Thursday, July 18, 2024

The Threat of Shadow IT: Protecting Data from Loss and Exposure


The term “Shadow IT” screams spy stories: secret agents chasing each other through the streets of Munich and mysterious organizations disrupting global data flows.

Well, the second image may be true. But it’s not the meaning behind Shadow IT, which refers to computing hardware and software that are outside the bounds of IT control or even awareness.

It’s a big issue. McAfee sponsored a survey about Shadow IT and security issues in the cloud. They found that non-IT employees acquired 40% of public cloud services, that IT has only 47% visibility into cloud applications being run in the business, and that 75% of the IT respondents believed that Shadow IT is compromising cloud security.

What Happened?

The Shadow IT phenomenon is not new. For decades, employees brought their own disks or CDs and installed software onto company desktops or laptops. And every department had its resident “computer guy” who was not IT staff but had a flair for computers.

All of which was a minor headache for IT. Consequences were usually limited to the occasional computer guy call to the Help Desk or discovering that an employee was running Ultima on her laptop.

But now Shadow IT has grown into a big issue for IT. Users see it as an opportunity given the easy availability of cloud applications and cloud data storage, which may benefit the business. The problem is that the same untrammeled access poses dangerous threats to security and data availability.

We are not talking about deliberate malfeasance by any means. Shadow IT does not come from malicious motives, but from an employee’s motivation to do better work by using the right tools. And the employee wants to be the judge of what the right tools are.

Good motivation aside, it’s a big risk.

The Business at Risk

When a company loses or exposes sensitive data, consequences are severe. Loss of reputation and embarrassing PR is just the start; judgments and fines are also on the menu. Even with IT-sanctioned technology, data protection and security are not easy. It’s a never-ending process of optimizing, upgrading, monitoring, verifying, and refreshing data protection platforms and security frameworks.

But managers and employees who do end-runs around IT are not likely to verify even the most basic security and data protection measures in the cloud. For example, it’s extremely common for end-users to believe that their cloud provider backs up the data in their SaaS application, so what harm could there be?

The harm is that cloud providers rarely run traditional backup and recovery on customer data. They replicate data, but unless the customer takes deliberate steps there is no backing up and restoring of data copies. Lost data cannot be recovered, and if an employee leaves the company, the business may or may not be able to access the ex-employee’s data that sits in an unknown cloud.

They don’t know to ask this or other key questions like:

1. Does my SaaS application provide regular backup? (A lot of end-users think it does but that is rarely the case.)

2. What restoration guarantees do I have, and can I customize my SLA to provide better data protection?

3. Are my provider’s data centers geographically separate for safer replication?

4. Does my backup method include 3-2-1 data protection?

5. Does my provider protect user credentials, and are mine strong enough?

6. Are my provider’s data centers digitally and physically secure?

7. Can my cloud provider access my private data encryption keys?

Without the right answers to these questions, IT loses direct control over applications, not to mention over data in the cloud and support expenses. Shadow IT’s systems and applications are at risk without corporate data protection, DR and security.

A Way Forward?

Shadow IT is here to stay, so there needs to be a way for IT to directly administer backup and security across application portfolios.

Outside of highly regulated or military networks, simply stating that unauthorized software is grounds for dismissal rarely works. (It’s debatable how often it works in these environments.) Even if IT constantly monitored servers and edge devices for unapproved software and immediately lodged complaints against the erring employee, managers have zero interest in losing key employees to angry IT staff. Not to mention that it’s entirely possible that the whole department subscribed to an unapproved software on the manager’s say-so.

At the same time, the business cannot expect IT to simply lie down and offer to support the new software. If it was not in the budget, IT will not have the staff or expertise to do it. Chargebacks can help in this situation, but many organizations are reluctant to make that change.

Some businesses are going further and considering the benefits of Shadow IT: flexibility, agility, and employee field testing of business applications. In this scenario, IT as a Service (ITaaS) becomes a service broker that presents a portfolio of approved applications and providers to users, and charges the expenses back to the Lines of Business (LoB). IT is still responsible for protecting data against loss and intrusion, but since it controls the portfolio it also sets policies around data protection, compliance, and security.

ITaaS has the capacity to put the advantages of Shadow IT to work for the company without betting on its data. But this is a long-term change in the way IT staffs, spends, and operates in the business. Shadow IT is active right now and IT needs a way to protect company data anyway.

Lighting Up Shadow IT with BDR and Security

Data Protection and DR

Since Shadow IT often occurs company-wide, one of IT’s best defenses is a company-wide cloud backup and DR platform. IT can internally deploy and manage data protection hardware and software, but fast-growing data and remote sites make for high capital and operational expenses.

The better bet is to go with Backup and DR as a Service (BaaS and DRaaS) via an experienced MSP. You need a service that automatically backs up and restores all types of protected data: on-premises, in the cloud, and on mobile endpoints. As always, IT should carry out due diligence around the MSP’s experience, longevity, and customer service.

Best practice is to choose qualifying MSPs by the Continuous Data Protection (CDP) software they use, principally vendors like Veeam and Asigra who manage data on endpoints, networks, cloud storage, and SaaS environments.

Also vet your MSP to make sure it is partnered with a Cloud Service Provider (CSP) that doesn’t charge additional data egress fees and can customize backup software solutions, data protection strategies, and SLAs. For example, KeepItSafe offers cloud-based backup and robust data protection security options for companies that need to meet compliance regulations and require IT hyper-resiliency for mixed application workloads.

With this mix of integrated software and services, IT admins can easily recover accidentally deleted data and protect SaaS data, which requires additional backup measures. And if IT is backing up all cloud-based data to custom CSPs like KeepItSafe, they can retain data even if its creator leaves. (Or worse, deletes data on the way out.)

To secure your network against threats from unauthorized downloads, look at security software that discovers networked edge devices. Create identity policies to protect user credentials and write security policies that block end-user downloads of unauthorized software until IT and the manager review and approve it.

Software from companies like Cisco and Vipre enables this level of security. Cisco Software-Defined Access (SD-Access) applies security policies to users, applications and devices to control data sources and downloads. For example, SD-Access automatically segments user devices and constrains them to approved data sources. No more automatic sign-up with Dropbox (or torrent sites for that matter).

Cloud-based solutions like Vipre provide endpoint detection and response services to protect servers, desktops, and edge devices against malware and viruses, as well as protecting email and generating threat analysis reports. IT can also use tools like Vipre Firewall to block application connections to the Internet with policies to enable default connections with trusted sites.
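As an added illustration (not from the article or from any vendor it names), the following Python builds the kind of review queue the paragraphs above describe: it scans constructed web-proxy log lines for cloud services that fall outside an assumed approved portfolio and totals how much data each unsanctioned service received. The portfolio, the service catalogue and the log lines are all assumed sample values.

```python
"""Shadow IT discovery over web-proxy logs (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed approved portfolio (in practice exported from the ITaaS service broker).
APPROVED_HOSTS = {"sharepoint.example.com", "crm.example-saas.com"}
# Assumed catalogue of consumer cloud / file-sharing services, keyed by base domain.
KNOWN_CLOUD = {"dropbox.com", "wetransfer.com", "trello.com", "box.com"}

# Constructed proxy log lines: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2024-07-18T09:01:02Z alice POST https://sharepoint.example.com/upload 200 512000
2024-07-18T09:05:44Z bob   POST https://www.dropbox.com/upload 200 20480000
2024-07-18T09:06:10Z bob   GET  https://www.dropbox.com/home 200 310
2024-07-18T09:15:00Z carol PUT  https://api.wetransfer.com/v4/transfers 201 73400320
2024-07-18T09:20:00Z dave  GET  https://news.example.org/ 200 120
"""

def base_domain(host):
    """Collapse a hostname to its last two labels (fine for this catalogue;
    production code should use the Public Suffix List instead)."""
    return ".".join(host.lower().split(".")[-2:])

def find_shadow_it(log_text, approved=APPROVED_HOSTS, known_cloud=KNOWN_CLOUD):
    """Return {base_domain: {"users": set, "bytes_uploaded": int}} for cloud
    services that were used but are outside the approved portfolio."""
    findings = defaultdict(lambda: {"users": set(), "bytes_uploaded": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, method, url, _status, sent = line.split()
        host = urlsplit(url).hostname or ""
        if host in approved:
            continue                       # sanctioned service: nothing to flag
        dom = base_domain(host)
        if dom not in known_cloud:
            continue                       # ordinary web traffic, not SaaS
        hit = findings[dom]
        hit["users"].add(user)
        if method in ("POST", "PUT"):      # data leaving the company
            hit["bytes_uploaded"] += int(sent)
    return dict(findings)

def review_queue(findings):
    """Order findings for the IT/manager review the article describes:
    largest outbound volume first, then by number of users."""
    return sorted(findings.items(),
                  key=lambda kv: (-kv[1]["bytes_uploaded"], -len(kv[1]["users"])))
```

Calling `review_queue(find_shadow_it(SAMPLE_LOG))` on the sample log lists wetransfer.com (one user, about 70 MB uploaded) ahead of dropbox.com, while the sanctioned SharePoint upload and ordinary web browsing are ignored.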

IT doesn’t have to give up control or wait to evolve into IT as a Service. You can help your users to responsibly experiment with promising applications while protecting the business from data loss, exposure, and costly regulatory fines.
