
The biggest risks of shadow IT, and three steps to control it


There was a time, not long ago, when central IT departments had nearly full control over the infrastructure and IT spending of a company. Hardware and software alike had to be sanctioned by IT. With the advent and proliferation of SaaS and cloud infrastructure and services, those days are gone. Today, IT teams and CIOs are grappling with the explosion, and ramifications, of shadow IT - IT solutions that are being used without the approval of, and often even without the knowledge of, corporate IT organisations.

Studies from both Gartner and Everest Group have estimated that 50 per cent or more of IT spending in large enterprises is occurring outside the control of IT. Worse still, CIOs are largely not aware of the extent to which this is happening in their own companies. A Cisco survey of CIOs revealed that, on average, CIOs estimated their organisations were running 51 cloud services when in fact they were each running 730. Furthermore, Cisco found between 17 and 20 times more cloud applications running in companies than their IT departments had estimated.

The good and the bad of shadow IT

How did shadow IT become so prevalent so fast? Like most things these days, we can find the answer in the cloud. Cloud infrastructure and the technologies it has enabled (like SaaS) have changed the way we work, making it far easier for teams to use and deploy applications. In other words, we’re seeing IT become consumerised. This is a revelation for development teams, enabling the productivity and breakneck speed that is expected of them. The cloud relieves a dependence that once slowed down development. When the pressure is on to build and share quickly, the development teams can skip the steps of IT procurement, provisioning, testing, and security. Today, anyone with a credit card can buy subscription licenses for software that they see as beneficial to their job and productivity. And, equally, anyone inclined can provision infrastructure on the cloud - all without the consent, involvement, or often knowledge of IT.

For all its speed, this wild west world of procuring software and provisioning servers without IT comes with significant risks, not the least of which is data security. When IT has no control of an application, it has no control over the security of, or access to, that application either. Gartner predicted that by 2020, “a third of successful attacks experienced by enterprises will be on their shadow IT resources.” Strict controls over who can access and modify data and accounts are important for data protection. Monitoring access logs regularly can help identify a breach. Backup and recovery procedures can prevent critical data loss in the case of any incident. Patching vulnerabilities that arise or applying updates can prevent applications from being hacked. IT teams are generally responsible for all of these steps and more, but when they have no knowledge of an application, it is up to the team running that resource to ensure its security. Those who don’t are putting the entire organisation at risk.

Compliance is another concern for enterprises with shadow IT. In regulated industries like healthcare or finance, regulations have long required companies to protect their customers’ data, and agencies can audit the IT systems to ensure these regulations are being met. Those obligations are now being extended to organisations in other industries through new regulations like GDPR in Europe. Enterprise IT will often have a SAM (software asset management) process in place in the case of an audit. That process is difficult enough on its own, but shadow IT makes it impossible to be accurate. Failed audits could result in large, time-intensive, and costly compliance efforts, huge fines to the company, and in the worst cases firing or even jail time for IT leadership.

Without the ability to control or even see the provisioning and usage of systems, enterprises are seeing their IT costs explode. Individuals and teams may not follow best practices in provisioning instances of the right size, leasing them for the right amount of time, consuming the appropriate services, or decommissioning unused resources in order to control costs efficiently. In fact, armed with the perception of lower costs in the cloud and ease of access to those resources, developers often consume more than they otherwise would have. That’s why over 50 per cent of companies that have migrated to the cloud say that runaway cloud costs are their biggest IT pain point, according to 451 Research studies.

To be clear, direct access to cloud-enabled technologies and services is not inherently bad. Companies adopting cloud have seen massive upticks in productivity along with droves of other benefits, including ease in adopting new SaaS solutions, greater application availability and better customer experiences, increased mobility, and improved collaboration. Still, the aforementioned risks and others surrounding testing, configuration, change and lifecycle management, make it important to be able to identify and manage shadow IT.

How to identify and manage shadow IT

  • The first step to managing anything is visibility. Central IT needs first to identify all the systems that are currently being used. For SaaS, that might mean software surveys, finance and budget audits, or even manual system audits. For cloud infrastructure and services, some solutions will provide mechanisms that automate the discovery of resources being used per account. From this discovery stage, IT can begin to set a reasonable and responsible cloud strategy moving forward.
  • Avoid bottlenecks by adopting software-defined governance. Some organisations have adopted an approach that forces development and DevOps teams to request or approve cloud resources through corporate IT, much the way they did before cloud resources were an option. But the bottleneck effect that it has on teams waiting for approval and resources exacerbates the shadow IT problem. In better cases, cloud governance boards establish policies that enable IT to set up a catalogue of pre-approved cloud services, which development teams can simply select from for faster provisioning. These options are common within solutions like traditional cloud management platforms. However, advanced users have found gaps here too, wherein catalogues are not comprehensive enough and exceptions must be requested, ultimately slowing down provisioning times again.
    The best solutions embrace software-defined governance - where policies are set based on the user’s role, the environment, the team, and the purpose of the application. These solutions provide simple catalogue items for users who don’t need the complexity, and allow flexible “guardrails” for experienced users who need more advanced applications. That flexibility will be key in avoiding shadow IT.
  • Establish hierarchical policy management. While IT should set cloud usage rules at the corporate level, certain policies are best left up to the business units or teams themselves, who are often more familiar with the purpose of and regulations surrounding the applications they are building. This also provides more flexibility to teams, decreasing the likelihood of shadow IT. In the best cases, corporate IT can set policies that apply to the entire enterprise, while business units can set additional policies that apply to their teams.
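The software-defined guardrails and hierarchical policy layers described in the last two steps, as an added example that is not part of the original article or of any Scalr product. The policy model, the rule that a business unit may only tighten corporate rules, and the sample corporate and finance-unit policies are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    """One layer of cloud-usage rules. None means 'no constraint at this layer'."""
    allowed_regions: Optional[set] = None
    max_vcpus: Optional[int] = None
    required_tags: set = field(default_factory=set)
    expert_roles: set = field(default_factory=set)  # roles exempt from max_vcpus

def merge(corporate: Policy, unit: Policy) -> Policy:
    """Combine the enterprise-wide layer with a business-unit layer.
    The unit may only tighten corporate rules (constructed rule): regions are
    intersected, the vCPU cap is the smaller one, required tags are unioned, and
    a unit cannot exempt a role that corporate did not already exempt."""
    if corporate.allowed_regions is None:
        regions = unit.allowed_regions
    elif unit.allowed_regions is None:
        regions = corporate.allowed_regions
    else:
        regions = corporate.allowed_regions & unit.allowed_regions
    caps = [c for c in (corporate.max_vcpus, unit.max_vcpus) if c is not None]
    return Policy(
        allowed_regions=regions,
        max_vcpus=min(caps) if caps else None,
        required_tags=corporate.required_tags | unit.required_tags,
        expert_roles=corporate.expert_roles & unit.expert_roles,
    )

def evaluate(policy: Policy, request: dict) -> list:
    """Return the guardrail violations for a provisioning request; an empty
    list means the request can be provisioned without a manual approval step."""
    violations = []
    if policy.allowed_regions is not None and request["region"] not in policy.allowed_regions:
        violations.append(f"region {request['region']} is not permitted")
    over_cap = policy.max_vcpus is not None and request["vcpus"] > policy.max_vcpus
    if over_cap and request["role"] not in policy.expert_roles:
        violations.append(f"{request['vcpus']} vCPUs exceeds the cap of {policy.max_vcpus}")
    missing = policy.required_tags - set(request["tags"])
    if missing:
        violations.append("missing tags: " + ", ".join(sorted(missing)))
    return violations

# Constructed sample layers: corporate IT sets the outer guardrails, and a
# finance business unit narrows them for its own teams.
CORPORATE = Policy({"eu-west-1", "eu-central-1"}, 16, {"owner", "cost-centre"}, {"platform-engineer"})
FINANCE = Policy({"eu-central-1"}, 8, {"data-classification"}, {"platform-engineer", "quant-dev"})
FINANCE_EFFECTIVE = merge(CORPORATE, FINANCE)
```

A request from a finance developer for 16 vCPUs in eu-west-1 without a data-classification tag fails three guardrails, while a corporate-exempted platform engineer can exceed the cap; the finance unit's attempt to exempt quant-dev has no effect because corporate never granted it.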

As expectations for development teams continue to surge, the temptation of shadow IT will remain strong. Corporate IT teams can mitigate the risks of shadow IT by understanding the challenges of the business and offering solutions that will solve them. Business users have been clear - they need autonomy, flexibility, choice, and productivity. When IT can deliver those things, it will win against its toughest competition.

Evan Klein, product marketing manager, Scalr

Evan Klein is product marketing manager at Scalr, a hybrid cloud management solution provider. Scalr makes it easy for enterprises to achieve cost-effective, automated and standardised application deployments.