Shadow IT is an explosion of cloud computing adoption for business use by employees and groups with no IT involvement. Shadow IT can lead to unintended and undesirable security risks, compliance concerns and hidden costs. But through collaborative IT governance processes, it can also be made beneficial.
How Much Shadow IT is There?
According to a study by Cisco: “IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow. One year ago, the multiple was seven times, six months ago it was 10 times, today it is 15 times and given the exponential growth of cloud we predict that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company.”
Also according to the Cisco study, there is almost no difference in the multiples by industry or by geography. This may be the case because the majority of significant IT innovation among infrastructure, platforms and software is taking place in the public cloud, and business units have need for this technology (most of which cannot be duplicated internally). Shadow IT results when an IT organization is not able to procure, or deliver, these same cloud services or an adequate substitute in a way that satisfies business needs.
If business units are getting what they need in a manner that is quick, cost-effective and/or convenient, then what is wrong with shadow IT anyway? The problem is that although services unsanctioned by IT may satisfy an immediate need from one part of the business, they are not optimized to all the needs – or risks – of the business as a whole.
Left unchecked, shadow IT can lead to higher costs and rising risks. Research from the Cisco study cited earlier shows that the true cost of public cloud can ultimately become 4 to 8 times higher than the cost from a cloud provider as the IT organization or the business units struggle with integration, security and other issues in the wake of the initial acquisitions.
CASBs and Discovery Tools
Cloud access security broker (CASB) vendors offer tools to discover and control shadow IT. Vendors such as Bitglass, Blue Coat (which acquired Elastica), CloudLock, Imperva (Skyfence), Microsoft (Adallom), Netskope, Palo Alto Networks (CirroSecure), Skyhigh Networks and others provide visibility, data loss prevention and application control over shadow IT.
At the low end, some of these vendors offer clients a free shadow IT discovery service. Such an engagement may be as simple as scanning network logs to report all cloud usage going through the firewalls. To get the full perspective on shadow IT, however, touching the endpoints outside the firewall via agents, scans or VPN backhauling will be necessary. Control can also be applied via proxies or API-mode CASBs.
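As an added illustration of the simplest discovery approach described above (it is not code from the original post or from any vendor's tool), the following Python script scans constructed proxy-log lines, maps destination hosts to a small hypothetical cloud-service catalog, and reports which services are in use without IT sanction, ranked by outbound volume. The catalog, the sanctioned list and the log lines are all assumed sample data.

```python
"""Shadow IT discovery from proxy/firewall logs (added example; constructed data)."""
from collections import defaultdict

# Hypothetical catalog (domain suffix -> service); real tools use a vendor-maintained one.
CLOUD_CATALOG = {"dropbox.com": "Dropbox", "box.com": "Box",
                 "sharepoint.com": "SharePoint Online", "wetransfer.com": "WeTransfer"}
SANCTIONED = {"SharePoint Online", "Box"}  # services IT has approved (assumed)

# Constructed log lines, one per request: "timestamp user src_ip dest_host bytes_out"
SAMPLE_LOG = """\
2016-03-01T09:12:01 alice 10.1.2.3 www.dropbox.com 524288
2016-03-01T09:13:44 bob 10.1.2.7 contoso.sharepoint.com 1024
2016-03-01T09:15:10 carol 10.1.2.9 api.dropbox.com 2097152
2016-03-01T09:17:30 dave 10.1.2.11 wetransfer.com 10485760
2016-03-01T09:18:05 bob 10.1.2.7 app.box.com 8192
2016-03-01T09:19:00 erin 10.1.2.12 intranet.example.internal 300
malformed line that should be skipped
"""

def classify(host):
    """Map a destination host to a catalog service by domain suffix, or None."""
    host = host.lower().rstrip(".")
    for suffix, name in CLOUD_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def discover(log_text):
    """Aggregate distinct users and outbound bytes per cloud service seen in the log."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the expected format
        _, user, _, host, nbytes = parts
        service = classify(host)
        if service is None:
            continue  # not a catalogued cloud service (e.g. internal hosts)
        usage[service]["users"].add(user)
        usage[service]["bytes_out"] += int(nbytes)
    return {s: {"users": sorted(u["users"]), "bytes_out": u["bytes_out"],
                "sanctioned": s in SANCTIONED} for s, u in usage.items()}

def shadow_services(log_text):
    """Unsanctioned services, largest outbound volume first (biggest data-loss exposure)."""
    found = discover(log_text)
    return sorted((s for s, d in found.items() if not d["sanctioned"]),
                  key=lambda s: found[s]["bytes_out"], reverse=True)
```

Note that a firewall-only view like this misses traffic from endpoints outside the perimeter, which is why the agent, scan or VPN-backhaul methods mentioned above are needed for full coverage.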
Although shadow IT discovery is a great step forward, control must be tempered with collaboration among IT, business users and the workgroups. Here’s why.
The Deeper Dynamic
Some Gartner research (purchase required) asserts that all forms of IT (not just cloud) within business units will increase as technologies become more deeply embedded in their business activities and ecosystems. According to Gartner, the proportion of IT spending attributable to the business unit level is rising and may even reach 50% within a few years.
Yet many IT organizations remain wedded to centralized models and don’t have a strategy to influence independently funded business units. Without coordination, IT systems developed or used at the business unit level may duplicate one another, or not integrate well when the time comes to share data or applications.
Gardening Shadow IT: A Collaborative Approach
As one participant in an online discussion put it: “Cultivating and managing ShadowIT is a lot like gardening. It takes a green thumb, careful weeding, and balancing out the ecosystem.”
The gardening metaphor can also fit well with the bimodal IT model, wherein IT development is consciously divided into two tracks: one characterized by tight project management and waterfall methodologies, the other by more flexible agile methodologies to promote innovation. Risk and assurance criteria associated with particular data and applications can be part of the criteria used to decide which track a project should run on. Shadow IT projects would tend to run on the agile track of the bimodal model.
On both tracks, shared IT organizations continue to play a vital role. Enterprise architecture, project management, and procurement processes coordinate business unit projects with central IT projects. IT promotes shared services or sanctioned cloud services to the business units to lessen the need for shadow IT. When a business unit moves forward on its own with a shadow IT initiative, it should still have the opportunity to receive guidance, for example, on information security. The best of what grows from shadow IT initiatives should later be cultivated to itself become a shared service available to other business units.
Conclusion
Whether shadow IT projects on the agile (mode 2) track become poisonous weeds or nutritious crops is up to risk management – yet another potentially collaborative process. Businesses that can put the pieces together – architecture, project management, procurement, risk management and the cloud – may be able to convert shadow IT into a healthy and manageable phenomenon that contributes to operational effectiveness and competitive advantage.
The post Shadow IT: Cultivating the Garden appeared first on Security Architects Partners.