that businesses aren’t even aware of.
Addressing these risks will require vigilance. Organizations must continuously discover new cloud apps and assess their risks, using a solution such as CipherCloud for Cloud Discovery, to understand what shadow IT apps employees are accessing and what factors may make them risky. An official cloud app can then be selected that keeps users happy while ensuring cloud monitoring, visibility, and data protection where needed.
This is where IT comes in. Shadow IT doesn’t have to be a bad thing. In fact, IT departments don’t need to match cloud providers when it comes to rapid provisioning of resources. Shadow IT can be something of a boon to enterprise agility and business responsiveness. IT’s role is changing from technology provider and gatekeeper to risk manager and provider of governance and protection for approved clouds. IT need not compete with shadow IT—in some ways, that’s impossible—but rather bring it into the light so that it can be managed to ensure security, compliance and industry competitiveness.
What solutions are you considering to solve the problem of shadow IT? Tell us your thoughts in the comments.