What is Shadow IT? – and why you should care

“Shadow IT” is a name for the process that occurs when users self-select IT services, signing up for cloud-based services without the knowledge or approval of the IT organization. IT could take the attitude that Shadow IT is a good deal for them, since on the surface it sounds like users are going to take care of their own problems, creating one less task for already busy administrators. But it’s not that simple. Shadow IT is full of risk. Organizations should be very concerned about leakage and data loss. We also find that most Shadow IT projects get thrown back over the wall to IT at some point, and IT ends up supporting the initiative anyway.

Why Does Shadow IT Matter?

When it comes to data, IT has three responsibilities: make a copy of data in case of a storage failure; retain data as governed by company policy; and make sure that data is only available to the people who need to access it. Shadow IT makes meeting any of these responsibilities almost impossible.

The big problem is data leakage, because these largely consumer services make it difficult to control who can access organizational data. A recent report by Frost & Sullivan indicated that 81 percent of employees admitted to using an unauthorized software service product. The most-used solution was Dropbox’s file sync and share service; 38% of those employees reported that they used Dropbox without IT approval. Clearly, users feel there is a need to synchronize their data across their devices as well as share that data with outside organizations. The problem is that there is limited IT oversight. From a central console, IT can’t tell what devices and organizational data are being shared, with whom, or for how long. Most file sync and share tools also don’t have the ability to remotely wipe devices in the event of employee departure. This means that organizational data stays on that employee’s device when they leave the organization.

But the Shadow IT problem isn’t confined to file sync and share solutions. Users self-select backup solutions, archiving tools, project or sales management solutions and messaging tools. Many of these products also allow the attachment of files and the sharing of contact / project information with users outside of the organization. It is very easy for data to escape through these holes.

In addition to the security issues caused by data leakage, there is also the problem of data protection. In many cases data can go through its entire ‘lifecycle’ and never hit a company server. It can be created on the user’s device, be synced to the cloud, uploaded to a project management solution, shared with various users or suppliers and then purposely or accidentally deleted. The data protection and data retention processes never make a copy of the data because they don’t even know it exists in the first place.

Control Shadow IT Now

External online service providers can’t realistically be eliminated; they provide something that users obviously need. But their unauthorized use can be. IT needs to make sure that when external services are used, it can still meet the above requirements of protection, retention and security. Control requires that IT select one service per use case and then eliminate the use of other services. We’ve seen situations where 10 different file sync and share solutions were being used at the same time. But providing an IT-approved service will mean that IT needs to find enterprise alternatives or find add-ons so that the original service can be managed and made more secure. As with a VDI project, you have to meet the users’ expectations to gain acceptance, while finding a solution that provides IT control and oversight.

The next step, and the one that is often missed, is making sure that no other unauthorized solutions are in place. It’s almost impossible to discretely block access to each of these services, since new ones appear all the time. While blocking the major services will help, IT also needs to find a reporting tool that will identify the use of applications that seem to have Shadow IT traits, so they can investigate their use.
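As an added example (not part of the original article), here is one way such a report could work: it reads web proxy log lines and lists, per use case, every service in use other than the single approved one, with the users involved and the bytes uploaded. The log format, the domain-to-use-case map, the approved list and every host except dropbox.com are constructed assumptions.

```python
from collections import defaultdict

# Assumption: IT maintains this map of known SaaS domains to use case, and
# one approved service per use case. All entries are constructed samples.
USE_CASE = {
    "dropbox.com": "file sync and share",
    "sync-b.example": "file sync and share",
    "corpshare.example": "file sync and share",
    "tasks-a.example": "project management",
}
APPROVED = {"file sync and share": "corpshare.example"}

# Constructed proxy log: timestamp user destination_host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice dropbox.com 52428800
2024-05-01T09:02:10Z bob client.dropbox.com 1048576
2024-05-01T09:05:00Z alice corpshare.example 2097152
2024-05-01T09:07:30Z carol sync-b.example 734003200
2024-05-01T09:09:12Z dave tasks-a.example 40960
2024-05-01T09:10:00Z erin intranet.corp.example 512
malformed line
"""

def service_for(host):
    """Match a host to a known service by walking up its domain labels."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in USE_CASE:
            return candidate
    return None

def shadow_it_report(log_text):
    """Return {use_case: {service: {"users", "bytes_up"}}} for unapproved services."""
    report = defaultdict(lambda: defaultdict(lambda: {"users": set(), "bytes_up": 0}))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines that do not match the assumed format
        _, user, host, sent = parts
        service = service_for(host)
        # A use case with no approved service treats every service as unapproved.
        if service is None or APPROVED.get(USE_CASE[service]) == service:
            continue
        entry = report[USE_CASE[service]][service]
        entry["users"].add(user)
        entry["bytes_up"] += int(sent)
    return {use_case: dict(services) for use_case, services in report.items()}
```

Hosts missing from the map are ignored here, so because new services appear all the time, destinations the map does not recognize need their own periodic review.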

StorageSwiss Take

Shadow IT is something that can’t be ignored. All the assumptions that IT might make about its use are wrong. It seldom lightens the IT workload; most of the time it increases it. And it puts organizational data at risk of either leakage or loss. But the services that users are selecting are clearly services they think they will need, since in many cases they are willing to spend their own money on them.

The good news is that there are a variety of enterprise alternatives for almost every available online service. Again, IT needs to approach these projects the way it approaches a VDI project: select products that users will like and use while still meeting IT objectives. Finally, once the alternative is in place, IT needs to strictly monitor the use of other services and shut them down as quickly as possible.

George Crump is the Chief Marketing Officer at VergeIO, the leader in Ultraconverged Infrastructure. Prior to VergeIO he was Chief Product Strategist at StorONE. Before assuming roles with innovative technology vendors, George spent almost 14 years as the founder and lead analyst at Storage Switzerland. In his spare time, he continues to write blogs on Storage Switzerland to educate IT professionals on all aspects of data center storage. He is the primary contributor to Storage Switzerland and is a heavily sought-after public speaker. With over 30 years of experience designing storage solutions for data centers across the US, he has seen the birth of such technologies as RAID, NAS, SAN, Virtualization, Cloud, and Enterprise Flash. Before founding Storage Switzerland, he was CTO at one of the nation's largest storage integrators, where he was in charge of technology testing, integration, and product selection.

2 comments on “What is Shadow IT? – and why you should care”
  1. Tim Wessels says:

    Well, IT didn’t see Shadow IT coming because they weren’t aware that SaaS apps could be delivered to anyone who had an Internet connection and a credit card. IT has been in a reactive posture ever since. After decades of telling users what was best for them, users adopted better, easier to use and cheaper IT solutions, even if they had to pay for them out of their own pockets. This reminds me of the early days of LANs when departments could go out and buy one with their budget funding without talking to IT. Suddenly they were able to share disk storage, apps and printers. Back then IT was stuck in their “glass box” making plans for everyone else and didn’t notice. The problem with IT and cloud computing is more psychological than technical. IT has had a hard time shifting from developing IT solutions users didn’t ask for to delivering the IT services that users want to do their jobs. We’re almost ten years into the modern era of cloud computing and it is time for IT to get over itself and do what needs to be done to support users and their business objectives. To paraphrase Lamont Cranston, who played The Shadow in a 1930s radio crime drama…Who knows what apps lurk in the hearts of users? Shadow IT knows!
