Before the proliferation of the cloud, organizations didn’t even think twice about their employees signing up to purchase an application or tool for their own use. Traditionally, implementing new software required buy-in and then permission from the IT department. IT had to free up storage and set up network configurations before a new installation could take place.
But the cloud and SaaS movement over the last decade has made it incredibly easy and affordable for employees to bring new applications into a business environment without consent from corporate IT. Users today can simply sign up for a free trial, enter their credit card number and just like that ... they have a usable product.
If you're lucky, it's a well-established application, one with top-notch security. But realistically it could also be an application hosted in someone’s basement or overseas with inadequate security.
Using unapproved tools and apps in this way is what we refer to as "Shadow IT". Examples of Shadow IT include cloud storage such as Dropbox and Google Drive, personal email accounts being used to conduct business, unsanctioned Bring-Your-Own-Device (BYOD) devices or, as mentioned above, third-party Software-as-a-Service (SaaS) applications.
When it comes to Shadow IT, what you don’t know CAN hurt you. IT is fighting a constant battle between user experience and security. As organizations grow, the number of applications that lurk in the shadows can balloon quickly. Traditional IT methods are not fast enough to keep up.
When these apps are not recognized by IT, Shadow IT can create holes in your network and cloud security and potentially lead to compromises such as data loss, unauthorized access to data, increased exposure to malware infections and violations of compliance regulations.
In most cases, employees do not have ill intentions; they just want to meet their goals. Users today are willing to go outside the scope of IT to get the apps they need to work productively, jeopardizing security and corporate compliance in the process.
So, what can be done?
Effectively monitoring both outgoing and incoming traffic is a technology challenge because of the sheer volume of information that must be evaluated. Many familiar security tools, such as signature analysis to identify malware, are not suited to the task.
Automated tools are necessary to give an actionable view into outgoing traffic, but developing a policy to govern the proliferating cloud and web connections that comprise Shadow IT is the essential piece of the puzzle that often goes missing.
With the continued consumerization of enterprise software apps and services—particularly in the realms of team collaboration and productivity—there is a continued need for technologists to become strategists.
IT leaders need to be the eyes and ears on the technology front to review and approve the use of apps and other software. Today, it’s not enough just to make the purchasing decisions or troubleshoot a software problem. The future of IT lies in providing strategic advice to decision-makers to help employees get the tools and support they need to do their jobs better, within the guidelines of the company’s IT policies.