Shadow IT: Controlling the Rogue Cloud
Depending on who you ask, “shadow IT” is either the best way to instantly provision critical cloud applications, or it’s one of the biggest IT nightmares ever.
A proliferation of unapproved clouds and apps may be a sign that a CIO isn’t being adequately responsive to users. But the smart, ninja-skilled CIO will let users go their own way – as long as their way is, shall we say, guided.
“Shadow IT” dates back to the beginning of personal computers, when employees or departments brought in unapproved computers and software. The trend accelerated over the years, as employees increasingly access business applications on personal mobile devices (“bring your own device,” or BYOD). The phenomenon has mushroomed with the rapid adoption of enterprise cloud computing.
Now, departments are buying their own clouds and apps – and not always letting corporate IT know.
Trying to limit SaaS usage is like shutting the barn door after the horse has escaped: It won’t help and you will just look foolish for trying.
Instead, companies should give employees the freedom to do their jobs better without compromising security. After all, employees don’t “go rogue” out of a desire to rebel. They are simply trying to gain access to the right tools quickly.
How does an organization strike the right balance between efficiency, availability and security? A Frost & Sullivan Stratecast survey, “The Hidden Truth Behind Shadow IT,” suggests these steps:
• Establish a SaaS policy that aligns with company objectives.
• Protect the enterprise in a way that is transparent and comprehensive.
• Be inclusive of secure access to a broad range of recognized SaaS options.
• Mitigate risks in commonly used applications.
• Make sure your business safeguards data and complies with privacy regulations.
• Implement identity and access protection.
• Communicate policies that balance employee freedom and corporate protection to employees and business leaders, and gain their support.
Almost half of the line-of-business respondents in the Frost & Sullivan survey chose non-approved SaaS applications because they were “familiar with the non-approved software and therefore more comfortable using it.” Another 38% said the IT approval process for new software was too slow or cumbersome.
Frost & Sullivan make it clear that shadow IT isn’t going away. And the process is happening from the top down. In a survey of IT and line-of-business employees who identified themselves as “decision-makers” or “influencers,” more than 80% admitted to using non-approved SaaS applications in their jobs.
In an average company that uses around 20 SaaS applications, more than seven are unapproved, the respondents said. “That means you can expect that upwards of 35% of all SaaS apps in your company are purchased and used without oversight,” Frost & Sullivan said.
Departmental and corporate policies are clashing, the report declared. And departments are winning.
NASA learned that it had a problem the hard way. An audit last July by NASA’s Inspector General discovered that the agency’s Office of the Chief Information Officer wasn’t aware of all the cloud services NASA organizations had acquired, or which service providers they used.
Moreover, just three of the 15 information officers surveyed said that coordination with the agency OCIO was even necessary before moving NASA systems and data onto public clouds.
That’s pretty ugly. But it’s not really the departments’ fault. A company’s leadership team bears responsibility for setting policies that balance employees’ desire to access the best tools for the job and IT’s need to maintain some semblance of order, the report said.
Banning “shadow IT” just won’t work; it never has. But the smart CIO sets the right rules and policies, makes sure they’re communicated, and gets ahead of the shadow into the light.