A company IT infrastructure consists of hardware, servers, operating systems, software and applications. The hardware division may be managed by system and network administrators while project managers for software applications may be in charge of specific divisions and projects. With each division having separate heads to manage the operations, an additional hardware, software application or devices are added only on approval of IT departments.
However, with the advent of the web and several software service providers giving an option to use software and applications with free downloads or access to cloud, many employees may have downloaded or accessed software on subscription basis for various purposes. Such applications which are installed or used without the knowledge of the IT administrators form part of Shadow IT.
With the increasing popularity of the cloud and Software-as-a-Service (SaaS), many managers may have the tendency to go the easy route of using Shadow IT rather than create a ticket within the organization for the IT department to respond, assess and implement.
Here are the dangers associated with using Shadow IT and some steps to be taken to help in enterprise performance.
Lack of modernization and slow implementation
If more managers and departments are utilizing Shadow IT, it may be a reflection on the lack of efficiency of IT departments withint the organization. Or the IT team itself may respond slowly to a ticket (issue or problem) raised by the departments. In some cases, it may take weeks and months to deliver a solution. This may result in more employees seeking cloud services to get their work done.
Marketing cloud apps such as Netsuite, SalesForce, Drop Box, Google Docs for file sharing, Yammer, Asana for work and project collaboration have all dynamically evolved to provide both web-based and mobile services which can be accessed on the smart phone.
It is easy to blame the IT department for slow implementation or lack of innovative spirit but blindly adding on more cloud based application silos in each department is not surely an answer to this issue. Each department head or leader should hold an open dialogue with the concerned IT manager or leader to redress the issue. If each department uses Shadow IT that doesn’t collaborate outside of its department that could have larger implications on efficiency of the organization. Moreover, having a dialogue with IT department heads would help the top management know about the need for more investment perhaps in getting talent or better tools to create new software solutions.
In short, with lack of centralization of IT initiatives, organisational silos multiply leading to lack of control and collaboration between departments. This is something companies need to tackle despite some short term benefits gained from use of Shadow IT – lower IT costs, more flexibility, quick completion of tasks and implementation of apps.
Shadow IT creates increased security risks
With no centralized control and more deployment of Shadow IT, the organization is under increased security threats. Even file sharing apps such as Dropbox could involve the proprietary data or intellectual property (IP) of the organization being shared outside the company or falling into wrong hands.
Such application silos fall outside the ambit of internal firewalls thereby exposing it to hacking. If their customer data is shared without proper controls and in case of security breach, heavy fines from regulators for issues related to data compliance, regulatory strictures could happen leading to consumer distrust and loss of satisfaction. Hence, the managers and team leaders in various departments should be made aware of the increased risks in the use of third party software and inform the IT department of the use of such apps.
In some industries such as finance, health services, investment and banking, failure on regulatory compliance can prove costly and limit the ability of the organisation to grow. It exposes the organization to vulnerabilities and potential loss of data.
Similarly, some employees may be prone to use passwords that can be easily guessed or use same password for multiple applications exposing the organization to threat. When cyber criminals manage to enter one such application it is easier for them to intrude the entire network.
According to an IBM Security Study if cybercriminals attack third party cloud applications, they can steal value corporate data and credentials getting direct access to a company’s network. Moreover, they may be difficult to trace as they have come through a third-party system and not directly into the company’s network.
Duplication of apps and lack of internal support
When departments rely on more cloud apps, it could lead to duplication of apps by different groups having separate administrators (admins). This leads to increased costs and lack of collaboration. This can be prevented if apps commonly used by various departments were implemented under a group plan. When too many cloud apps are used in a decentralized manner, they could face problems if timely support is not provided by the service providers. Morever, internal team may be lacking in skills to address the problems related to it. Therefore, it is better to have dialogue with the IT department and get suggestions regarding the apps that best integrate with the existing infrastructure and also has better service support.
Review of existing tools and policies
At the outset it was mentioned that increased use of Shadow IT reflected on the lack of efficiency of the internal IT departments. One way to improve the existing IT systems is to find out the pain points for the employees and holes in the system that prompts them to look for cloud based alternatives. If a simpler alternative can be developed in house which can be managed internally, it may be the first step in managing unsanctioned apps and tools.
Effective communication is important than policing
There is a compelling incentive for departments and key team players to opt for Shadow IT apps. Instead of penalizing them for using it or passing strictures, managements should encourage dialogue between IT departments and concerned non-IT departments. They can be made aware of the security threats involved in using cloud services, collaboration problems, and ask them to be transparent about the use of such apps. Shadow IT should emerge from the shadows and be acceptable for both IT and non-IT departments.
