The term “Shadow IT” can conjure up visions of overwhelmed CIOs frantically trying to keep information repositories secure from online attacks, while their own employees compromise security by brazenly using personal devices and consumer cloud services without IT’s permission or even IT’s knowledge.
The term can also portray IT vendors as complicit actors who enable the employees to circumvent policy, uncaring toward the CIO’s plight. But actually, the opposite appears to be true. Google’s recent announcement of new features for its Android for Work initiative is just the latest example of a vendor working to help IT regain control without limiting employees to using only approved technologies.
Taking this initiative is not just good corporate citizenship; it’s becoming a necessary business strategy, particularly for companies like Facebook that have designs on breaking into the enterprise services market.
“Shadow IT” is now a well-established phenomenon, the offspring of the broader “consumerization of IT” trend. What may still surprise even the savviest CIO is just how many employees are self-selecting applications, particularly those that are cloud-based, and how extensive the selection has become.
In February 2015, Cloud security platform developer CipherCloud issued the findings of a year-long study that examined cloud usage. A couple of the more startling findings from the “Cloud Adoption and Risk Report in North America and Europe – 2014 Trends” report include:
- Enterprises vastly underestimate the extent to which shadow IT cloud applications are used by their organizations. Eighty-six percent of the cloud applications that employees admit to using are not sanctioned by IT.
- One major U.S. enterprise estimated that 10 to 15 file-sharing applications were in use but then discovered that number was almost 70.
Seventy applications is nothing compared to the number you will find in Skyhigh Networks’ quarterly report on cloud adoption. The company’s “Cloud Adoption and Risk Report Q4 2014” states that the average number of cloud services in use at each company in Q4 2014 grew to 897! That’s a 43 percent increase from Q4 2013. The report adds, “That number is 10 to 20 times higher than what IT executives expect; especially considering that many of these cloud services are adopted by employees acting on their own, without the knowledge of the IT department.”
Perhaps it’s not surprising, then, that the term “shadow cloud” replaces “shadow IT” in PricewaterhouseCoopers’ 2014 report “Managing the Shadow Cloud,” which states, “Shadow IT is not a new concept, but its recent increase has been dramatic. The culture of consumerization within the enterprise . . . coupled with aging technologies and outdated IT models, has propelled cloud computing into favor with business units and individual users.”
Although shadow IT may not be a foreign concept to IT departments, there remain serious risks to giving up control of the applications and services that employees use to access IT systems and to manage or share sensitive business information. Doing so undermines information security efforts, can lead to compliance violations, and can add redundant services that create inefficiencies with those already implemented and overseen by IT.
Being able to answer the question “What’s going on across my network?” is critically important, as an increasing number of data centers today have adopted a hybrid enterprise model, with one foot on-premises and one in the cloud. Networks are going hybrid too, with private multiprotocol label switching (MPLS) links for mission-critical applications and the public Internet for noncritical traffic.
The companies that not only manage all this new complexity but leverage it to make their applications perform at their peaks, will gain a competitive advantage in this new hybrid world. To achieve this, CIOs need visibility, control, and optimization across hybrid clouds and networks to ensure that all on-premises, cloud, and SaaS applications perform to the service-level agreements determined by the business. CIOs cannot achieve that level of visibility and control if they are unaware of the dozens, even hundreds, of unsanctioned cloud services and devices employees may be using on their own.
Despite these risks, I agree with those who advise CIOs against trying to regain control by the outright banning of any services except for those that IT implements.
Ojas Rege, vice president of strategy at MobileIron, sums up this view in his recent opinion piece “Why You Need to Learn to Love Shadow IT” for ITProPortal: “CIOs would be well advised to adopt a more progressive approach. Shadow IT highlights those areas in which IT is falling short of the needs of the employee. It should be viewed as a valuable asset, not as a threat. With a more progressive approach, CIOs could implement regulations that actually support shadow IT initiatives, helping them to understand employee grievances to achieve the right solutions.”
The PwC report I cited earlier, “Managing the Shadow Cloud,” provides CIOs with similar guidance, and adds that “the days of ‘big IT’ are gone, but successful IT departments will be those that work with the business to solve the organization’s most important problems. IT will move from a centralized authority to an advisor, broker, and orchestrator of business services.”
What do both of these recommendations have in common? CIOs should listen to their user communities. Shadow IT exists because people need to get work done and “official” IT isn’t responsive enough, or because it lacks the necessary tools. This drives people to find an adequate collaboration platform on their own — and they won’t care about security. Useful enterprise collaboration should be high on all IT priority lists.
Additionally, the distinction between work and non-work is quickly evaporating, and policies towards device and software capabilities should reflect this. Employees will likely reject the notion of IT controlling personal devices but will generally accept control of corporate information on those devices. Therefore, IT should look for mobile applications and management tools that offer greater flexibility.
Another key to showing employees that IT is working with and not against them is to move quickly to standardize a few services. Ideal early candidates include file-sharing and instant messaging. It’s easier to rein in data from five services than from 30, or from 20 users as opposed to 2,000. Simplify access — if it’s TLS-based (and can integrate with your corporate directory), users won’t need to connect to the VPN first. Try to make official IT as easy and responsive as shadow IT while still asserting appropriate control over corporate intellectual property.
Finally, reach out proactively to the shadow IT vendors and suggest that they work with the IT team directly over letting employees or individual business units implement their services on an ad hoc basis. This will not only help IT maintain control and visibility; it will help the vendor establish a more long-term and profitable relationship with the company.
We learned this lesson first-hand a few years ago, although in our case, the credit for the proactive outreach goes to the vendor. Dropbox alerted us to the fact that a number of our employees were using the cloud storage service and offered to help us establish a Dropbox for Business account. Good salesmanship, to be sure, but it also helped us create and implement policies and best practices for identifying and implementing, or at least permitting, the use of applications that employees feel can improve their productivity.
Dropbox and Google are certainly not the only examples of vendors trying to help CIOs and IT walk the line between achieving the network visibility and security they require while still permitting employees to use their preferred devices and services. Blackberry has long offered the ability to partition its smartphones to keep personal and work applications and information separate. Apple and IBM have started rolling out made-for-business applications and supporting cloud services that incorporate IBM’s big data and analytics capabilities to iPhone and iPad users. The list is long and growing.
To me, the next wave of new shadow IT services is coming from companies working to develop communications and collaboration platforms that aim to replace, or at least augment, email. The category is growing rapidly and includes established vendors like Microsoft and Facebook, and startups such as Slack and Huddle.
I encourage these companies to work directly with companies’ IT administrators and CIOs whenever possible rather than only enabling individuals to create user accounts without the knowledge of IT. The same advice applies to IT; trying to lock out all shadow IT services is essentially tilting at windmills. Work collaboratively and often with employees, as well as with the vendors whose services a majority of employees want to use (or may have already started using), and move quickly to implement some on at least a trial basis. Keep the lines of communication open so that employees are able to provide their feedback and, just as importantly, so that you are able to explain why a specific service may not be appropriate after all, because security or compliance risks cannot be overcome.
Steve Riley is Technical Director, Office of the CTO, at Riverbed Technology.