One of the most serious security challenges for enterprises today is the ease with which users can sidestep IT for the apps and information services they need. The danger is especially high when these employees are also creating and accessing confidential or regulated information. It means this data is sprawling out to apps and clouds that may not have the necessary controls to keep all of this data safe.
What makes this condition worse is that many companies don’t even believe this is going on within their organizations until they are forced to actually see it happening. For instance, just a few weeks ago I was sitting in on a live demo of a network monitoring application at a local company. The CIO there was positive that there were not any “unsanctioned” cloud apps running on their network. I told him I found that hard to believe, but would be impressed if it were so.
It turns out that the CIO was practicing really wishful thinking. The monitoring tool found Dropbox – unsanctioned and in use. There was Evernote syncing employee note-taking out to the cloud. Also unsanctioned. And there were these mysterious AWS services running that needed to be investigated. And the list went on.
It turned out workers at this place were not exactly thrilled with many of the apps the IT team developed for them to use – and they were voting with their feet not to use them. They also reported it took too long to get the servers and other infrastructure services they needed from the internal IT teams.
This is not an unfamiliar story
In cases like this organization’s, one can hardly blame employees and business managers for sidestepping enterprise-sanctioned apps - especially when the apps that IT provides stink.
One can blame IT and business managers, however, for not working together closely enough to understand that these alternative cloud apps are being used, and for failing to conduct a risk assessment on the data that flows to them and the users who use them. There’s also blame to be cast for not monitoring network traffic so as to have a constant understanding of the apps that are actually running in their environment and who is using them.
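A minimal version of the traffic-monitoring check described above, added here as an example and not code from the original post or from any product it mentions: it runs over constructed proxy log lines, maps each destination host to a hypothetical service catalog, and reports which unsanctioned services are in use, by whom, and how much data left for them. The catalog, the sanctioned list and the log format are all assumptions for this example.

```python
import re
from collections import defaultdict

# Hypothetical catalog: domain suffix -> service name (an assumption, not a real product list).
SERVICE_CATALOG = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "evernote.com": "Evernote",
    "amazonaws.com": "AWS",
    "office365.com": "Office 365",
}
# Services IT has vetted and approved (assumed for this example).
SANCTIONED = {"Office 365"}

# Constructed proxy log lines: "<timestamp> <user> <method> <host>:<port> <bytes_out>".
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice CONNECT www.dropbox.com:443 184220
2024-05-01T09:12:09Z bob CONNECT outlook.office365.com:443 5120
2024-05-01T09:13:44Z carol CONNECT sync.evernote.com:443 90112
2024-05-01T09:14:01Z alice CONNECT content.dropboxapi.com:443 2048000
2024-05-01T09:15:27Z dave CONNECT s3.us-east-1.amazonaws.com:443 734003200
2024-05-01T09:16:00Z erin CONNECT intranet.example.internal:443 1024
"""
# One log line; the port is optional so the same parser works for logs without it.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<host>[^:\s]+)(?::\d+)? (?P<bytes>\d+)$")

def lookup_service(host):
    """Map a hostname to a catalog service by its longest matching domain suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in SERVICE_CATALOG:
            return SERVICE_CATALOG[suffix]
    return None  # unknown destination: not in the catalog

def discover_shadow_it(log_text):
    """Return {service: {"users": set, "bytes_out": int}} for every unsanctioned service seen."""
    findings = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        service = lookup_service(m["host"])
        if service is None or service in SANCTIONED:
            continue
        findings[service]["users"].add(m["user"])
        findings[service]["bytes_out"] += int(m["bytes"])
    return dict(findings)
```

Feeding the constructed log through `discover_shadow_it(SAMPLE_LOG)` surfaces Dropbox, Evernote and AWS with the users behind each, while the sanctioned Office 365 traffic and the unknown internal host are left out of the report.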
Some industry experts even argue that these “rogue” (I prefer shadow IT, there’s nothing “rogue” about users needing to be productive) services should be encouraged, as David Linthicum does in his post, Why CIOs should encourage rogue clouds.
Here, Linthicum sets out the upsides of shadow IT:
• The ability to get users excited by the use of cloud-based resources. Most of them don't understand what cloud computing is, what it does, and how they can benefit.
• The ability to better understand the true requirements of the business. Those who use cloud technology off the books are doing so because they have requirements that IT does not meet. Such usage pretty much defines those unmet requirements for IT.
• The ability to gather more data on cloud technology by seeing what's used in shadow IT. The information from those who use cloud technology will help CIOs determine what their strategic cloud direction should be.
There’s no doubt that these upsides all exist. But there is a right way for enterprises to reap them. The security risks can be very serious - especially when regulated information or trade secrets find their way onto cloud services that don’t have the appropriate controls or safeguards.
Seize the educational moments
First, seize on one of the important educational moments these situations make possible when IT is made aware that shadow IT is in play. It’s a time to teach business users about the very real nature of the risks. These users are not being malicious when they turn to shadow IT. And they probably don’t really understand the extent of the risks they can be creating for their company. This is why most don’t think twice before sharing data on a cloud service - they just want to get their work done. They need to be taught and constantly reminded about the security, regulatory compliance, access control and monitoring requirements around some of the information they manage.
It’s also very important to understand that these are educational moments for IT teams too. By monitoring what apps users are reaching for, IT will learn either which apps to build and provide to users, or which types of commercial apps it needs to vet for suitable use in the enterprise.
That’s the best way to approach shadow IT: as educational moments. Your business users aren’t always aware of the risks, and they need to be educated and reminded. But it’s also a very important educational moment for the IT team: not only does IT have a chance to step in before something unfortunate happens, it also learns what apps and services the business teams need and can then provide them in a secure and compliant way.