Casting Light On Shadow IT


The business challenges of shadow IT have emerged from the darkness in recent years and are now firmly in the spotlight. With PwC estimating that shadow IT accounts for between 15 and 30 percent of IT spending outside of the IT enterprise budget, it not only presents a real blind spot for enterprises, but has a significant impact upon the security and integrity of company information, and in turn, customer confidence.

IT departments no longer have control over all IT solutions, and many have responded by trying to lock down their infrastructures to prevent shadow IT purchases from occurring. The balance, however, has been tipped too far. By bringing shadow IT out of the shadows and into plain sight, enterprise IT Directors will be able to regain control and ensure their entire infrastructure, wherever it is, is transparent and compliant.

The Rise Of Shadow IT

In its simplest sense, shadow IT has been facilitated by the availability of public cloud services and the ease with which every single employee has the potential to act independently from the IT department and consume cloud infrastructure, business applications and utility software either via a free trial or paid for by their credit card.

Such services, and their costs, have not been approved by those who hold the purse strings and so easily slip under the radar, with huge implications for information security and customer confidence should data become lost or compromised. With Gartner predicting that by 2016, 35 per cent of enterprise IT expenditure will go to shadow IT resources, the scale of the problem is clear to see.

Understanding The Challenges

Instead of burying their heads in the sand, enterprises need to understand that shadow IT is here to stay, giving their business agility and speed. So rather than the traditional approach of ‘shut it down’, CIOs should instead focus on future-proofing their organisation by embracing shadow IT, offering access to flexible, on-demand resources with a hybrid cloud portal. This gives employees the flexibility they desire, but in a structured and secure manner, providing CIOs with the opportunity to regain control over the entire IT environment.

The following nine points outline the key challenges that shadow IT presents and how a hybrid cloud architecture, supported by a comprehensive cloud management platform, can provide CIOs and IT departments with the most viable solution to their existing and emerging IT woes.

1. Meeting Data Protection & Privacy Needs

Customers need to know where their data is held and, when handing it over, expect the holder to be compliant with the appropriate data protection legislation. The unintentional exporting of data via unauthorised shadow IT applications can impact upon a provider’s reputation and credibility. By adopting a hybrid cloud infrastructure, enterprises can mitigate this risk by providing flexibility and options for each business unit to select a provider of choice, whether via public or private cloud, which can be managed centrally so that there are no nasty surprises.

2. Auditing & Compliance

Most businesses require their partners to meet industry standards and will conduct an audit of their IT environment to ensure compliance. Shadow IT applications add a layer of complexity into this process if more formal compliance audits need to happen. By bringing all cloud services under one management layer, enterprises can support compliance needs by providing full event logs.

3. Viruses & Back Doors

Public cloud services often come with a huge library of templates for virtual machines, which sounds great in practice, but can be a risky option as some will have back door access, Trojan horse software, fail to identify viruses or create insecure default configurations. Users of these templates could unwittingly be putting their data and platform security at risk, which can cause problems for future upgrades and application performance.

4. Security Of Data

In a well-managed development process, extensive testing against a variety of data is mandatory. However, it can be hard to generate realistic data, so developers often use production data and anonymise it in some way. Keeping the test data in a controlled environment, and knowing where it is, is essential to keeping it secure. Any breaches via a public cloud application can have a detrimental effect on reputation and future operations.

5. Staff Turnover

When employees have created their own public cloud accounts which hold test or production systems, this presents a huge business risk when those employees leave. Under normal circumstances, IT departments liaise with HR to revoke system access and recover laptops and mobile phones, to minimise risk to data or systems. When those data and systems are outside of the company’s direct control, however, there may be access issues for the business.

6. New Systems Roll-Out

Systems that are being tested or trialled by users in public cloud environments can become production systems almost without a formal roll-out. This has implications for SLAs and with a history of long outages for some key providers, this may impact internal and external customers. One way to keep test and development systems “sandboxed” and away from production users is to keep them on a separate network.

7. Security Of IP

When developers use public cloud services such as Pastebin, GitHub, RubyForge and Stack Overflow to share code with each other, there is a risk to your intellectual property. This challenge can be partly met by having control over which templates can be used and providing your teams with a viable alternative by selecting appropriate software, building a template and making it available as a shared template in your application library.

8. Cost Control

The availability of cloud computing has meant that the normal IT approval and procurement process is often shortened. A need is identified and cloud resources are purchased, often on company or personal credit cards, and then expensed. Sometimes free trial accounts are used which shortens the process even more. This results in confusion, wasted time trying to figure out the process, and spiralling costs. By conducting a review of expense claims to look for cloud services, enterprises can get a good idea of the scale of spending.

9. Getting Locked Into The Cloud

It may seem counter-intuitive that the public cloud can lock you in. With many cloud providers, you can’t export your VM image or even “clones” of those images in private template libraries. Selecting your cloud provider based on your future need means that planning is essential, and the shadow IT approach clearly bypasses that vital step.

Enterprises can mitigate the challenges highlighted above by adopting a hybrid cloud architecture. This provides more flexibility, while also being structured and secure, maintaining control and assuring data governance. As enterprise IT evaluates the best technical approach for hybrid IT management, it’s vitally important that the speed, flexibility and agility drawing end users to public clouds in the first place be preserved in the hybrid model.

The most successful models involve enterprise IT as a service provider for public cloud resources, delivering effective onboarding, training, management tools and guidance to the business units who want to take advantage of public cloud services. If end users feel that these new IT processes are heavy-handed and restrictive, the IT department will be ignored or rejected altogether, driving shadow IT deeper underground.

Ian Finlay is VP of Products at Abiquo, specifically focussing on product development and management. He brings unique insight to Abiquo, having implemented the software whilst at Claranet, where he held the role of Chief Information Officer, Claranet Group – Western Europe’s largest independent managed services provider. Prior to joining Claranet, Ian was CTO of ControlCircle, leading a team of 50 to design, develop, deliver and support a range of networking and managed hosting services and maintaining data centre facilities across Europe and in Singapore, and before that, he held the position of Vice President of IT and Business Systems at Interoute Communications.