Perhaps, devoting a small team to study the cloud apps requirements of departments and work on the best cloud apps may be the right way to integrate cloud with their internal systems. The role of Chief Information Officer (CIO) would be to act as an intermediary between the apps and the users.
Putting stricter rules on use of cloud services may result in lesser efficiency and lack of trust among employees in the long run. It has been reported that some companies have resorted to ban on Evernote, Dropbox and iPhones to prevent use of cloud services, but it is also a fact that such services can dramatically increase the productivity of employees. So the solution to this problem does not live with effective policing but more internal communication and dialogue.
IT departments need to monitor outbound traffic
There are firewalls to protect inbound traffic but outbound traffic needs to be monitored so that employees seeking cloud applications can be found out. The firewall can be automated to identify outbound traffic and keep a log of sites being monitored. This can help detect people using such apps and a dialogue can be initiated with them.
Tracking the cloud apps used by employees also enables the organization to assess the threats associated with it. If the internal IT departments are unable to assess the threats fully, there are organisations such as CipherCloud, whose Risk Intelligence Lab has assessed millions of cloud applications regarding their compliance with such regulations as HIPAA, PCI and EU Safe Harbor.
The risks associated with employees using cloud apps for personal use and undertaking outside apps cannot be ruled out. When employees undertake such work, it could seriously have implications on employee productivity and corporate results.
Similarly, it was found that many employees use personal email id to register for cloud apps and upload data, updates on it to be accessible on mobile and other devices. It is convenient and does improve productivity, however, the risk associated with the person leaving the organization and sharing such data with the competitors. Without an proper controls, the employee leaving the organization would still have access to the data on the cloud apps, as the login was created using their personal id’s and not company ids.
Software upgrades can cause system failure
With cloud applications, the responsibility for upgradation rests with the service provider. However, such upgradations could have impact on the functioning or integration of the systems within the organisations. It is therefore taxing to manage the change related to upgradation and third party support is required for it.
If the IT department is involved with the installation and management of cloud apps, such problems can be averted as they can work with the service providers to ensure smooth integration and collaboration. It could prevent any breakdown due to software upgrades, analysts said.
Build a framework to bring tools inhouse
Without putting a ban on outside tools and apps, productivity can be improved if right framework for deployment of technology is established which will also promote innovation within the organization. Implementing a hybrid cloud is one way of tackling the problem by providing a platform ideal for workgroup applications of departments. This framework will enable the employees to have the tools to build solutions that are required for the business.
With businesses becoming global and employs travelling for work and working while one travel, it makes sense to allow the best of technologies to be used that can be integrated with desktop, laptop and the mobile. The Chief Information Officers (CIO) and Chief Technology Officers (CTOs) need to exercise control on the use of cloud apps even as they don’t restrict its use inhibiting innovation. IT departments should enable an environment of innovating together rather than working as water tighter compartments as in the past.
Now Cloud App Security released by Microsoft may help IT teams to keep track of cloud apps used by the employees which may have gone undetected previously. It not only identifies the apps but provides risk score, real time risk assessment and analytics. It will also enable IT administrators to authorize only select cloud apps, set controls, data sharing policies, customize them for the requirements of the firm.
IT majors are working closely with cloud apps providers to make their offerings secure and accepted by enterprises. IBM Cloud Security Enforcer would help service providers assess the risks and threats in cloud based services. It is working closely with Drop Box and other leading unregulated vendors to.
A recent study by CISCO and NTT Communications Corporation revealed that use of Shadow IT is increasing across the industry. About 77% decision makers in the NTT survey had used cloud applications devised third part service providers and they expect their use to grow. Many respondents in the survey didn’t know in which country the cloud based data was stored.
Many employees are prone to use unregulated, free cloud software such as Drop Box or Google Drive. According to Microsoft which has come out with Cloud App Security, each employee on an average uses 17 cloud apps which are not authorized by the IT department or used without its knowledge. An average financial services organization uses 1004 cloud services and is much more than previously estimated, according to a report from Skyhigh. So far only 24% of the financial services have reported insider threats due to cloud services deployment but a majority indicated behavior which can be indicative of an insider threat.
With surveys pointing out some major flaws in mobile apps that put personal information and data at risk, companies need to take mobile security more seriously, analysts said. Organisations need to balance the risk and rewards associated with cloud services to come up with a management strategy to deal with it.
Here are some articles that will help you to get more detail about the Pitfalls of Shadow IT & Boost Performance so just go through the link.