The very term "Shadow IT" seems to suggest something terrifying and mysterious, lurking and waiting until one day it destroys your business. While the reality isn't quite that dramatic, shadow IT still represents a significant concern and challenge for companies who seek to use cloud services. So, what is it, and how can you best address it at your organization?
What Is Shadow IT?
"Shadow IT" refers to the tools, technologies and devices that are used at a company without the explicit permission or knowledge of the IT department. In an era when many employees are allowed to "bring your own device" (BYOD) to work, and when results-driven startups encourage workers to use any means necessary to solve a problem, shadow IT has become an all-too-common solution to the common frustrations of using officially sanctioned IT tools.
Although Shadow IT has always presented a problem for companies whose own employees are leaving them in the dark, the risks have been heightened by the recent popularity of hybrid cloud solutions. Many companies choose a hybrid solution because compliance and security policies require them to keep sensitive data on premises. However, Shadow IT violates the assumptions that this information will be kept in a controlled environment and increases the chances of a data leak, whether intentional or unintentional.
How Can You Deal with Shadow IT?
Shadow IT presents new challenges for your company, but there are methods and strategies to combat it.
- First, realize that the presence of shadow IT is like an iceberg, a problem on the surface that hides a larger concern beneath. Find out why your employees felt it necessary to bypass the IT department in the first place and come up with solutions to these underlying issues. Was it the slowness and bureaucracy in your company? Are your employees' current tools and devices insufficient for their jobs?
- Second, monitor your network to identify new and unknown devices that may be hinting at the presence of Shadow IT. Often, this can be done with your current security setup, including firewalls, proxies, and security information and event management (SIEM) software. These tools can provide you with valuable information, such as the cloud services being used at your company, who uses them and how much data is being uploaded and downloaded.
- Third, be willing to be flexible. Although there are certain situations where Shadow IT presents an unacceptable risk to your company's sensitive data, other instances of Shadow IT are simply employees trying to stay ahead of the technological curve. If you discover shadow IT in your midst, you might wish to permit it in the short term depending on the circumstances. This lets your business continue as normal and lets you explore adding these verboten tools to your company's officially approved toolbox. In addition, if your employees are trying to make their files available outside of work, consider building a mobile-accessible solution that allows them to work remotely while keeping your data secure.
Shadow IT, or any other potential complications of cloud computing, shouldn't make you run screaming from hybrid cloud. Embrace the many benefits that cloud services can bring your company, but be mindful of shadow IT and the need for proper governance. If you're not sure how to start addressing the problem of Shadow IT at your organization, try a Cloud Consumption Assessment.