Mention shadow IT to most enterprise IT and security professionals, and you are likely to elicit a frown. It’s understandable. At its worst, shadow IT, such as an unsanctioned server or cloud storage service, operated (shall we say, less than ideally) by business managers, can place systems and data at serious risk.
However, there’s another side to shadow IT. Shadow IT allows staff to choose their cloud apps and services, which helps improve productivity and drive innovation. Not to mention increase employee happiness.
Still, shadow IT can and does pose significant risks to the organization, such as with the poorly managed server we mentioned. When users decide what cloud services they’re going to use themselves or how to collaborate with co-workers, IT loses visibility into these systems and data. Ultimately, what this means is enterprise data is scattered across multiple cloud services, and visibility into vitally important data is lost. Not good.
After all, if IT doesn’t know a technology is in place, then it’s impossible to secure it or the data it holds. And it’s impossible to know who is accessing that data and why.
Regardless, shadow IT is a permanent part of the enterprise landscape, and IT and security teams need to adapt. According to Gartner, shadow IT comprises roughly 40 percent of enterprise technology purchases. That is, business leaders decide, manage, and control nearly 40 percent of technology purchases.
That much technology, and the data it holds, can’t be left to lurk in the shadows.
We know why business users are so quick to embrace shadow IT. It can often take weeks or months for IT departments to deploy new servers or applications. But with only a credit card, business users can access cloud applications and services within minutes.
The question becomes, how do IT teams harness that innovation from their staff, while also ensuring their data is adequately secured and protected?
They need to bring it out of the shadows.
The first step is to assess what shadow applications and cloud services are in place so that there is an accurate baseline of the cloud applications and services in use.
There are a number of ways to achieve this, and the best method depends on the nature and size of your organization. You could start with a simple survey of the business groups to collect information on the applications they are using. Or you could begin by monitoring traffic and endpoints to see what applications are in use and where data is traveling.
However you establish your baseline, the important thing is to get started.
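One way to build that baseline from traffic monitoring, as an added example that is not part of the original article: the script groups proxy records by destination and reports which unsanctioned services are in use, by whom, and how much data is flowing to them. The log format, hostnames, and sanctioned list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample web-proxy log (assumed format, one record per line):
# timestamp user department destination_host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice finance files.example-storage.test 52428800
2024-05-01T09:01:10Z bob finance files.example-storage.test 1048576
2024-05-01T09:02:30Z carol marketing mail.corp.example 2048
2024-05-01T09:03:45Z dave marketing boards.example-collab.test 4096
2024-05-01T09:04:00Z alice finance Files.Example-Storage.test. 1024
truncated-record
2024-05-01T09:05:00Z erin engineering boards.example-collab.test 8192
"""

# Assumption: hosts of services IT already manages (hypothetical names).
SANCTIONED = {"mail.corp.example", "crm.corp.example"}


def build_baseline(log_text, sanctioned):
    """Group traffic to unsanctioned hosts; return (baseline, skipped_lines)."""
    baseline = defaultdict(
        lambda: {"users": set(), "departments": set(), "bytes_out": 0, "requests": 0}
    )
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparseable records instead of hiding them
            continue
        _, user, dept, host, sent = parts
        host = host.lower().rstrip(".")  # normalise case and trailing dot
        if host in sanctioned:
            continue
        entry = baseline[host]
        entry["users"].add(user)
        entry["departments"].add(dept)
        entry["bytes_out"] += int(sent)
        entry["requests"] += 1
    return dict(baseline), skipped


def report(baseline):
    """Rows of (host, user_count, departments, bytes_out), largest upload first."""
    rows = [(host, len(e["users"]), sorted(e["departments"]), e["bytes_out"])
            for host, e in baseline.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)
```

Sorting by bytes uploaded puts the services holding the most enterprise data at the top of the list, which is where management and data-protection effort should start.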
Now that you’ve identified shadow IT, whether it be cloud apps, storage or platforms, the goal shouldn’t be to reprimand or shut down these services. It should be to ensure the services that the staff has chosen are correctly managed and secured so that IT and security teams have adequate data visibility. That is, they can see what data is flowing to these services and ensure access to that data is controlled, and that the data is protected and recoverable.
This way, when that poorly managed server is uncovered, it can be an opportunity for an educational moment. Staff can be made aware (or reminded) of how vital patching, system updates, and proper monitoring of systems and data are to the security of the organization. And rather than taking the server down, IT can then monitor and properly manage it. The same is true for all cloud services and applications. Rather than trying to ban them all, manage them.
One way to manage them is to use a solution like Code42 Next-Gen Data Loss Protection. It was built to collect information about every version of every file, giving businesses full visibility into where data lives and moves, from endpoints to the cloud. With that kind of oversight, security teams can monitor, investigate, preserve and ultimately recover their valuable IP without having to block data use or rely on the restrictive policies that are part of traditional data loss prevention (DLP). Instead of security teams working with limited visibility into a subset of files (when they need to gauge the risk of all their data) or hindering employee productivity, next-gen DLP helps them foster open, collaborative work environments.
When shadow IT is managed in this way, the organization derives some distinct advantages. IT and security teams become better business enablers and support the needs of staff and business users. They become trusted advisors and facilitators that help the organization go forward securely.