IT sprawl rarely occurs due to neglect or poor planning. It’s a natural byproduct of how we work and may seem functional on its surface. No single tool makes all your problems go away; an admin will instinctively install solutions that make life easier. That impulse makes it exceedingly easy to overbuy when challenges, such as thwarting modern cyberattackers or supporting remote/hybrid employees, seem insurmountable.
IT sprawl then occurs because every solution necessitates that additional resources be allocated to it, while unsupported solutions won’t ever perform as well as they’re intended and can lead to the purchase of even more technology to fill supposed gaps.
How Sprawl Happens
There are a few primary reasons why sprawl occurs, but the problems arise in the same way that grains of sand become a beach; individual tools and applications seem perfectly harmless, and small in scope… until enough of them come together to form a much larger, much more complicated mess.
- IT departments inherit legacy systems, and legacy accumulates over time.
- The other main driver — shadow IT — is nothing more than people attempting to solve problems as their organizations grow. Employees acquire or create technology that’s outside of your visibility. It occurs organically when devices are unmanaged, identity and access management (IAM) is inadequate, and unknown assets aren’t accounted for. People will naturally solve problems using the tools most familiar to them. It sounds innocent enough, but risks (and potential costs) compound as time goes on.
Tool Sprawl Is a Slippery Slope
A small to medium-sized enterprise (SME) can purchase the elements of a Security Operations Center (SOC), but the mere presence of those solutions won’t guarantee your security. SOCs are multi-million dollar investments in people, processes, and systems. Unless you’re able to make that scale of investment in security, purchasing more “stuff” only makes managing and supporting systems more difficult. It may seem prudent to buy every security solution possible, but it’s a guaranteed path to the dark side of sprawl.
The Negative Impact of IT Tool Sprawl
IT sprawl is costly, negatively affects security and compliance, dampens operational resilience, increases management overhead, and leaves gaps in the user experience. The dangers are generally spread out and may not be felt until it’s too late, such as data compliance sanctions.
Cost Issues
IT can be a fountainhead of costs, especially if you overbuy, but being strategic also presents an opportunity to make your accounting department happy. Every system that you purchase must be supported and will add to your IT management overhead. Sprawl can also misallocate your budget against priorities.
Total cost of ownership (TCO) is the only way to accurately assess the true lifetime value of your technology. Failing to factor TCO into your decisions or basing decisions off of inaccurate TCO calculations can hamper your company’s success and hurt your personal performance.
Licensing Costs and Over-Buying
Licensing costs are cumulative and can become complex. Your organization could face legal exposure or fines when licensing isn’t in order. IT admins are all too familiar with the Client Access License (CAL) audit shakedown.
Overbuying is another phenomenon that happens when solutions are prescribed by outside consultants or there’s an impulse to spend to solve problems instead of thinking inside of the box and expertly using what you already have.
It’s not your money to spend and the budget could be used more effectively elsewhere, such as training and certifying your team members to develop a competency to address the very problem you were trying to solve.
Support Costs
Having to support many things, some of which could inadvertently be outside of their product life cycles, creates risks. Your team can only be pulled in so many directions, and specialized knowledge creates silos of expertise. That’s risky should that person ever depart your team. Hoarding knowledge (or expertise) isn’t something that should ever be encouraged in IT.
Operational Costs
Productivity is lost and compliance and security risks rise when IT has too much to do, along with too little focus. You may also be failing to utilize existing investments in SaaS environments with duplicate accounts, and lose out on resources because of decentralized IT budgets. Failure to properly budget also risks losing out on tax incentives and opportunities for your organization to reduce its tax burden. Smart budgeting aligns spending with your priorities.
Proactive Budgeting
IT administrators wear many hats: help desk hero, network engineer, database administrator, and even budget manager. Budgeting can be as simple as having a lunchtime conversation and using common sense if you’re a small organization, or you may have an operations-driven CEO and growing employee roles. A budget, in any case, isn’t an afterthought, and should reflect your priorities. It’s an opportunity to rationalize spending and make better decisions about IT resources and teams that also has a positive impact on the well-being and effectiveness of your staff.
Difficulty Modernizing
As noted, accumulating “stuff” doesn’t automatically translate to good outcomes. Having a set of well-understood, well-integrated systems and processes is preferable and makes life easier for everyone. Overbuying and allocating too much time toward administrative overhead also make it more difficult to modernize in support of business growth.
The Compliance Crunch
Let’s imagine having a short span of time to account for the maintenance of all of your systems when a compliance auditor starts asking for documentation. Compliance fines and a rush to take corrective action make work less predictable and more stressful.
A False Sense of Security
SMEs have limited capacity to build out mature and robust security operations, and security tool sprawl only complicates that task. More software also adds more risks, and you might not even be aware of what some are when unknown third-party components are introduced into the solutions that you buy.
Information Overload
Having too many security systems functioning in isolation and never “talking” to one another accomplishes very little as a whole. It creates “alert overload,” where the influx of notifications from systems is usually disregarded (or turned off). This situation creates a poor user experience (UX) for admins and end users alike. Poor administrative experiences delay deployments, increase the time to resolve support tickets, and result in admins repeating processes from siloed locations. This is especially true in identity and access management as well as user onboarding.
Too Much to Support
Security risks spawn from having too many things to support, which invariably delays patching. Your team only has so many hours in the day and apps that are core to a department may only present small windows of opportunity to upgrade or take offline for maintenance. Many zero-day attacks occur when organizations fail to keep up with the pace of change and patch management controls. It may not seem like it’s a big deal, but patching is a critical activity.
Increased Cyberattack Surface Area
More stuff isn’t always better, and sometimes it can even be worse. Apps that hold entitlements in core infrastructure, and servers running on your network, all enlarge the footprint an attacker can map and exploit after gaining a foothold inside your perimeter. Also consider that many applications (not limited to security) are siloed and aren’t fully integrated with your security controls, nor visible to monitoring.
Verizon’s 2022 Data Breach Investigations Report uncovered that credential risks were the leading cause of unauthorized access to IT resources. Applications that exist outside of a universal IAM system, and therefore outside the Zero Trust security controls that require users to prove they are who they say they are, place data and users at risk. Never underestimate the potential for human fallibility, or the effectiveness of the techniques hackers use to obtain credentials. JumpCloud’s 2022 IT Trends Report found that the three biggest security concerns are software vulnerability exploits, password reuse, and unsecured network usage. Problems amplify when apps stray beyond your core stacks, asset auditing, and security controls.
Supply Chain Risks
Third-party components aren’t under your control. This problem received greater attention following several high-profile breaches. The Log4Shell vulnerability affected Apache’s Log4j and hundreds of downstream applications from vendors large and small, leading to a rush to patch and mass confusion. Every new third-party component introduces:
- The risk that a compromised supplier becomes a force multiplier for threat actors.
- The potential for poor security and support practices.
- Poor software assurance, and bad actors infiltrating source code and maintenance servers.
- Additional auditing and compliance lapses.
How to Fix Sprawl: IT Unification
IT unification helps IT teams do more by maximizing existing investments and plugging gaps that lead to higher costs, overspending, more work (and the consequences of burnout), and shadow IT. Unification is a deliberate strategy that maximizes what you’re already using, plugs the gaps in how those systems are managed, and permits you to streamline your infrastructure. Your department wins and your users win.
Benefits of IT Unification
This initiative could pay for itself. You get more out of what you have, improve security, and obtain more visibility and control into your environments. This first section focuses on what your managers will inevitably ask: “why would we spend time and money on unification?”, followed by analysis of the tangible “wins” that your department will gain.
Lower TCO
Streamline and integrate your infrastructure with a centralized core platform. No one vendor satisfies every single need that an SME has or has domain expertise in specialized industries. But a central platform to cover the core functionality you need to effectively run your department and support the business reduces the total cost of ownership environment-wide.
Improved Admin UX
A unified stack builds trust in IT and makes administration more efficient and easier to do. For example, advanced lifecycle management eliminates human error and streamlines onboarding. A better user experience translates to more productivity and higher satisfaction in IT that can be measured using Net Promoter Score (NPS) and other metrics that track IT quality. Don’t say that you’re doing your job well; show your executive team the positive sentiments from your users.
Security and Visibility
You can prevent data loss by blocking malicious or rogue applications. Rogue applications can exfiltrate company data, even if they’re installed on your users’ mobile devices for seemingly legitimate purposes. That dovetails into avoiding shadow IT. You can avoid shadow IT by delivering pre-approved apps that you’re confident in and have taken steps to validate through supply chain assessments. For instance, you may select vendors that follow an ISO standard (ISO/IEC 5962:2021) to label the components that are included within their products.
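The supply chain risks listed earlier and the component-labelling standard mentioned here (ISO/IEC 5962:2021, the SPDX format) come together in a concrete check: read a vendor’s SBOM, list what is inside, and flag components that lack a named supplier or fall below a fixed version in your advisory feed. The following is an added example, not JumpCloud’s code and not part of the original article. The SBOM document, the advisory entry (`ADVISORY-PLACEHOLDER-1`) and every version number in it are constructed for illustration; field names follow the SPDX 2.x JSON layout.

```python
"""Inventory third-party components from an SPDX 2.x JSON SBOM and flag risks.

Added example (not JumpCloud code). The SBOM and the advisory list are
constructed; swap in the vulnerability feed your organization subscribes to.
"""
import json
from typing import Dict, List, Tuple

# Constructed SPDX 2.3 JSON document. Component names echo the article's
# Log4j discussion, but the versions here are illustrative only.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-vendor-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-vendor-app", "versionInfo": "4.2.0",
         "supplier": "Organization: Example Vendor"},
        {"SPDXID": "SPDXRef-log4j", "name": "log4j-core", "versionInfo": "2.14.1",
         "supplier": "Organization: Apache Software Foundation"},
        # No supplier field: the vendor could not say where this came from.
        {"SPDXID": "SPDXRef-jackson", "name": "jackson-databind", "versionInfo": "2.13.4"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-log4j"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-jackson"},
    ],
})

# Placeholder advisory feed: the id and the fixed version are not a real advisory.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "component": "log4j-core", "fixed_in": "2.15.0"},
]


def version_key(version: str) -> Tuple[int, ...]:
    """Order dotted numeric versions; non-numeric segments count as 0, padded to 3 parts."""
    parts: List[int] = []
    for segment in version.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_sbom(text: str) -> Dict[str, dict]:
    """Return {SPDXID: {name, version, supplier, depends_on}} from an SPDX JSON document."""
    doc = json.loads(text)
    components: Dict[str, dict] = {}
    for pkg in doc.get("packages", []):
        components[pkg["SPDXID"]] = {
            "name": pkg["name"],
            "version": pkg.get("versionInfo", ""),
            "supplier": pkg.get("supplier"),
            "depends_on": [],
        }
    # Only DEPENDS_ON edges matter for a dependency inventory.
    for rel in doc.get("relationships", []):
        src = rel.get("spdxElementId")
        if rel.get("relationshipType") == "DEPENDS_ON" and src in components:
            components[src]["depends_on"].append(rel["relatedSpdxElement"])
    return components


def find_affected(components: Dict[str, dict], advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Components whose version is below an advisory's fixed_in, as (name, version, advisory id)."""
    hits = []
    for comp in components.values():
        for adv in advisories:
            if comp["name"] == adv["component"] and version_key(comp["version"]) < version_key(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def missing_supplier(components: Dict[str, dict]) -> List[str]:
    """Components with no supplier: a provenance gap to raise with the vendor."""
    return sorted(c["name"] for c in components.values() if not c.get("supplier"))


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM)
    for spdx_id, comp in comps.items():
        print(f"{spdx_id}: {comp['name']} {comp['version']} depends on {comp['depends_on']}")
    print("affected:", find_affected(comps, ADVISORIES))
    print("no supplier:", missing_supplier(comps))
```

Run against a real SBOM, the two lists are what you take back to the vendor: affected components need a patched build, and unlabelled components need a provenance answer before the product enters your core stack.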
Modern Authentication
Extending the capabilities of your stack with IAM, mobile device management (MDM), and Zero Trust security to regulate user identities and devices centralizes resource management. Access to your most sensitive resources becomes more confidential and secure, and is easier to monitor. Modern authentication, such as conditional access and passwordless authentication, prevents unauthorized and unmanaged access to IT resources (with greater control over the authentication chain). Only managed devices should have access to your most sensitive resources. If you can log into a mission-critical system from your kid’s gaming PC, ask yourself: “Is that something that’s desirable?” Access control bolsters existing investments in Endpoint Detection and Response (EDR) and other security systems by ensuring that gaps don’t exist in your security controls.
There are several additional benefits:
- Gaining more granular control with automation of groups and entitlements
- Auditing assets for unauthorized applications
- Reducing the likelihood of phishing attempts by making apps and connections to resources available through a user control instead of a web browser. Browser login pages can be mimicked with the look and feel of a vendor’s official site.
- Modern authentication also helps prevent end users from falling for multi-factor authentication (MFA) fatigue attacks.
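To make the conditional access idea above concrete (managed device required for the most sensitive resources, step-up MFA elsewhere, and a cap that stops the MFA-fatigue loop), here is an added policy evaluator. It is illustrative code written for this article, not JumpCloud’s product logic; the three sensitivity tiers, the `MAX_PROMPTS_PER_HOUR` threshold and the request fields are assumptions you would replace with your own signals.

```python
"""Conditional access policy evaluation, as a worked illustration.

Added example, not JumpCloud code. Models the article's rule that only
managed devices reach the most sensitive resources, and shows where
step-up MFA and an MFA-fatigue cap fit into one decision.
"""
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    LOW = 1        # e.g. an internal wiki
    HIGH = 2       # e.g. mail, file shares
    CRITICAL = 3   # e.g. ERP, admin consoles


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require_mfa"   # continue only after a second factor is satisfied
    DENY = "deny"


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: Sensitivity
    device_managed: bool            # enrolled in MDM and reporting compliant
    mfa_completed: bool             # a second factor was satisfied this session
    mfa_prompts_last_hour: int = 0  # signal used to detect MFA-fatigue patterns
    network_trusted: bool = False   # e.g. on an office network or the corporate VPN


MAX_PROMPTS_PER_HOUR = 5  # assumed threshold; tune to your environment


def evaluate(req: AccessRequest) -> Decision:
    """Return the access decision for one request, most restrictive rule first."""
    # A burst of prompts is the signature of an MFA-fatigue attempt. Even an
    # eventual approval is suspect, so deny rather than keep prompting.
    if req.mfa_prompts_last_hour >= MAX_PROMPTS_PER_HOUR:
        return Decision.DENY

    if req.sensitivity is Sensitivity.CRITICAL:
        # The "kid's gaming PC" case: an unmanaged device never reaches these,
        # no matter what factors the user can present.
        if not req.device_managed:
            return Decision.DENY
        return Decision.ALLOW if req.mfa_completed else Decision.STEP_UP

    if req.sensitivity is Sensitivity.HIGH:
        # Needs at least one strong signal: a managed device or a completed MFA.
        if not (req.device_managed or req.mfa_completed):
            return Decision.DENY
        return Decision.ALLOW if req.mfa_completed else Decision.STEP_UP

    # LOW: a managed device on a trusted network may pass silently;
    # everything else still proves a second factor once.
    if req.device_managed and req.network_trusted:
        return Decision.ALLOW
    return Decision.ALLOW if req.mfa_completed else Decision.STEP_UP


if __name__ == "__main__":
    # Constructed requests covering each branch.
    samples = [
        AccessRequest("ana", "erp", Sensitivity.CRITICAL, device_managed=False, mfa_completed=True),
        AccessRequest("ana", "erp", Sensitivity.CRITICAL, device_managed=True, mfa_completed=False),
        AccessRequest("ben", "mail", Sensitivity.HIGH, device_managed=True, mfa_completed=True,
                      mfa_prompts_last_hour=7),
        AccessRequest("cara", "wiki", Sensitivity.LOW, device_managed=True, mfa_completed=False,
                      network_trusted=True),
    ]
    for s in samples:
        print(f"{s.user} -> {s.resource}: {evaluate(s).value}")
```

Each `STEP_UP` answer is a prompt, so the fatigue counter grows with every retry; the cap at the top is what turns an endless push-notification loop into a denial that the help desk gets to investigate.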
Visibility Streamlines Compliance
Having a full accounting of your assets also means that audits and compliance reviews go more smoothly, and don’t become a rush to assemble information from many places. Ask anyone who’s been through a PCI DSS audit: it’s difficult and stressful to account for and document everything within a short timeframe, even when audits are an annual occurrence.
Regain Confidence in Your Stack
IT unification helps transition services more efficiently during mergers and acquisitions. For example, one of the most difficult aspects of a corporate buyout is uncertainty, but changes in ownership are commonplace. The difficulty occurs when your team lacks full visibility into all of its IT assets because of shadow IT or poor auditing practices. You can at least be certain that you’ll have a full accounting of your assets when the principle of IT unification is your standard operating procedure.
The Steps to Unification
There’s some upfront work involved that will pay dividends later. You’ll begin by rationalizing what you need from your tech stack and how it all can work better together once it’s unified. You’ll then be able to reduce waste and eliminate systems that aren’t serving your mission.
Identify Your Core Stack
This phase is where you assess your entire IT environment and determine the core platform(s) that will help you deliver the services and support you need in the most efficient way. Don’t worry… it doesn’t have to be an extensive audit, but rather a high-level review of what you need to do (and want to do), and what technologies you need to accomplish your objectives. Once you know this, you can begin to find a platform that best suits your needs.
Integrate Your Core Stack
Next, incorporate your new core stack into areas where there are unmet needs or underperforming solutions. Listen to your users: they’ll tell you where those problems exist. Let’s explore an example of what that looks like when using JumpCloud’s Open Directory Platform. Your objective is to protect access to Wi-Fi and VPN connections. JumpCloud makes it easier to configure a RADIUS server and layer MFA on top without disrupting any other solutions that you already have in place for IAM or device management. Or, you may be required to protect network hardware such as switches with MFA. JumpCloud fills that gap.
JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. Whether it’s JumpCloud or a different solution, always use a directory that enables you to securely connect to and manage all of your assets.
Core IAM Capabilities
Single sign-on (SSO) and MFA should work everywhere you want them to, and for every protocol or standardized way you connect to resources, ranging from LDAP, to RADIUS, to OpenID, to SAML SSO. Any platform that restricts what resources you can connect to introduces operational and security gaps. Standards weren’t created to obstruct freedom of choice, nor to exclude additional authentication factors. Adding MFA to IAM configurations adheres to the cybersecurity requirements issued by international standards bodies such as ISACA, ISO/IEC, NIST, and PCI SSC. These standards exist to safeguard confidential and private information, protecting your users, customers, and reputation. SMEs are in the midst of an identity transformation where protecting your assets through strong access control is as vital as managing the shift to remote work.
Integrate the Systems That Orbit IT
Eliminate manual work by automating user provisioning and access control using attributes for authorization and smart group management to assign apps. An open directory platform pulls information from authoritative sources such as HR systems. Automating group memberships and automated auditing delivers a mature approach to entitlement management and reduces the likelihood of unauthorized access. Once more, there’s a cost to inaction.
The Importance of Onboarding Automation
Think about your first day on a new job. Was your PC ready to go and were resources available to work? You’d remember if they weren’t, which may have affected your impression of that employer. Likewise, you’d notice when things go smoothly. IT doesn’t have to miss the opportunity to start the user relationship off on the right foot, while making life easier for itself.
Automate the Identity Lifecycle
IT unification assists with managing the user lifecycle and makes core applications available for onboarding. An open directory that integrates with data sources provisions user access rights, which reduces onboarding errors that can be introduced through manual data entry. HR system integration eliminates identity sprawl and breaks down the silos that commonly surround HR. Coordinated provisioning between human resources and IT can help to ensure that onboardings go smoothly. If you haven’t begun before the start date, you’re behind. This approach leads to a standardized onboarding process throughout the organization, which doesn’t vary across departments. Unification makes onboarding smoother and more efficient.
Significant breaches have occurred because user accounts were forgotten
The Colonial Pipeline data breach disrupted the flow of energy resources throughout the United States, but it was easily preventable. Nearly USD $5 million was paid to criminals in bitcoin, with only approximately half being recovered by civil authorities. Traditional directory systems such as Active Directory cannot readily keep account lifecycles in step with HR without adding layers of services (or integrations) that increase costs and complexity. Select a system that incorporates modern authentication and interrogates the privileges that permit access to your resources.
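The HR-driven provisioning described in “Integrate the Systems That Orbit IT” and “Automate the Identity Lifecycle”, and the forgotten-account problem this section warns about, reduce to one reconciliation loop: compare the HR system of record with the directory, then act on joiners, movers, leavers and accounts nobody owns. The following is an added example, not JumpCloud’s code and not from the article. The HR roster, the directory contents, the `DEPARTMENT_GROUPS` policy and the `DORMANT_DAYS` threshold are all constructed assumptions.

```python
"""Reconcile a directory against the HR system of record (joiner / mover / leaver).

Added example, not JumpCloud code. Sample HR and directory records are
constructed; the department-to-group mapping is an assumed policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HrRecord:
    employee_id: str
    email: str
    department: str
    status: str                     # "active" or "terminated" in this example


@dataclass
class DirectoryUser:
    email: str
    groups: Set[str] = field(default_factory=set)
    suspended: bool = False
    days_since_login: int = 0


# Assumed policy: the directory groups each department is entitled to.
DEPARTMENT_GROUPS: Dict[str, Set[str]] = {
    "engineering": {"all-staff", "vpn-users", "git-users"},
    "finance": {"all-staff", "vpn-users", "erp-users"},
    "sales": {"all-staff", "crm-users"},
}
# Only these groups are automated; anything else is left for manual review.
MANAGED_GROUPS: Set[str] = set().union(*DEPARTMENT_GROUPS.values())
DORMANT_DAYS = 90   # assumed threshold for flagging stale but still-enabled accounts


@dataclass
class Plan:
    create: List[Tuple[str, Set[str]]] = field(default_factory=list)
    suspend: List[str] = field(default_factory=list)
    add_to_group: List[Tuple[str, str]] = field(default_factory=list)
    remove_from_group: List[Tuple[str, str]] = field(default_factory=list)
    orphaned: List[str] = field(default_factory=list)   # no HR record: the "forgotten account"
    dormant: List[str] = field(default_factory=list)    # active in HR but unused: review


def reconcile(hr: List[HrRecord], directory: List[DirectoryUser]) -> Plan:
    """Compute the changes that bring the directory in line with HR."""
    plan = Plan()
    dir_by_email = {u.email: u for u in directory}
    hr_by_email = {r.email: r for r in hr}

    for rec in hr:
        desired = DEPARTMENT_GROUPS.get(rec.department, {"all-staff"})
        user = dir_by_email.get(rec.email)
        if rec.status == "terminated":
            if user is not None and not user.suspended:
                plan.suspend.append(rec.email)                 # leaver
            continue
        if user is None:
            plan.create.append((rec.email, set(desired)))      # joiner
            continue
        # Mover, or plain drift: align managed group membership with HR.
        for g in sorted(desired - user.groups):
            plan.add_to_group.append((rec.email, g))
        for g in sorted((user.groups & MANAGED_GROUPS) - desired):
            plan.remove_from_group.append((rec.email, g))
        if user.days_since_login >= DORMANT_DAYS and not user.suspended:
            plan.dormant.append(rec.email)

    # Anything in the directory that HR has never heard of is exactly the
    # kind of account that gets forgotten: flag it for an owner or removal.
    for user in directory:
        if user.email not in hr_by_email:
            plan.orphaned.append(user.email)
    return plan


# Constructed sample data: a mover (ben), a joiner (cara), a leaver (dan)
# and an orphaned service account with no HR owner.
HR = [
    HrRecord("1001", "ana@example.com", "engineering", "active"),
    HrRecord("1002", "ben@example.com", "finance", "active"),
    HrRecord("1003", "cara@example.com", "sales", "active"),
    HrRecord("1004", "dan@example.com", "engineering", "terminated"),
]
DIRECTORY = [
    DirectoryUser("ana@example.com", {"all-staff", "vpn-users", "git-users"}, days_since_login=3),
    DirectoryUser("ben@example.com", {"all-staff", "crm-users"}, days_since_login=1),
    DirectoryUser("dan@example.com", {"all-staff", "vpn-users", "git-users"}, days_since_login=120),
    DirectoryUser("svc-legacy-vpn@example.com", {"vpn-users"}, days_since_login=400),
]


def build_plan() -> Plan:
    return reconcile(HR, DIRECTORY)


if __name__ == "__main__":
    print(build_plan())
```

The plan is deliberately a list of intended changes rather than direct API calls: run it as a dry run first, review the `orphaned` and `dormant` lists with the business owners, and only then wire the other four lists to your directory’s provisioning interface.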
Consolidate and Eliminate Tools That Aren’t Necessary
You’ll gain deeper vendor relationships with the suppliers of your core stack and learn more about what’s possible from those systems after you reduce sprawl. Having too many systems to deploy or renew limits the time that’s available to understand what you’ve purchased. You also lose visibility, efficiency, and precious time. It’s okay to let go and move on from your “stuff.”
Unification Helps MSPs Succeed
It’s not only IT organizations that will benefit. Managed service providers (MSPs) face many of the same challenges as IT departments, but have to operate at scale and service many clients. MSPs gain higher productivity by supporting fewer solutions, and scale increases margins. You can eliminate shadow IT for clients through controlling the environment better, and reduce your internal tool sprawl. Using multiple monitoring tools that focus on a single aspect of the client’s environment can lead to alerts and warnings being missed. MSPs that deliver IT unification gain a competitive advantage and deliver greater value back to their clients.
Bringing some semblance of order to an ERP system gone rogue
In another real-world scenario, an IT administrator didn’t understand how their ERP system worked or what it was capable of. He turned to his trusty .NET development skills and duplicated its functionality. That led to unneeded applications that were unsupported (beyond one individual). The apps were being used in production for critical workflows. The IT team would have benefited from working more closely with the ERP vendor to better utilize its system. After all, they were paying a lot of money for it. There’s no such thing as a partial ERP implementation, and that holds true for every system that you adopt.
Unify Your Tech Stack with JumpCloud
IT unification is a prescription to solve sprawl while gaining more out of the solutions IT has invested in. It’s also possible to reduce management overhead and other costs while becoming more resilient and increasing the options you have within your technology stack. You’ll gain the benefit of lower TCO, better security, visibility (for compliance), and a better end user experience by unifying your IT systems. The process of logging into resources will be standardized, using the credentials from the directory that you want to deploy and the best authentication method. Find out more about how JumpCloud makes it possible to connect to and manage access to your resources in whatever way that you want, on the devices you choose, without having to consolidate onto a single vendor’s platform.
Need to prove that unification will cut costs?
Try out JumpCloud’s TCO calculator — it’s a free tool that helps you estimate the total cost of your stack and compare it with the TCO of alternative options. It also generates great visuals that can bolster proposals to leadership. Prefer Google Sheets? We have that too.
JumpCloud helps IT teams Make Work Happen by centralizing management of user identities and devices, enabling small and medium-sized enterprises to adopt Zero Trust security models. JumpCloud has a global user base of more than 200,000 organizations, with more than 5,000 paying customers including Cars.com, GoFundMe, Grab, Class Pass, Uplight, Beyond Finance, and Foursquare. JumpCloud has raised over $400M from world-class investors including Sapphire Ventures, General Atlantic, Sands Capital, Atlassian, and CrowdStrike.
For more information on JumpCloud and how organizations everywhere are providing Secure, Frictionless Access to all their IT resources, visit jumpcloud.com/why.