By Rajat Bhargava Posted September 28, 2015
Shadow IT is a top threat to IT security these days. It is increasingly prevalent in the modern office and is caused by employees implementing or using IT systems, often unapproved SaaS solutions, without the IT department’s knowledge or explicit approval.
The worst part of Shadow IT is that the identities used to access online solutions or applications are not connected with the organization’s core directory. The problem is that this behavior circumvents the involvement of IT and puts the company at risk.
The root cause of Shadow IT
There are a variety of reasons for Shadow IT to exist within an organization, but perhaps the root cause is human impatience. If IT is thought to be too slow to respond to requests from the business or a department, employees take it upon themselves to implement easier tools and applications, particularly cloud-based ones. The advent of cloud infrastructure, including online solutions like AWS and Google Compute Engine, as well as SaaS-based applications and mobile devices, has enabled employees to act independently of IT.
The #1 danger of Shadow IT
The downsides of Shadow IT can be significant. For organizations of any size and scale, multiple IT infrastructures can cause significant issues. For starters, infrastructure and applications will not be consistently developed or maintained. It is likely there will be different processes across the various groups. But the number one danger of Shadow IT is how it impacts security. Often unbeknownst to others, security and compliance requirements play an instrumental role in IT admins’ decision making. What may be seen as being slow to respond to requests is, rather, a due diligence process that allows IT admins time to factor in the long-term maintenance of infrastructure and compatibility with the new solutions. A department making a purchase outside of IT and its compliance process may not be sensitive to security, compatibility or maintenance issues, since its motivation may be influenced by its own needs for flexibility and control. As a result of today’s cloud and SaaS solutions, the increased requirements faced by IT admins are viewed by others as slowing down their process and workflow. However, one thing remains irrefutable: Shadow IT purchases create tremendous downstream issues for any organization.
The obstacle to stopping Shadow IT
Perhaps the single greatest inhibitor of Shadow IT will be a company’s culture. Even when an IT team is viewed as progressive and agile, other departments in the same organization will become an obstacle to stopping Shadow IT unless they view IT as a business partner, rather than an impediment. The best thing IT can do is build a strong identity management platform within the organization and implement protocols for employees to follow. IT will need to enforce these protocols, even when faced with resistance, because the long-term benefit to an employee is advantageous to everyone: an employee learns they can leverage one set of credentials to access virtually all of their resources, and the IT department is able to control user access and decrease instances of Shadow IT.
The solution that controls Shadow IT
Of course, the challenge for IT is to be able to provide a strong, robust identity management service that will enable connections to virtually all of the various online solutions and resources. This is not an easy task. Legacy on-premises directory services, such as Microsoft® Active Directory® and OpenLDAP™, often fall short due to their focus on a particular type of device or application. Many progressive IT organizations are turning to a cross-platform, location-agnostic solution like a cloud-based directory service. Known as Directory-as-a-Service® within the Identity-as-a-Service category, these cloud-based solutions can integrate with a wide variety of device platforms, cloud-based infrastructure, SaaS-based applications, and networks. This flexibility enables IT to meet the needs of the business more readily and more quickly, thus reducing the instances of Shadow IT.
If you’re worried about Shadow IT at your organization, drop us a note – we’d be happy to chat with you about what we’ve seen in the field and how your organization can mitigate the risk.