The term “Shadow IT” refers to IT devices, software and services outside the ownership or control of IT organizations. And, although the terminology makes it sound kind of “shadowy” or illicit in nature, Shadow IT has grown out of necessity. With the advent of Software-as-a-Service (SaaS) applications and the increasing acceptance of Bring Your Own Device (BYOD) to the office, employees are looking to get their work done in ways that seem easiest and most effective to them.
Yet, there are real risks involved. At times, certain protections and safeguards will be forfeited with Shadow IT, even though the users themselves don’t realize it. Much of today’s advice to IT departments for handling Shadow IT is to learn how to deal with it and coexist, rather than trying to shut it down, as outlined in the InformationWeek article Shadow IT: 8 Ways to Cope. Clearly, a strategy is needed that lets employees be effective but also affords the necessary protections.
This post will discuss the immense scope of the Shadow IT issue, the risks inherent with unauthorized software, and the instances where it is essential to enforce IT policies in order to enable protection strategies.
How widespread is Shadow IT?
“Armed only with a credit card and a browser, anyone can purchase low-cost subscription licenses and have a new application up and running in no time at all,” explains the article Managing Shadow IT in ComputerWeekly.com. Even importing corporate data and integrating with other enterprise applications can be achieved, without IT having any involvement or even awareness of new systems.
As of August 2015, in a study of large enterprise customers, Cisco determined “IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow.” They expect that this 15x multiplier will continue to grow as well. Cisco points out that the hidden costs of Shadow IT – including greater business risk – are 4 to 8 times higher than the costs charged by the cloud provider.
Another study titled “The Hidden Truth behind Shadow IT,” conducted by Frost & Sullivan and sponsored by McAfee, found that more than 80 percent of the 600 respondents used non-approved SaaS applications in their jobs – and IT employees were the worst offenders. By their figures, the average company utilizes around 20 SaaS applications; and of these, more than seven are non-approved. “With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” said Pat Calhoun, general manager of network security at McAfee.
Where are Employees turning to Shadow IT the Most?
The Frost & Sullivan survey says non-approved SaaS encompasses every category. Business productivity (e.g., word processing, spreadsheets) is the top category, with 15% of all employees admitting to utilizing applications such as Microsoft Office 365 and Google Apps. Social media applications, led by LinkedIn and Facebook, are used by 12% of respondents, without official approval; and File Sharing, Storage, and Backup applications (including Dropbox and Apple iCloud) follow at 11%.
So … What’s the Risk?
Employees who deploy SaaS applications can put their organization at serious security risk of data loss, breaches, or attacks. Interestingly, approximately 40% of both IT and line-of-business respondents realize that sensitive corporate and personal data could be accessed or stolen by malicious actors or exposed to unauthorized users. About 15% of participants have either experienced or perceived a security incident—malware infection, data loss, unauthorized or blocked access—associated with using a particular SaaS application, as shown in this figure from the Frost & Sullivan survey:
From a broad perspective, the ComputerWeekly.com article outlines the four key risks of Shadow IT as:
- Software Asset Management (SAM) Compliance
- Governance and Standards
- Lack of testing and change control
- Configuration Management
Elastica, a Blue Coat Company, has published a report on “Shadow Data,” which they define as all potentially risky data exposures lurking in cloud apps, due to lack of knowledge of the type of data being uploaded and how it is being shared. They report that of all the documents the average user stored in the cloud, 25% were broadly shared, and of those, 12.5% contained compliance-related data and source code.
Are your Mission-Critical Applications Protected?
Of course, this leads us to think about how the widespread use of Shadow IT means that traditional forms of software protection, such as technology escrow, will often be bypassed when IT and procurement departments are not involved in SaaS subscriptions and these are handled directly by employees.
Without the oversight of IT, certain protections aren’t put into place, and this is particularly important for the mission-critical applications that have a significant impact on your business.
What would happen if the SaaS provider went out of business, was acquired, or stopped supporting your SaaS application? When the application was subscribed to by an employee acting on their own, you’re out of luck. You face loss of productivity due to application downtime, loss of revenue, data loss, and potential brand damage.
On the other hand, when a mission-critical SaaS application is acquired through the IT department, a protection strategy such as SaaSProtect from Iron Mountain – a special form of technology escrow protection for SaaS applications and data – is often put into place. SaaSProtect ensures you will have access to your data and the application itself even if something were to happen to the software or the company hosting it. It gives you a way to make sure that you stay in control of what is yours.
In summary, the existence of Shadow IT points to systemic issues between IT departments and employees that are still being ironed out. The excellent articles and studies cited in this post point to suggestions of how IT and lines of business within an organization can work together to let employees get their jobs done and maintain the necessary safeguards.
The Forbes article “Why CIOs Should be Happy about Shadow IT” suggests that Shadow IT should be rebranded as “dispersed IT” to bring it out of the shadows, make it transparent, and provide services to support it. This way IT can successfully act as an intermediary and handle security, compliance and overall alignment with business strategy.
Sounds like a good solution. Let us know what you think in the comments section below.