Welcome to the world of shadow IT, the dark side of the consumerization of IT. Armed with credit cards (unless the service is free) and a Web browser, often on a personally owned and maintained device, employees are circumventing the sometimes onerous IT processes required to install and use new tools, and taking matters into their own hands. With the proliferation of Software as a Service (SaaS) providers using the cloud, an individual can often find a company that is willing and able to do what they need, from storing files to crunching numbers, in a fraction of the time it takes for the IT department to evaluate and procure the same service.
It might seem harmless — after all, what is wrong with employees being proactive with an eye toward improving productivity? — but as it turns out shadow IT can be very harmful, especially when it comes to compliance.
Compliance: Not Just a Buzzword
In many industries, compliance with industry and federal regulations is no laughing matter. Companies that accept credit card payments, for example, must adhere to the Payment Card Industry Data Security Standard, or risk sanctions, fines, and even total shutdowns — especially if there is a data breach. Health care organizations are bound by HIPAA regulations that protect patient information. In fact, some sort of regulation, with significant consequences for noncompliance, binds almost every industry and enterprise.
So what does shadow IT have to do with that? It causes problems in several areas:
1. When employees use unapproved SaaS or programs, the organization loses control over the data. There is no way for IT security to ensure that the provider's security standards meet the requirements of the regulations in terms of encryption, backups, and access management, for example.
2. Software installed without IT’s knowledge is not managed within the software asset manager, which monitors and controls software licenses to ensure compliance. The discovery of unlicensed or unreported software could lead to an audit, as well as fines and other sanctions.
3. Cloud-based SaaS providers, while convenient, may not meet compliance regulations in terms of system reliability or documentation. Should a breach occur because of data being transmitted via these services, the business could face stiffer penalties.
Cloud services that are being used “under the radar” may increase productivity and reduce costs (at least in the short term), but they are dangerous. Companies need to take steps to bring these practices out of the shadows and into the forefront. That usually begins with an extensive manual audit of the services being used on the network, and a comprehensive evaluation to determine which services are acceptable and which are banned from use for corporate data.
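The audit step above usually starts from data the organization already has: web-proxy or DNS logs show which external services employees actually reach. The script below is an added illustration, not code from the original post; it inventories destination hosts from a handful of constructed proxy log lines, classifies each against a constructed approved/banned list, and queues for review any banned service with traffic or any unknown service receiving sizeable uploads (corporate data leaving the network). The log format, host names and policy lists are assumptions made for the example.

```python
"""Shadow IT discovery from web-proxy logs (added example, constructed data).

Each constructed log line is: timestamp user method url status bytes.
The policy lists below are assumptions for the example, not any real
organization's policy.
"""
from urllib.parse import urlsplit

# Assumed policy: services IT has vetted, and services explicitly banned.
APPROVED = {"sharepoint.example-corp.com", "mail.example-corp.com"}
BANNED = {"filedrop.example", "pastebin-clone.example"}

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice GET https://sharepoint.example-corp.com/sites/finance 200 5120
2024-05-01T09:13:44Z alice PUT https://filedrop.example/upload/q1-report.xlsx 201 884213
2024-05-01T09:15:10Z bob POST https://notes-saas.example/api/sync 200 2048
2024-05-01T09:16:02Z bob GET https://mail.example-corp.com/inbox 200 3100
2024-05-01T09:20:31Z carol PUT https://filedrop.example/upload/customers.csv 201 1203394
2024-05-01T09:22:00Z carol GET https://notes-saas.example/login 200 900
"""


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, nbytes = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return {"ts": ts, "user": user, "method": method, "host": host.lower(),
            "status": int(status), "bytes": int(nbytes)}


def classify(host):
    """Map a destination host to its policy state."""
    if host in APPROVED:
        return "approved"
    if host in BANNED:
        return "banned"
    return "unknown"  # never evaluated by IT: the actual shadow IT


def inventory(log_text):
    """Per-host summary: policy class, users seen, requests, bytes uploaded."""
    summary = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than abort the audit
        entry = summary.setdefault(rec["host"], {
            "class": classify(rec["host"]), "users": set(),
            "requests": 0, "uploaded_bytes": 0})
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in ("PUT", "POST"):  # data leaving the organization
            entry["uploaded_bytes"] += rec["bytes"]
    return summary


def review_queue(summary, upload_threshold=100_000):
    """Hosts needing attention: any banned service with traffic, or an
    unknown service that has received uploads at or above the threshold."""
    queue = []
    for host, e in summary.items():
        flag = e["class"] == "banned" or (
            e["class"] == "unknown" and e["uploaded_bytes"] >= upload_threshold)
        if flag:
            queue.append((host, e["class"], sorted(e["users"]), e["uploaded_bytes"]))
    return sorted(queue, key=lambda q: -q[3])  # largest upload volume first


if __name__ == "__main__":
    inv = inventory(SAMPLE_LOG)
    for host, cls, users, up in review_queue(inv):
        print(f"{cls:8} {host:28} users={','.join(users)} uploaded={up}")
```

On the constructed log, the only host queued is the banned file-sharing site, to which two users pushed about 2 MB of spreadsheets; the unknown note-taking service stays off the queue because its upload volume is small, but it still appears in the inventory as "unknown" and is exactly the kind of service the evaluation step should vet. A production version would replace the two literal sets with the organization's asset register and use the Public Suffix List rather than exact host matches.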
IT also needs to look into mobile device management programs to control shadow IT, since much of the activity is a result of BYOD and personal application use. As more people turn to their personal devices for work, and want to work anywhere, shadow IT will continue to expand and present problems. If you acknowledge the issue and take steps to prevent it, though, you can remain in compliance and better maintain your data security.