Several years back, organizations didn’t even think about users signing up for their own applications and tools. Each application required access to resources that were beyond the users’ control, which kept the problem bottled up. Storage, compute, and network configurations were all IT’s domain, so IT needed to be consulted before a new installation could take place.
Now, however, users can simply enter their credit card number into an easy-to-use portal and almost instantly have a usable product. This may be a well-established application, one with security that surpasses your own data center. However, it could also be an application hosted in the basement of someone who thinks “Security by Obscurity” is adequate protection.
Taken to the extreme, users could even spin up their own infrastructure to support nearly any in-house developed application!
Why do users feel the need to strike out on their own in search of applications?
IT departments are their own worst enemy. Long processes and hardline stances on policies discourage interaction. As a result, employees don’t communicate with their IT departments. To move faster and with less restriction, they create silos that contain their own internal experts who help them with IT problems. The responsibility rests on IT departments to bridge the gap, but many aren’t up to the task.
As organizations grow, the number of applications that lurk in the shadows can balloon quickly. Traditional IT methods are not fast enough to keep up.
So, what can be done?
IT departments need to reposition themselves.
Employees aren’t subverting the department out of malice; they just want to meet their goals. Instead of being a barrier for employees, IT departments need to create value. They should be there to help.
Change needs to happen to adapt to cloud use. While the process can be difficult, IT personnel need to monitor unsanctioned cloud use, address it with employees, and then listen to their responses. Approval processes need to become faster and more flexible. And finally, steps should be taken to ensure that these lines of communication remain open.
Cloud Access Security Broker (CASB)
One way to monitor which cloud-based apps are in use, both sanctioned and unsanctioned, is to deploy a Cloud Access Security Broker (CASB) solution. A CASB is on-premises or cloud-hosted software that sits between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications.
Technologies for monitoring and controlling unsanctioned cloud use can be applied, but trying to shut down SaaS entirely isn’t feasible. IT departments should use Shadow IT monitoring to learn more about how to deliver value to each department and evolve with employees’ needs. Reverting to “business as usual” is the easy thing to do, but it’s also risky. When IT departments lose touch with employees, they are complicit in creating the security risks inherent in Shadow IT.
Do you have Shadow IT in your organization? How do you locate it and how do you manage unsanctioned apps?
Author Bio: Joe Goldberg is the Senior Cloud Program Manager at CCSI. Over the past 15+ years, Joe has helped companies design, build out, and optimize their network and data center infrastructure. As a result of his efforts, major gains in ROI have been realized through virtualization, WAN implementation, core network redesigns, and the adoption of cloud services. Joe is also ITIL certified.