There has been a lot of hand-wringing in the past year or so about the threat of Shadow IT. By its very name, it sums up images of darkness, subterfuge, and illegality. But what exactly is meant by Shadow IT, and is it the threat we are led to believe?
References to Shadow IT grew out of widely adopted SaaS tech and the BYOD movement. Now that a reliable high-speed internet connection is more or less a given, online services like Salesforce, Office 365, Dropbox, and Google Apps are accessible pretty much all of the time. Because these services are web-based, users don’t need administrative permissions to use them: they just go to the web page, log in, and start to work.
The constant talk of BYOD lent further credence to the notion that a wave of user-defined IT was just around the corner. Surveys have shown that possibly up to 80% of business users admit to using software or services not sanctioned or signed off on by their employers.
So, are we really riding a wave of risk? Are company employees who use unsanctioned SaaS exposing their employers to liability under the Data Protection Act and making it easier for competitors to gain access to company financials and future roadmaps? Are they chancing massive customer backlash, legal wrangles, and negative publicity if personal data is compromised, and possibly demonstrating PCI non-compliance?
Or is it all simply a load of FUD?
The first question to ask is whether the concept of Shadow IT is only a product of the wide availability of SaaS applications. Whereas SaaS has definitely broadened the reach of Shadow IT, it could be argued that before SaaS was even conceived, there were examples of users who had put together business-critical functions that flew right under the radar of their IT departments. The classic example is Access databases. Many IT departments have struggled to accommodate Access databases that have been created by users and somehow grown to be business-critical, to the extent that I have seen IT staff doing aggressive scans for .mdb files and exporting them rapidly into the (managed) SQL infrastructure.
But that raises another point: the real threat of Shadow IT is data loss, which is generally more of a risk when the data is cloud-based. The definition of Shadow IT as simply unmanaged or unsanctioned applications is probably too broad. Whilst unsanctioned applications can bring security risks and vulnerabilities, typically users don’t have the rights to install software, and if they do, they generally know better than to abuse those rights, if only because their IT departments will refuse to support them. There has to be a cloud-based side to the Shadow IT coin before it starts to become threatening.
The main problem with these cloud services (as an example, out of all the file-syncing services out there, only one, Box, was certified as “enterprise ready”) is that it is stunningly easy for users to get involved with them and start effectively circumventing their IT departments. Users aren’t, to be fair, engaged in active rebellion; they just want the quickest, easiest, and most productive way of getting their work done. And if they find an easier way, you can bet they will tell the people around them.
Of course, companies have corporate policies and web filters that should actively restrict or discourage users from doing this—but herein lies another problem with Shadow IT. If, for example, USB drives are restricted, email attachments stripped, and most cloud services blocked, then if users find a service that isn’t blocked, they may well assume that it is, by definition, permissible to use.
Another problem that may drive users toward usage of unsanctioned cloud services is that sometimes IT departments can be monolithic, rigid, and inflexible. Long-winded justification processes for new software and a lack of resources for providing decent alternatives can force users with deadlines to meet to adopt their own solutions. IT security can often come at the cost of agility, but when end users are under pressure, they may be tempted to risk violating security policy to get their jobs done.
So, keeping all this in mind, is the problem as widespread as many surveys and articles would have us believe? Let’s not forget there is now a market for tools that can scan for and identify your Shadow IT usage, so a certain amount of FUD around the subject is to be expected.
Based on my experience, I would conclude that Shadow IT in this context is not as widespread as has been insinuated. I would say that the problem exists only in those enterprises where IT is still self-serving and utterly inflexible. The old adage of “business is not there for IT; IT is there for the business” should be very applicable to this subject. These days, many departments have control over the procurement of their own software, and IT should exist to accommodate this, rather than try to insist on the use of specific tools and hardware. There must be compromises in this. It is not good practice for a company to invest heavily in, for instance, Mac hardware if it has no skills to support it; however, IT departments should be pouring their energies into embracing and supporting the things that allow users to get their jobs done most effectively. Technologies now exist that provide on-premises services similar to the cloud-based ones that users gravitate to, offering the mobility and productivity that pushes users to Shadow IT in the first place, whilst maintaining better security.
Of course, this creates a challenge for a number of stuck-in-their-ways IT departments—a challenge to adapt their working practices according to the needs of users and to help improve the overall experience that users have when at work. But faced with the alternative—users dropping enterprise data willy-nilly into unsanctioned and often exploitable cloud services—surely they have no choice at all but to adapt?