Shadow IT – Where once there was darkness

Business IT. It’s a fast moving, ever evolving landscape which if cultivated correctly, will yield growth. And much like plants, your endpoint environment needs a number of different tenets to grow including, most importantly, light.

Shadow IT is defined as IT Systems, Solutions and Applications which are used inside organisations without corporate approval or knowledge. Traditionally this was always considered as the hardware you didn’t know about, but as endpoint management and network access solutions have been heavily adopted through the years, the focus of Shadow IT is now much more on software.

When Brocade commissioned a global survey of 200 CIOs it revealed that 83% of them had seen some form of unauthorised Software-as-a-Service (SaaS) usage internally. When you take this along with Cipher cloud’s data that 80% of employees and (according to Cisco) 83% of support staff themselves, were using unsanctioned cloud applications, we really begin to understand the extent of Shadow IT adoption.  

Shadow IT, as dark, ominous and foreboding as it sounds, raises another of urgent issues for businesses and their IT Teams, which I have helpfully used alliteration to highlight; Control, Cost, Compliance, Compromised Security and Customer Happiness.

• Control – How can IT Teams control the solutions and processes in place when they don’t know what is deployed within their environment? How useful is a test environment to an IT Team, if it doesn’t include applications which are being used in the live environment? Understanding one’s IT environment ensures change management is handled effectively in a resilient estate. If rogue applications are calling back to your server for information, how can IT Teams realistically be expected to know where business data is moving to.
• Cost – Duplication is expensive. If you don’t know your license counts and usage, you aren’t able to ensure that economies of scale in procurement is taken advantage of. Needless spend is an easy issue to get under control with the adoption of appropriate toolsets and with these in place, you can reduce the cost implications of falling foul of the ICO or FTC, which Gartner predicted in 2016 would account for 35% of total IT expenditures.
• Compliance – There is no way the IT environment is license compliant if the IT team doesn’t even know what software is in use. One stray, unapproved or incorrect license can be all it takes for vendors to mandate a full infrastructure audit of your environment. Not only does that take up time and money in terms of staffing and downtime, but you could be left with a heavy bill for the license you haven’t yet paid for.
• Compromised Security – One of Gartner’s top predictions for IT in 2016 was that through to 2020, 95% of cloud security failures will be the customers fault. Controlling and mitigating that risk, through the use of Cloud Access Security Brokers (CASBs) and thorough Inventory tools for instance, can help to avoid this pitfall, but without that knowledge you are a target. Uncontrolled applications can also have implications and negate the governance and standards you have invested in (PCI DSS/Cyber Essentials etc), as these only stand based on an accurate representation of your IT environment.

Customer Happiness – One of the main rises for Shadow IT is due to user happiness and flexibility. As a result of Covid-19, businesses were forced to enable their users to work from home on a grand scale, some of whom had never done so before. When you take away their ability to use what makes them productive and content, you have an unhappy customer. At the same time, if you have lack of support for said application, you have an unhappy customer. If you deploy a change in the environment which, as a result of the unknown applications in use, makes the endpoint unusable, you have a very unhappy customer. Knowledge and control of what Shadow Applications customers are using ensures IT Teams can keep them happy and ultimately makes supporting them easier.

So what actions can actually be undertaken? I believe there are 3 simple steps to ensuring Shadow IT doesn’t become the Achilles' heel in your otherwise robust IT infrastructure:

1. Uncover – Shining a light on your environment is the first step to combat the shadows. The manual approach of going endpoint to endpoint is somewhat archaic at this point, and frankly untenable so looking to implement appropriate toolsets is key. There are innovative analytical tools that can be deployed, used in the monitoring of your endpoint environment silently, but there is no one tool that ticks all of these boxes of course as different parts of IT. Infrastructures are as unique as fingerprints and will have unique challenges. At the very least, thorough inspection from good Inventory tools will help to efficiently control the environment and eliminate a great deal of the Shadow IT issues. The use of analytics will further give you a clearer picture of what is being utilised so that a comprehensive plan of attack can be formulated.
2. Take Control – Taking back control of the IT environment can be in many forms. Software Asset Management (SAM), Mobile Device Management (MDM) and Endpoint Management (UEM) are going to be key here to give IT teams full command, as they will have the ability not only to identify what is being used, but uninstall, reinstall, update and patch as required to remain compliant. Once you have control, remove local admin rights and dependent on your level of flexibility, perhaps looking at security functions like application whitelisting to reduce the introduction of new applications or executables into the environment. Investments in CASBs will be crucial going forward as cloud adoption in various forms continues to grow. This provides enterprises with cloud security in four areas: visibility, compliance, data security and threat protection. It is definitely a growth area in the IT world and a "need to have" for any corporate environment investing in SaaS
3. Manage – Utilise these tools further to ensure the version types are controlled, patches deployed, vulnerabilities detected and endpoints continually managed. Adoption of automation for software deployment is great here to standardise rollouts and the implementation of self service areas for end users gives the freedom and choice they grave, within a controlled environment, whilst also removing the need for IT Teams to roll out all requests from end users. Management of the IT Environment is a never ending task that requires refining and monitoring as you go to ensure the processes you employ best suit your needs and restrictions.

The end user is becoming more independent and knowledgeable with the IT they have at their disposal and concepts like BYOD and SMAC continue to be key drivers in corporate IT Innovation, as such, Shadow IT will be ever present. Companies who embrace this fact and act accordingly will be able to effectively control any issues associated and reap the potential rewards that new applications and processes which cultivate efficient and smart work practices can bring. Alternatively, those who bury their heads in the sand, blind to the problems continuing to grow around them, are simply waiting for the fall. Be the former and ensure that where once there was darkness, now there is light.