Such procurement of technology solutions without engaging the internal technology specialists is widespread. In fact, Gartner estimates that Shadow IT may account for about 40% of technology spending, and a McAfee-sponsored survey found that IT departments have only 47% visibility into their companies’ own cloud applications.
For data centre managers who remember the good old days of tech teaching employees how to use email and navigate WordPerfect, Shadow IT feels like a coup. Employees now show up armed with devices, and some will sign up for nearly any cloud service they believe will help them do their jobs.
It can be hard to remember that tech-savvy, solution-seeking, independent-minded employees are an asset—but they are. These individuals are a ticket to innovation and must be safely empowered, not stymied. But if employees are to gain greater support in selecting cloud services and other solutions from a variety of providers, data centre managers will need to confront the challenges of multi-cloud implementation head-on.
Shadow IT may be an indicator of positive characteristics in the employee base, but that doesn’t mean technologies should be deployed in this manner. There are serious issues with the use of unapproved, unvetted solutions that aren’t properly wired into the technology processes and infrastructure, including:
· General Data Protection Regulation penalties—These days, all roads seem to lead back to the GDPR. Enterprises are being more carefully scrutinised for their data handling. If a customer asks for their information to be purged from an email list, but an employee maintained a private copy on Dropbox that they later use, fines could follow.
· Security breaches—Many apps and especially consumer-oriented cloud services suffer shortcomings like weak encryption or internal access that puts customer data at the fingertips of their employees. This is a big deal. Gartner predicts that by 2020, one-third of all successful security attacks on companies will come through Shadow IT systems and resources.
· Lack of backups—Many apps replicate data, but they don’t enable corporate backup and restore. What’s more, if an employee with an account leaves the company, any data under their control could be lost to an inaccessible public cloud.
· Increased cost and inefficiency—Cloud sprawl is a continual challenge. Different lines of business may pay for duplicate services, negotiated and bundling discounts probably aren’t being taken advantage of, and subscriptions can easily enter “zombie mode,” unused but auto-billed.
· Interoperability—The world of Shadow IT is often one of workarounds. Third-party solutions store data in different formats, provide different export options, have different API capabilities, and so on. Employees may not recognise at the outset how the enterprise will want to reuse data later, possibly in ways not facilitated by the solution they’ve chosen.
· Governance and change management—We’ve talked about GDPR, but additional compliance requirements will frequently apply. Tech professionals also know the importance of change management, but it’s not something employees using the virtual equivalent of duct tape to connect disparate services will be aware of. This means that their ad hoc solutions can quickly become big troubleshooting problems.
For all the reasons outlined above, it’s understandable that Shadow IT can drive data centre staff up the proverbial tree. If only the lines of business would come to the tech organisation, they argue, IT managers and administrators could set them up with something more effective at a better price and with full view of the security, compliance, and interoperability complexities involved.
Why don’t employees tap the IT resources right there in house? One reason: it usually takes too long.
As frustrated as a data centre manager may be when yet another unauthorised piece of software or renegade cloud service adds to the day’s list of crises to be solved, a punitive approach won’t usually work in cutting off Shadow IT. This can even stifle progress which the business needs. There are many technologies for tracking cloud usage, stopping unauthorised downloads, and monitoring networks, but sometimes “full lockdown”—to the extent that’s possible—will only make the lines of business go to greater lengths to outsmart the system. We’ve heard of department managers repeating a 4G signal from a personal tablet to allow their employees access to an otherwise verboten capability, so the options are out there.
A mindset of “search and enable” instead of “search and destroy” can help IT pros use the tools at hand to identify unmet needs among the lines of business and then consult with them to help fulfill their demands in a safer, more effective manner. It can be helpful to think like an improv comic, who when presented with a situation by another actor, cannot say “no” during a performance, but can only say “yes, and…”. In other words, the IT department should be in the habit of saying “yes” to the lines of business, but data centre personnel can say “and,” adding requirements and controls for data protection, compliance, security, and so on.
Unfortunately, what we’re really talking about here is rapidly transitioning to IT-as-a-Service (ITaaS) – no small feat in itself – and doing so in the most challenging way possible, with multi-cloud issues already proliferating.
The ultimate goal is to beat Shadow IT at its own game. If the lines of business can access internal IT experts who will find the right solutions, negotiate the prices, manage the vendors, and integrate it all so that it works as expected and on time, why go anywhere else? Most of the requisite cultural shifts, reorganisational issues and budget allocation debates will fall to the CIO or equivalent executive, but there is an important role for data centre managers as well. DevSecOps can provide the agile, responsive, cross-functional team, integrating infrastructure and operations experts to manage the demands in a timely manner.
Various tools and approaches can also help data centre leaders identify, monitor, secure, and integrate this ad hoc, multi-cloud infrastructure that they didn’t select but will inevitably be asked to support and adjust. The process is usually not neat and tidy, so data centre managers will want to look toward a combination of tools like the following:
· Encryption—Investing in point-to-point data encryption and encrypting all data at rest can provide some protection against Shadow IT breaches.
· Data leak protection (DLP)—These solutions can help avoid and later track down leaks of highly sensitive information, which could be flowing out to any number of connected apps.
· Zero-trust networks—Network access controls and monitoring should assume every connected system, all the way to the edge, is potentially compromised, because that’s the Shadow IT reality.
· Software-defined security applications—Newer security applications write security policies to block unauthorised software downloads. Cisco’s Software-Defined Access (SD-Access) is a good example and cloud-based alternatives exist as well.
· IT asset management—ITAM is quite good at detecting Shadow IT by gathering hardware and software inventory information. The market now includes cloud-based ITAM for auditing cloud usage.
· Traffic analysis—These tools can help administrators search outbound traffic that could compromise data by uploading it to unsecured or inappropriate locations.
· Cloud access security brokers—CASBs provide semi-turnkey methods for regulating access to cloud-based apps and establishing safe channels connecting cloud resources to the corporate network.
· DPaaS—Data Protection-as-a-Service from a managed services provider can supply the expertise and solutions to protect the data across cloud, mobile, on-premises, and edge.
Data protection and backup solutions can help ensure that whatever Shadow IT is happening unbeknownst to the tech pros is somewhat safer and that key data is locked down. Monitoring and detection solutions can flag Shadow IT activity for appropriate follow-up, whether this means denial of access, replacement with a better alternative, or integration into the growing multi-cloud landscape. If paired with a cultural shift that brings the lines of business to IT with their requests more often, Shadow IT can be buttoned down to a reasonable extent.
No process or toolset will avoid Shadow IT problems forever. Employees will inevitably find ways to access what they think they need. If the IT team isn’t a responsive partner in delivering the goods, employees will eventually work around it, and given the profit available, plenty of third-party providers will facilitate that.
Addressing Shadow IT is thus like managing a chronic disease. Current treatments may lose effectiveness over time. Data centre personnel will need to come back to the issue and apply new and emerging technologies to “search and enable” the next outbreak. Machine learning and behavioural analytics, for example, offer new possibilities for monitoring, threat detection, and response. Deployed within an IT culture that respects the need for innovation, they can be effective in leveraging the benefits of motivated, tech-savvy employees while mitigating the risks associated with Shadow IT.