Despite the steady stream of innovation that has transformed software development and IT infrastructure management over the last decade, security vulnerabilities persist and breaches remain a constant threat. 2019 was no exception, with high-profile incidents–such as the Capital One data breach that exposed 100 million customer records and the opportunistic attack on the Disney+ launch that saw thousands of accounts being sold on the dark web–leading the headlines.
Protecting your organisation’s IT infrastructure is challenging enough when you have a clear picture of what belongs to that infrastructure. It becomes infinitely more challenging, especially in a world of cloud computing, when internal users have added to that infrastructure without letting you know. According to Gartner, this is a real problem. In fact, by their estimates, one-third of enterprise cyberattacks will be on so-called “shadow IT” and Internet of Things resources as we enter 2020. Security threats aside, shadow IT is also a nightmare for anyone working in heavily regulated industries like healthcare, where compliance is critical and patient data stored on or moving through shadow resources is a HIPAA violation waiting to happen.
Hidden risks are still real risks
Shadow IT is defined as “hardware or software within an enterprise that is not supported by the organisation’s central IT department.” There are two sides to this coin. If the technology is not supported by IT, it definitely means it’s not explicitly approved by IT. At the same time, if it’s not supported, it means that IT may not even be aware of its use. The reality of shadow IT poses some key challenges. On the one hand, how can you protect assets if you don’t even know they exist? On the other hand, if there are unprotected assets in your organisation, how can you ensure the overall security of the organisation?
The answer to both questions is the same: “You can’t.” In other words, if IT is going to properly secure the enterprise, IT needs to rein in shadow IT. The good news is there are a few key steps that IT can take to accomplish this.
Begin with education
The users in your organisation generally have the best intentions. When they use their credit card to spin up test servers on AWS, they aren’t trying to create a hole in the security perimeter. They’re simply trying to get their job done. Educating the organisation on the risks of “going rogue,” as well as clearly defining the resources, applications and devices that are supported and approved by IT, is a good starting point. Of course, you also need to make sure everyone understands the proper workflows for accessing or requesting the resources they need. Organisation-wide clarity around these issues can go a long way.
Give people what they need
No matter how much clarity your educational efforts create, if developers and other stakeholders can’t get what they want in a timely fashion, they’ll circumvent IT and get it themselves. Frankly, frustration with today’s slow provisioning processes, whether it’s waiting for virtual machines or storage, is a driving force behind the growth of shadow IT. No amount of education will make people happy with a bad process.
To streamline provisioning and enable easy access to cloud resources, focus on developing a self-service delivery model. By providing developers with a self-service portal that allows them to get what they want when they want, it eliminates the frustration that breeds shadow IT.
Provide access but retain control
Giving people what they need doesn’t mean giving up control. In fact, what makes the self-service model so powerful is that it allows IT teams to maintain a lot of control over user permissions, configurations, and usage rates. One way to do this is through the use of blueprints or templates for specific resources. Since these templates are created by IT, no one has to worry about compliance or governance risk. Guardrails--for instance, determining which groups can provision hybrid cloud resources, what they’re allowed to provision, and their quotas--are ideally built in. Ideally, these blueprints will cover the full range of services that developers use everyday, whether that’s commodity compute, networking, and storage, to DevOps-specific applications like Jenkins or even complex multi-tier application stacks.
One thing to note is that, although we have focused on issues around governance and security surrounding shadow IT, it also brings with it massive cost implications. Gartner estimates that shadow IT accounts for 30-40 per cent of all IT spend in large organisations. The Everest Group puts it even higher at 50 per cent.
For example, shadow IT often drives up costs when virtual machines and other test/demo environments are left running after DevOps teams are finished with them. By building in controls, such as power scheduling and expiration dates, IT can ensure that provisioned resources are turned off when no longer needed. In other words, guardrails within blueprints not only help you maintain good governance, they also help you manage costs, which is always top of mind for business leaders.
Reining in the shadow IT is a win-win for IT and DevOps
When companies are small, well-defined processes, explicit expectations for employees, a proper list of approved devices, and cross-departmental collaboration can ensure that shadow IT is kept in check.
However, as companies scale and increasingly adopt cloud computing, the emergence of shadow IT becomes harder to prevent. As your organisation grows, and as the business continues to place agility demands on IT, teams won’t put up with slow, inefficient governance, approval and provisioning processes. And developers won’t hesitate to circumvent protocol if they feel it will get them what they need more quickly. In this case, IT must be proactive and provide the organisation with a self-service option featuring automated guardrails and repeatable, sanctioned blueprints.
Seen from this perspective, reining in shadow IT represents an opportunity for IT to reduce the barriers to–and complexities of–provisioning resources. Self-service is the way to do this, and, when done right, it can and should be as easy as ordering a book online. Of course, the tools and platforms that devs need access to continue to evolve. This means that, if you don’t want to see the return of shadow IT, your infrastructure management platform needs to be able to adapt to new technologies and incorporate them into the self-service portal.
And if you can do that consistently, growing with the agility demands of the organisation, the darkness looming over your organisation--that of shadow IT--is reined in as a shadow of the past.
Grant Ho, Chief Marketing Officer, CloudBolt