Shedding light on shadow IT

By: Josh Nelius


This article was co-authored by Hector Paz Soldan, Pedro Soares and Josh Nelius.

Global cloud adoption is in overdrive. According to Gartner, 60 percent of business users will be at least partially provisioned with capabilities from the public cloud. This is leading to a rise in risky practices that have been termed shadow IT.

According to industry expert Daniel Davis, shadow IT is defined as “people installing and using their own, non-company-sanctioned apps and software at work.” Why do they do this? Davis offers several possibilities: The employees may be unaware of or dissatisfied with company-approved options or simply prefer the apps they’re already using. It’s also possible that the company might not have a sanctioned solution for a specific task.

Many employees believe using their own apps is harmless, but shadow IT creates significant cost, security and compliance challenges for the business. The implications are compelling clients to find a solution now.

Detecting the problem

The following statistics from CipherCloud shed some light on the shadow IT movement:

  • 80 percent of employees admit to using unsanctioned software-as-a-service (SaaS).
  • The average global enterprise uses more than 1,100 cloud business applications.
  • European companies use 80 percent as many cloud apps as North American companies.
  • 70 percent of cloud apps used by European enterprises are not Safe Harbor-approved.

On top of that, 83 percent of support staff admit they use enterprise cloud business applications that are unsanctioned, according to Cisco.

Defining the problem

Shadow IT has three main negative characteristics:

  • It’s costly. When employees or departments start their own procurement and provisioning of IT resources, regardless of the buying mechanism, chances are there will be some degree of duplication that isn’t centrally controlled and therefore not optimized.
  • It can compromise security. This is one of the main reasons shadow IT is an issue for most companies today. Again, it’s about control and accountability. Without proper compliance and security rules in place, there’s no process to ensure confidentiality of data, strict access policies or even trust and non-repudiation factors.
  • It goes against processes. Companies need to rely on many of their processes — which are usually controlled by their IT departments — to ensure their overall environment is consistent and resilient, and that business can flow without IT-related disruptions. This includes release and deployment management; incident, change and problem management; and many other operational processes and procedures that can be completely overlooked by shadow IT.

Recognizing the solution

A cloud broker — an individual or organization that mediates and facilitates a defined selection of IT resources — can eliminate the process violations committed by shadow IT while still enabling resource procurement.

Simply having a cloud broker or brokerage services team acting as a single marketplace for IT resources can resolve many of the shadow IT-related headaches. Not only does brokerage expose and consolidate the expenditures related to daily IT operations, but it also makes it possible to project future expenses by day, by month or even by quarter. This is called cost control.

More importantly, having individual IT staff members provision, monitor and maintain their own virtual machines without oversight from a broker can introduce security violations. You probably can’t even count how many times you’ve found a coworker using a personal cloud account with sensitive corporate data on it. You might even be guilty of it yourself.

Flipping the switch on shadow IT

Gaining necessary approvals and wading through corporate bureaucracy can be difficult and time-consuming. If it’s difficult to procure test or development instances, most IT staff members will simply find an easy way to get them. This is why cloud providers intentionally make it easy to consume resources.

With a broker as a central gatekeeper, adhering to security guidelines is simple as long as access and availability are easy to obtain. The purpose of a broker is not only to make it easy to provision necessary resources, but also to comply with your company’s existing processes. That way, daily business activities aren’t held up, but management can still get the paper trail and authorizations it’s looking for.

Is your company ready to tackle shadow IT?

About The Author

Josh Nelius

Cloud Customer Analyst, IBM

Josh Nelius is a recognized technology and cloud analyst. He has years of experience configuring and supporting various cloud service providers and specializes in the cloud matrix platform.