Shadow IT refers to information technology software that is procured by employees without the blessing or awareness of the IT department. When it comes to the cloud, shadow IT services are those cloud apps that employees use, such as Evernote, without consulting the IT department.
And while Shadow IT may seem like a pressing problem, before you fight against it, you need to understand the reasons behind it. Although data loss from shadow IT could prove costly, learning about these cloud applications and fine-tuning your IT department's response to it is the best way to combat the problem.
Understand the Growth of Shadow IT
File sharing apps, social media, and collaboration tools created a new industry for shadow IT. Personal Dropbox accounts considered a shadow app even though Dropbox also sells a business version of it, can significantly increase employee productivity and efficiency. Employees can use their personal Dropbox account to share and collaborate with co-workers and partners. They can also access their work-related files from anywhere at any time.
In this way, shadow IT is a good thing. However, while IT security professionals are no longer responsible for the infrastructure or management of applications that run in the public cloud, they are still responsible for security and compliance. Therefore, IT departments should understand the extent to which shadow cloud applications are being used, and block the riskiest ones while permitting those that meet certain security and compliance requirements.
In order to do so, IT departments not only need to know the total number of cloud services being used at their company, they're also required to understand the security risks of each cloud app in use. This is easier said than done. What IT professionals need is a tool that can shed light on the unknown number of cloud apps in use.
One such security technology that has emerged over the last few years is a cloud access security broker (CASB), defined as a control point for cloud security. There are two key capabilities of a CASB that assist in understanding and controlling cloud-based shadow IT:
- An exhaustive registry of cloud services that is updated on a regular basis to add newly released cloud apps
- Security risk rating for each cloud application, derived from the security capabilities and practices of the given app.
With these two capabilities, an organization who uses a CASB can greatly accelerate both the discovery and the security assessment phase of controlling shadow IT sprawl. More importantly, the security team can direct the CASB to allow or block any cloud application in use based on the security risk rating given to it. This means that the IT professional doesn't have to investigate the capabilities of a given cloud service themselves; all that is done by the CASB.
The only thing needed from the IT security professional is a set of policy rules and remediation actions. As an example, the rule can state that if a cloud service lacks the ability to encrypt data at rest, or if the cloud app doesn't offer multi-factor authentication, then disallow employees from using that app.
Don't Merely Cope with Shadow IT
Unfortunately, most IT departments can be slow to adopt innovative technology. Cloud computing makes installing new apps simple. But the solution to shadow IT use lies in changing the IT department and ending the need for shadow apps.
Many employees feel that IT departments are dinosaurs. Duplicated technologies, inefficiencies, and a lack of expansion and forward movement hamper employee productivity. Some IT departments may place new software at the bottom of the evaluation list.
Instead, IT staff should make technology adoption a priority. Shadow IT usually occurs because it offers a faster solution to a problem. If IT speeds the evaluation processes and solutions appear quickly, one doesn't need to use a form of shadow IT.
Stay Up-to-Date on Technology
New technology can catch some IT departments off guard. While people read about innovations, the department itself can fall behind. Make sure your IT professionals keep on top of all the trends by sending at least one IT professional to new technology conferences. Knowing what's ahead and planning for it reduces the need for employees to come up with their own solutions.
Rework IT budgets to allow funds for emerging technology. With funding, IT staff can become much more open to current ideas. Companies don't budget funds for shadow IT. Embrace the latest forms of technology and let the IT staff lead the way.
Offer to Help Your IT Department
Previously, IT department existed only to help employees understand how to use company computers and software. Today, employees themselves are more apt to keep up-to-date on current technology and issues. Let employees volunteer and help your IT department understand the needs they face. If your IT managers welcome suggestions, fewer issues can occur behind the backs of IT department staff.
Don't fear shadow IT. Instead, understand the needs of employees and allow IT department staff to find solutions quickly. Doing so can create a better workplace for everyone.