5 things IT Ops can do about shadow IT on the cloud

Christopher Null, Freelance writer

A webmail service. A social network. Web-based file sharing. What's the harm in employees using a few cloud services at work?

IT departments are beginning to realize that the problem isn't when one worker signs up for a single service here or there—it's when a lot of people sign up for a lot of them.

According to the Cloud Adoption & Risk Report Q2 2015 from Skyhigh Networks, a cloud security company focused on shadow IT, the average organization now has employees using a whopping 1,083 different cloud services, many of which have been adopted on the sly without being vetted by IT. In many cases, sensitive corporate data is uploaded to these services, putting the enterprise at risk of a data breach.

The numbers are alarming and rapidly climbing. In the second quarter of 2014, there were only 738 different cloud services in use at the typical company. That means that over the past year, a new cloud service was put into operation somewhere at the average enterprise nearly every day.

Dealing with so-called shadow IT is hardly a new challenge, but preventing a user from installing a new hard drive on their computer is one thing—preventing them from using an online word processor via a website is another. How does a modern enterprise manage this rising tide? Here are five potential solutions to consider.


1. Lock down the network...

The first option, and some would argue the least effective, is to tighten the screws on your network security. Services like those offered by Skyhigh Networks let you uncover the identities of the cloud services that are in use at the company, quantify their risk, and identify potential security breaches through the use of unauthorized and/or insecure cloud services. From there, a policy-based system allows you to set security policies that can include blocking certain services from use on the corporate network. Of course, if history has taught us anything, where users have a will, they'll find a way to use a service whether it's authorized or not.
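To make the discovery step concrete, here is an added sketch (not from the original article and not Skyhigh Networks' product) that inventories cloud services from web proxy logs and ranks the unvetted ones by how much data users upload to them. The log format, hostnames, and the sanctioned list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2015-07-01T09:00:01Z alice POST upload.filedrop.example 5242880
2015-07-01T09:02:10Z bob GET www.filedrop.example 512
2015-07-01T09:05:44Z alice POST api.crm-approved.example 2048
2015-07-01T09:07:03Z carol PUT docs.notepad.example 1048576
2015-07-01T09:09:30Z bob POST upload.filedrop.example 3145728
malformed line without enough fields
2015-07-01T09:12:00Z dave GET mail.webmail.example 300
"""

# Hypothetical allowlist of services already vetted by IT.
SANCTIONED = {"crm-approved.example"}

def service_of(host):
    """Collapse a hostname to its last two labels as a rough service key.
    Assumption: good enough for this sample; real data needs a public
    suffix list to handle names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def inventory(log_text, sanctioned):
    """Return {service: {"users": set, "bytes_out": int, "sanctioned": bool}}."""
    services = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records rather than crash
        _, user, method, host, sent = parts
        entry = services[service_of(host)]
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # count only outbound data
            entry["bytes_out"] += int(sent)
    for name, entry in services.items():
        entry["sanctioned"] = name in sanctioned
    return dict(services)

def unsanctioned_by_upload(log_text, sanctioned):
    """Unsanctioned services as (name, user_count, bytes_out), largest upload first."""
    inv = inventory(log_text, sanctioned)
    rows = [(n, len(e["users"]), e["bytes_out"])
            for n, e in inv.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, users, sent in unsanctioned_by_upload(SAMPLE_LOG, SANCTIONED):
        print(f"{name:25} users={users} uploaded={sent} bytes")
```

Ranking by upload volume rather than request count puts the services most likely to hold corporate data at the top of the review list.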


2. ...or lock down the data

The biggest risk with unauthorized cloud services isn't necessarily the service itself but rather the likelihood that corporate data will end up on the public web. Many cloud services aren't secured with strong encryption, and some users may inadvertently share data with unauthorized users through the services.

An alternative solution to the tip above is to use tech tools, not to restrict the way the network is used, but to restrict the way corporate data is accessed by putting it on its own private cloud service. Accellion is a company that operates private cloud services and can restrict the way data is transferred, even allowing for "self-destructing" information. If files can't leave this sandbox, they can't make their way to unauthorized cloud services.

3. Understand why users are going rogue and adapt

Chalk this one up to the old adage, "if you can't beat 'em, join 'em." Secure file sharing company SmartFile's Digital Marketing Manager Curtis Peterson notes that users turn to unauthorized cloud services because companies aren't offering them a working solution to their problems. "People go rogue because—quite frankly—your solution sucks. It's too burdensome or doesn't work. Remember, what might be easy for you to use could be really hard for the end user," he says.

In other words, if users are turning to Google Drive to collaborate on files, it's important to find out what's lacking in your authorized document-sharing strategy. Can your corporate solution be made more user friendly? Do users simply require training on it? Or can a user's preferred solution be adapted and secured in such a way as to make it acceptable at the enterprise level?

4. Attack through the wallet

One clever strategy to deal with shadow IT cloud services is to simply tighten your governance over expense reports. While some of these cloud services are free, many require a fee to operate, particularly at the class of use that would make them attractive to an enterprise-level customer.

When an enterprise user signs up for a rogue Salesforce account, they'll often do so with a personal credit card. "This kind of activity," says Sarah Lahav, CEO of SysAid Technologies, "which is commonly done with the best of intentions, can cause serious issues in terms of corporate governance, exposing the business to serious risk if corporate data is insecure. Businesses can manage this two ways... enforce a finance and management policy to refuse personal or corporate expenses related to cloud services paid for outside of the corporate IT budget. Instead, insist that they are funded by a cloud services budget such that IT has a modicum of input to requirements, security, service levels, costs, and support."

In other words, retrain users by simply refusing to cover their shadow IT expenses.

5. Don't ban anything—make users partners of IT

Is the battle already lost? Is it one worth fighting at all? Many enterprises confess that, for now, they've washed their hands of the problem and are simply giving users permission to use unauthorized cloud services, provided they follow corporate guidelines on proper treatment of confidential information, such as customer data. Hey, it's working fairly well with BYOD initiatives, isn't it?

Simon Bain, CEO of SearchYourCloud, says, "What IT departments are failing to recognize is that this is actually a new and improved way of working because it allows users and IT departments more freedom to work together in a more sustainable way. Shadow IT is growing and helping both organizations and the IT departments to save money and work more effectively. If IT departments become wise and don't ban external email use or cloud storage services, they will give users what they are looking for, and in turn, the IT department gets back control. They get the control of their budget back, as people will start to come back and ask for advice on which device and cloud service they should use rather than choosing one that is outside the organization's approved list."

Shadow IT is an increasingly common reality for enterprises of all sizes. You can choose to cooperate with users and find ways for them to use the cloud services they want to use, or you could take the alternative approach and attempt to crush shadow IT like a bug. The important thing is that you acknowledge that shadow IT exists and that you come up with a plan to ensure you don't accidentally expose sensitive information.
