What is shadow IT? Answers to common questions
Shadow IT explained
Shadow IT is the use of IT hardware or software by an individual or team without the knowledge or approval of the organization's IT department.
With the rapid proliferation of mobile devices and cloud-based services, IT has moved from being a tightly controlled environment to an open one with many stakeholders and constant change. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work, and will do so with or without company approval.
According to Cisco in 2016, 80% of end users use software not cleared by IT, 83% of IT staff admit to using unsanctioned software or services, and only 8% of all enterprises actually know the scope of shadow IT within their organization. And shadow IT has only grown since then.
SaaS management software can help by providing both visibility and control of apps throughout the organization.
What are the problems with shadow IT?
Every new device and application added without IT’s knowledge runs the risk of creating a security gap. Additionally, redundant apps, lapsed subscriptions, siloed data, and collaboration inefficiencies are other common problems.
In a world where malware can take down systems in the blink of an eye, one wrong move can leave reams of data unsecured, and that is a scary thought. A well-intentioned user can end up doing more harm than good, and at the end of the day IT, and more specifically the CIO, will be on the hook.
But are there any benefits?
People use shadow IT for a reason: flexibility. One of the more common motivators for a shadow IT user to choose an “unapproved” app is that it is more efficient and effective than what the IT department has chosen, and chances are pretty good that the employee hired to play a specific role knows a bit more about the tools of their trade than IT does.
Despite the security dangers, shadow IT gives users a way to quickly and easily get the tools they need to be more productive and interact smoothly with co-workers, customers, and partners.
Common types of shadow IT
Common shadow IT examples include:
- Productivity apps (Trello, Slack, Asana)
- Messaging apps on corporate-owned devices (Snapchat, WhatsApp)
- Physical devices (flash drives, external drives)
- Cloud storage (Dropbox, Google Drive)
- Communication apps (Skype, VoIP)
What is the risk of shadow IT?
With the spread of information technology into consumer hands, hundreds of these applications are in use at the typical enterprise. The opacity surrounding each one represents a security gap. Although some applications are harmless, others include functionality such as file sharing and storage, or collaboration, which can present big risks to an organization and its sensitive data. IT and security departments need to see what applications are being used and what risks they pose.
How to detect shadow IT
There are some technical sources and tools you can use to sniff out shadow cloud and IT services, including:
- Firewall logs
- Web proxy logs
- Data loss prevention tools
- Network-aware monitoring tools
You can set up an automated process with any combination of these tools to alert admins about new cloud usage as soon as it is discovered. However, there might be areas where visibility is limited, and the setup process itself is a heavy lift.
Mobile creates an extra wrinkle, as SaaS applications do not necessarily travel through your business’s network.
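As an added example (not code from the original article or from Vendr's product), the following Python script shows the kind of automated check described above: it parses web proxy log lines, reduces each destination to its registered domain, compares that against the sanctioned-app inventory, and reports which unsanctioned services are in use and by whom, plus which ones are new since the last run. The log format, domains, users and inventory are all constructed for illustration, and the registered-domain heuristic (last two labels) is a simplifying assumption that does not handle multi-part public suffixes such as co.uk. It also illustrates the mobile caveat: only traffic that actually crosses the proxy appears here, so a SaaS app used from a phone on a cellular network never shows up in this data.

```python
"""Flag SaaS domains seen in proxy logs that are not in the sanctioned inventory.
Added example; log format, domains and inventory below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log format: "<timestamp> <user> <method> <url-or-host:port> <status>"
SAMPLE_PROXY_LOG = """\
2024-03-01T09:01:12Z alice GET https://app.slack.com/client 200
2024-03-01T09:02:40Z bob CONNECT www.dropbox.com:443 200
2024-03-01T09:03:05Z carol GET https://trello.com/b/abc123/board 200
2024-03-01T09:03:51Z alice GET https://www.dropbox.com/home 200
this line is malformed and should be skipped
2024-03-01T09:05:10Z dave GET https://intranet.example.com/wiki 200
2024-03-01T09:06:33Z erin CONNECT api.notion.so:443 200
"""

# Constructed sanctioned inventory: service name -> domains IT has approved.
SANCTIONED = {
    "Slack": {"slack.com", "app.slack.com"},
    "Intranet": {"intranet.example.com"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def host_from_target(method: str, target: str) -> str:
    """CONNECT lines carry host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def registered_domain(host: str) -> str:
    """Naive registered-domain heuristic (assumption): keep the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def parse_proxy_log(text: str):
    """Yield (timestamp, user, registered_domain); silently skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dom = registered_domain(host_from_target(m.group("method"), m.group("target")))
        yield m.group("ts"), m.group("user"), dom


def sanctioned_domains(inventory: dict) -> set:
    """Collapse the inventory to a set of registered domains for comparison."""
    return {registered_domain(d) for doms in inventory.values() for d in doms}


def find_unsanctioned(log_text: str, inventory: dict) -> dict:
    """Return {unsanctioned_domain: sorted list of users seen reaching it}."""
    allowed = sanctioned_domains(inventory)
    seen = defaultdict(set)
    for _ts, user, dom in parse_proxy_log(log_text):
        if dom and dom not in allowed:
            seen[dom].add(user)
    return {d: sorted(users) for d, users in seen.items()}


def new_since_baseline(current: dict, baseline: set) -> list:
    """Domains that were not in the previous run's findings; these are the alert-worthy ones."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    findings = find_unsanctioned(SAMPLE_PROXY_LOG, SANCTIONED)
    # Constructed baseline: dropbox.com was already known from an earlier run.
    for dom in new_since_baseline(findings, {"dropbox.com"}):
        print(f"NEW unsanctioned service: {dom} used by {', '.join(findings[dom])}")
    for dom, users in sorted(findings.items(), key=lambda kv: -len(kv[1])):
        print(f"{dom}: {len(users)} user(s) -> {', '.join(users)}")
```

In practice the baseline would be persisted between runs (a file or a table) so that each run alerts only on domains discovered since the last one, and the same parsing would be pointed at firewall or DNS logs for sources the proxy does not see.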
How to prevent shadow IT
It’s not entirely preventable, but there are preventive steps you can take. A culture change toward a collaborative environment lets IT and business teams share goals and stay aligned. Clear processes for requesting new apps and a quick turnaround time for those requests keep employees feeling listened to and productive. Training on internal processes and the risks involved with shadow IT, and transparency around what is in use by other teams, will help employees feel empowered to go through the right channels rather than install their own apps.
SaaS management software such as Vendr can help by providing both visibility and control of software-as-a-service (SaaS) apps. Vendr allows users to see all SaaS apps in use and who is using them, optimize spending, manage vendors, and provides a central place for data security and compliance. See how Vendr can help.
Shadow IT: A brief history
Enterprise IT was traditionally highly structured, expensive, and limited to a known set of hardware and software vendors. Every project would take a long time (months/years) to implement, typically requiring a lot of custom development to make it all work.
With this history, it’s no surprise that a company’s internal IT function strove to reduce variables. It was hard enough to get the solution you paid for to work well. And as long as employees were using desktop computers connected to the corporate network, keeping tight control and reducing variables was relatively straightforward.
As the consumer computer industry grew, accelerated by the rise of the Internet, we began to see a “consumerization” of IT. Employees started using laptops, on home networks and on the road. They started using their own computers and phones for “company” work. This created a massive headache for the traditional IT world that sought control and elimination of variables.
To manage this changing landscape, IT began its long fight against any non-sanctioned technology products. They even created a disparaging term for these unofficial products: “shadow IT.” The traditional response to shadow IT was to eliminate it and return control to the centralized process. An entire suite of tools was built to help manage and control shadow IT. Wikipedia lists the typical “implications” of shadow IT:
- Wasted time
- Inconsistent business logic
- Inconsistent approach
- Wasted investment
- Higher risk of data loss or leaks
- Barrier to enhancement
- Organizational dysfunction
- Effect on IT departments
Notice a common thread: they are all negative. This is not an accident, and this pejorative attitude towards shadow IT is pervasive to this day.
SaaS: Pandora’s box for shadow IT
While shadow IT was a problem before SaaS, the proliferation of free, freemium, and inexpensive per-seat SaaS offerings resulted in a massive explosion in shadow IT. This trend is exacerbated by shifting employee preferences. Employees are demanding to use their own devices (the massive BYOD trend).
They are demanding better products that are as usable as the consumer software they’re used to. They are demanding to be able to work from anywhere. When employees are off the corporate network and hardware, traditional tools for managing and fighting shadow IT (e.g. packet sniffing, computer agents) are rendered ineffective.
In fact, this desire for tight control has probably been counter-productive. As IT gets increasingly restrictive, employees simply go completely outside the view of traditional IT. This exacerbates shadow IT, resulting in a much larger surface area of company tech usage and data sharing that is invisible to IT.
Inverting shadow IT: Enlightened IT
The first step to effectively managing IT in today’s often SaaS-first world is an inversion of the typical attitude towards shadow IT. Instead of focusing exclusively on its negative effects, we should also focus on the many benefits of this new world:
- Leveraging intelligence of the ENTIRE organization, not just IT / leadership
- Encouraging more experimentation leads to new product discovery and quicker org-wide adoption of new tools.
- Organic adoption results in employees using the products they want
- Better product discovery as decisions get pushed to “users”
- Happier, more productive employees
The way to do that is to invert the traditional attitude towards shadow IT: start with permission and restrict if needed, rather than starting with restriction and approving through a centralized process. Require that products be blacklisted to prevent usage, rather than waiting for them to be whitelisted before allowing usage.
We call this approach Enlightened IT. It’s a great way to encourage bottom-up innovation and adoption in an organization. It’s also a better strategic approach to minimizing downside risk, because you actually see everything and reduce blind spots.
How to effectively manage enlightened IT
While it’s important to invert the traditional IT decision-making process, it’s even more important to do so in a smart, not reckless way. In addition to a new outlook, it requires a different set of tools.
To make this work, you need to be able to:
- Easily capture accurate information on products that employees are using, especially when outside company networks or company owned computers
- Discover product usage across the entire organization, not just traditional decision makers (everyone is a decision maker now)
- Be able and willing to promote and expand products that are working well and making employees happier and more productive
- Quickly find and address any security issues to minimize downside risk
- Be easily able to kill what’s not working or what’s not up to security or compliance guidelines
With that in place, you can begin a simple analysis of products that are discovered across the organization. They should fall into one of four buckets:
- Expand: Usage and adoption of products by teams and individuals can result in finding and choosing products that make the entire company happier and more productive. Products that meet both of these characteristics should be expanded to more users and teams, and even be brought into the core stack.
- Allow: A more open policy allows for many more products that may not necessarily need to be expanded, but serve a particular function for a particular team, and can go on doing so in a self-supported way. Plenty of department specific tools, such as marketing lead enrichment, will fall under this bucket.
- Research: This is the most important part of the Enlightened IT framework. Experimentation with new apps is great and should be allowed and encouraged; however, monitoring and research are still important. Products that have access to sensitive information, e.g. financial data, contracts, or PII (personally identifiable information), should be more closely vetted to make sure they meet your internal security requirements. After that initial research, you can choose to expand, allow, or restrict.
- Restrict: Certain apps may always be restricted by your particular organization, due either to industry-specific compliance needs, particular team sensitivities, or proactive decisions to consolidate on certain tools. The appropriate framework is to think of these restricted apps as a specific “Blacklist.” The default for a new app is that it can be tested, but certain products can be blacklisted.
Changing the culture of an organization to encourage bottom-up adoption and more permissionless innovation will require buy-in from various teams, especially IT. If you can make this change, and start leveraging the product intelligence across the entire organization, you’ll likely have happier, more productive employees, and less worry about shadow IT.
Enter Vendr – Turning shadow IT into enlightened IT in a SaaS-first world
Vendr automatically detects all the tools in use in your organization, across devices, and across networks. This is increasingly necessary as work moves onto personal devices and non-office networks.
Keeping a pulse on what the organization is using is the critical first step to making sure you make the best choices, keep employees happy and productive, and minimize security risk. Check out Vendr to see how we can help.