Whether you realize it or not, many companies contain workstations with software that is not approved by the information technology (IT) department; instead, it has been adopted and installed by individuals or even, in some cases, entire departments. We call this use of unapproved applications or third-party cloud services ‘Shadow IT’ due to its clandestine or covert status.
More often than not, these activities are not malicious in nature: they are merely a means of maintaining productivity when IT response times to support requests are sadly lacking. One key – and often overlooked – aspect of shadow IT is found in development environments where some users/developers are using public clouds to do development work, or running their own open source software in a virtual machine (VM) on someone else’s cloud.
The dark side of shadow IT
Users and developers often don’t realize the ramifications of using shadow IT. For instance, they don’t consider the fact that shadow IT:
- Places development work outside their company’s firewalls, leaving company-sensitive data totally exposed.
- Can result in serious damages in the event of an e-discovery requirement if companies are unaware of all the locations where their data resides.
- Sets the stage for asset management and software licensing issues.
This isn’t something to shrug off with the old quip “it’s easier to ask for forgiveness than permission.” There is a real reason why IT policy prohibits shadow IT activities.
A wake-up call for IT departments everywhere
Although users and developers are the ones gravitating toward shadow IT, they aren’t actually the source of the problem. In many ways, IT departments are causing their own security issues as inefficient response times force employees to find timely alternatives to maintain their own productivity goals.
IT needs to wake up and understand that business as usual – where the IT department receives a request and takes six weeks to complete it – is no longer acceptable. During those six weeks, rather than wait, employees are going to find their own solutions, which may include shadow IT implementation.
Locking down desktops or preventing access to the Web will not deter shadow IT, as employees will often find workarounds. Yes, we have to improve IT turnaround, but even an improvement of 50 percent would mean that requests would take three weeks, which is still too long. We need to find a better way.
Leveraging a new approach
IT therefore needs to think about doing business differently if it wants to remove shadow IT and get rid of the security implications of putting corporate data on unsecured platforms on the Web. The ideal answer is to find a cloud provider with reasonable pricing where IT can lock that cloud down to its standards or, alternatively, to create its own internal self-service cloud, where it can charge back to the department or employees as resources are used.
The benefits of this approach are obvious:
- When a company has its own interface to an approved cloud, there is a measure of control that does not allow data loss in the same manner as experienced in the public cloud. In other words, the company gains control of its data, as it can only be shared with members of the same organization or even project team.
- Having a self-service cloud solution gives you the ability to specify how long a virtual machine will run. This is especially important in the development environment, where a specific platform may only be required for a few days.
- The self-service environment is ideal for training, with predefined training environments configured and installed in minutes.
- If you have a virtual machine in your own cloud, you can control the data that goes in and out and can also review traffic logs where necessary, i.e., in the event of a hack.
- In a self-service environment, if a developer requires an image for a particular operating system, licensing requirements are automatically catered for and charged to the relevant department. This may not be the case in a public environment, as users will tend to use whatever software installation disks are lying around, increasing the risk of noncompliance for software licensing. Therefore, with the elimination of shadow IT, asset management and software licensing become easier to manage.
- The final – and perhaps the most crucial – benefit to removing shadow IT is that it allows the IT department to focus on business-critical processes, rather than endlessly supporting trivial requests from end users.
If IT does not provide the tools necessary for development work, developers and other end-users will find solutions elsewhere. The onus is on IT to eliminate the situation by providing a software repository that meets all employee requirements, thereby preventing them from going outside the company to get their work done.
This article was previously published on Forbes.com.