“Shadow IT” is a name for the process that occurs when users self-select IT services, signing up for cloud-based services without the knowledge or approval of the IT organization. IT could take the attitude that Shadow IT is a good deal for them, since on the surface it sounds like users are going to take care of their own problems, creating one less task for already busy administrators. But it’s not that simple. Shadow IT is full of risk. Organizations should be very concerned about leakage and data loss. We also find that most Shadow IT projects get thrown back over the wall to IT at some point, and IT ends up supporting the initiative anyway.
Why Does Shadow IT Matter?
When it comes to data, IT has three responsibilities: make a copy of data in case of a storage failure; retain data as governed by company policy; and make sure that data is only available to the people who need to access it. Shadow IT makes meeting any of these responsibilities almost impossible.
The big problem is data leakage, because these largely consumer services make it difficult to control who can access organizational data. A recent report by Frost & Sullivan indicated that 81 percent of employees admitted to using an unauthorized software service product. The most-used solution was Dropbox’s file sync and share service; 38 percent of those employees reported that they used Dropbox without IT approval. Clearly, users feel there is a need to synchronize their data across their devices as well as share that data with outside organizations. The problem is that there is limited IT oversight. From a central console, IT can’t tell what devices and organizational data are being shared, with whom, or for how long. Most file sync and share tools also don’t have the ability to remotely wipe devices in the event of employee departure. This means that organizational data stays on that employee’s device when they leave the organization.
But the Shadow IT problem isn’t confined to file sync and share solutions. Users self-select backup solutions, archiving tools, project or sales management solutions and messaging tools. Many of these products also allow the attachment of files and the sharing of contact / project information with users outside of the organization. It is very easy for data to escape through these holes.
In addition to the security issues caused by data leakage, there is also the problem of data protection. In many cases data can go through its entire ‘lifecycle’ and never hit a company server. It can be created on the user’s device, be synced to the cloud, uploaded to a project management solution, shared with various users or suppliers and then purposely or accidentally deleted. The data protection and data retention processes never make a copy of the data because they don’t even know it exists in the first place.
Control Shadow IT Now
External online service providers can’t realistically be eliminated; they provide something that users obviously need. But their unauthorized use can be. IT needs to make sure that when external services are used it can still meet the above requirements of protection, retention and security. Control requires that IT select one service per use case and then eliminate the use of other services. We’ve seen situations where 10 different file sync and share solutions were being used at the same time. But providing an IT-approved service means that IT needs to find enterprise alternatives, or find add-ons so that the original service can be managed and made more secure. As with a VDI project, you have to meet the users’ expectations to gain acceptance, while finding a solution that provides IT control and oversight.
The next step, and the one that is often missed, is making sure that no other unauthorized solutions are in place. It’s almost impossible to block access to these services individually, since new ones appear all the time. While blocking the major services will help, IT also needs to find a reporting tool that will identify the use of applications that seem to have Shadow IT traits, so it can investigate their use.
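The reporting step described above, as an added example that is not from the original article or from any vendor's tool: it reads web-proxy log lines and reports traffic to services that compete with the IT-approved one, plus unknown destinations with an upload-heavy pattern. The log format, hostnames, service catalogue and 5 MB threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: IT has approved exactly one service per use case (hostnames constructed).
SANCTIONED = {"file-sync": "sync.approved.example", "backup": "backup.approved.example"}
# Assumption: a catalogue mapping known service hosts to the use case they serve.
CATALOGUE = {"sync.approved.example": "file-sync", "dropfiles.example": "file-sync",
             "backup.approved.example": "backup", "cheapbackup.example": "backup"}
UPLOAD_TRAIT_BYTES = 5_000_000  # assumed threshold for an "upload-heavy" unknown service
# Constructed proxy log, one request per line: time user method url bytes_out bytes_in
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST https://sync.approved.example/upload 8000000 1200
2024-05-01T09:02:10Z bob POST https://dropfiles.example/api/upload 7500000 900
2024-05-01T09:05:44Z bob POST https://dropfiles.example/api/share 2000 800
2024-05-01T09:07:12Z carol PUT https://newtool.example/projects/7/files 6200000 1500
2024-05-01T09:09:30Z dave GET https://news.example/index.html 700 450000
2024-05-01T09:11:02Z erin POST https://cheapbackup.example/v1/chunks 40000000 300
not a log line
"""

def find_shadow_it(log_text):
    """Return {(user, host): usage + reason} for traffic that warrants investigation."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "bytes_in": 0})
    for line in log_text.splitlines():
        parts = line.split()
        host = (urlsplit(parts[3]).hostname or "").lower() if len(parts) == 6 else ""
        if not host or not parts[4].isdigit() or not parts[5].isdigit():
            continue  # skip malformed lines instead of failing the whole report
        rec = usage[(parts[1], host)]
        rec["requests"] += 1
        rec["bytes_out"] += int(parts[4])
        rec["bytes_in"] += int(parts[5])
    findings = {}
    for (user, host), rec in usage.items():
        use_case = CATALOGUE.get(host)
        if use_case and SANCTIONED[use_case] == host:
            continue  # the approved service for this use case
        if use_case:
            reason = f"unsanctioned {use_case} service; approved is {SANCTIONED[use_case]}"
        elif rec["bytes_out"] >= UPLOAD_TRAIT_BYTES and rec["bytes_out"] > rec["bytes_in"]:
            reason = "unknown service with upload-heavy traffic; investigate"
        else:
            continue  # ordinary browsing, nothing to report
        findings[(user, host)] = {**rec, "reason": reason}
    return findings

if __name__ == "__main__":
    for (user, host), rec in find_shadow_it(SAMPLE_LOG).items():
        print(user, host, rec["bytes_out"], rec["reason"])
```

The second rule is what catches services that are not yet in any block list or catalogue, which is the gap the paragraph above points out.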
Shadow IT is something that can’t be ignored. All the assumptions that IT might make about its use are wrong. It seldom lightens the IT workload; most of the time it increases it. And it puts organizational data at risk of either leakage or loss. But the services that users are selecting are clearly services they think they will need, since in many cases they are willing to spend their own money on them.
The good news is that there are a variety of enterprise alternatives for almost every available online service. Again, IT needs to approach these projects the way it approaches a VDI project: select products that users will like and use while still meeting IT objectives. Finally, once the alternative is in place, IT needs to strictly monitor the use of other services and shut them down as quickly as possible.