What Is IT Sprawl?

And How To Handle It

Written by David Worthington on June 6, 2023


IT sprawl is a natural byproduct of the role tech plays in modern organizations. It’s understandable, because it’s natural to seek solutions for the seemingly endless challenges you face. IT sprawl presents hidden costs and risks that can outweigh (or even contribute to) the problems all of those solutions seek to resolve. In contrast, a strategy of IT unification streamlines infrastructure by eliminating waste and integrating your investments, and can help to rein in any excesses. This blog prescribes how to eliminate sprawl using a deliberate IT unification strategy that’s centered around identity and access management (IAM).

Why Sprawl Occurs

Every admin encounters pressure to overbuy and purchase more “stuff” in response to the “problème du jour.” Conversely, refusing to buy stuff could result in employees effectively taking IT into their own hands by introducing unmanaged technologies into your environment. You might even face resistance to change and be stuck with legacy solutions that are costly to support. Sprawl begins with the impulse to purchase your way around problems.


There’s always the temptation to acquire the latest and greatest solution to resolve problems, and there’s no shortage of problems that an IT department could encounter. This perpetual sense of urgency can easily lead to overbuying. Overbuying generates challenges ranging from higher costs and greater management overhead to unknown security risks. Solutions start to overlap and aren’t used to their full potential, and vendor relationships become weaker.

You can’t purchase good cybersecurity, for example. A small to medium-sized enterprise (SME) can purchase the elements of a Security Operations Center (SOC), but the presence of those solutions won’t guarantee your security. SOCs are multimillion-dollar investments in people, processes, and systems. Just purchasing more “stuff” makes managing and supporting systems more difficult, unless you’re able to make that scale of investment into security. It may seem prudent to buy every security solution possible, but that’s a guaranteed path to the “dark side” of sprawl.

What happens when you ignore every warning from a SIEM and don’t perform threat hunting on a data lake? You could get breached right underneath your nose. An excess of security tools will generate the most incredible post-mortem analysis … if that’s any consolation for a breach.

Shadow IT

Shadow IT, or the use of tools that don’t have explicit approval, is another way IT sprawl happens. It’s not a malicious act: users will naturally seek to bypass tools that are inadequate for their role by introducing an unapproved application. This occurs when departments seek their own solutions and devices/identities are left unmanaged by IT. Shadow IT can stealthily creep into your environment, circumvent security controls, and introduce unknown risks. Departments may even come to rely on an application that exists in its own silo so much that, when it’s discovered, IT must find a way to incorporate it (regardless of the effort involved).

Loads of Legacy

Not every organization is universally tech-savvy. Many people just “know what they know” and tech literacy varies; changing how things are done isn’t always accepted. IT admins understand the struggle of convincing users to let go of legacy (or familiar) apps to obtain buy-in for preferred systems/workflows. That’s often why legacy lingers: it’s easier to let it be than to actively convince people that change is necessary and important for the organization.

It can be difficult to get rid of old apps, even if they’re outside of their lifecycle. You might inherit a legacy environment and have no choice but to do your best. Budget doesn’t always exist to find replacements, or there may be proprietary pride, like that siloed server from 2006 that’s sitting in a closet somewhere running payroll. The rationale is that it “works perfectly fine” and shouldn’t be cause for concern. Yet security, management overhead, and costs are all concerns.

Impacts of IT Sprawl

Sprawl can determine the course of your IT department’s day-to-day work and lead to higher costs. Effort is sunk into activities that don’t deliver payback or help to achieve priorities. 

TCO Will Rise

As an IT professional, it may not feel like financial projection falls under your scope of work, but IT decisions that don’t account for total cost can drive you to commit to projects your company can’t support and eat up your budget while doubling down on ineffective initiatives. In addition, you may not have the right tools in place to fully understand (and communicate) the total cost of ownership (TCO) of your existing environment. 

Use this TCO calculator to reduce the cost of your stack.

Let’s face it: some things sit on the shelf as licenses gather dust and waste budget that would be better spent on something else. Several solutions may overlap and do the exact same thing. That’s especially true in the realm of security software where something you’ve already bought might do exactly what you need.

Admins’ Lives Become More Difficult

Having many consoles and many things to learn and train for creates a poor user experience (UX) for admins. Wasted time and management overhead will negatively impact your ability to modernize.

Shadow IT Raises Risks

Shadow IT breaks down the environment you’ve carefully constructed, circumventing prescribed systems and reducing visibility and control of infrastructure. The potential for misconfiguration, the usage of default administrative credentials, and other problems slowly rise. Rogue applications are also unvetted for supply chain risks and/or compliance. Every new application is a potential attack surface area for cyber criminals to exploit.

Failure to account for vital line of business applications makes disaster recovery planning exceedingly difficult and calculations such as maximum tolerable downtime wholly inaccurate. It cascades from there, with known unknowns for metrics such as Mean Time to Repair and Mean Time between Failures being completely unaccounted for. That’s not to mention potential data loss, or even the mishandling of data that could be company confidential or private. Always keep in mind that data compliance fines can cost you.

How to Reverse Sprawl

It may feel like the path to reducing and managing IT sprawl is bigger and riskier than maintaining the course of your current strategy. Or you may want to make a change, but it’s difficult to get the buy-in you need to do so. This is because the negative impact of IT sprawl can be a bit deceiving, especially when the TCO of your stack isn’t fully accounted for.

It’s beneficial (and better UX) to strategically integrate your systems, which can become “smarter” from the inclusion of salient information about user identities and when the user lifecycle begins and ends. You can also make your life easier through IT automation.

Steps for reversing sprawl include:

  • Designating the core platforms that will help you deliver the services and support you need in the most efficient way
  • Implementing mature IAM capabilities that treat identities as the perimeter and devices as gateways to resources
  • Integrating your systems
  • Automating the identity lifecycle to manage authorizations and making core applications readily available for onboarding

Interested in learning more? This free eBook provides a simple, prescriptive strategy to reverse IT sprawl.

JumpCloud Helps to Unify Your Stack

JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. Secure, frictionless access is fundamental for IT organizations, and is why JumpCloud ensures that every resource has a best way to connect to it.

JumpCloud is free to use for 10 users and devices with 10 days of premium chat support. JumpCloud also offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
