It starts simply enough: An employee wants to access some work while spending a few days at the beach with the family. So he uploads a few files to an online storage service to work on over the weekend. Then one of his colleagues finds a great application that makes project management a breeze, so she invites the rest of her team to join up and use the platform to stay on top of their tasks. Next thing you know, there are literally dozens of applications being used — on the company networks — to store and transmit corporate data, all without the authorization or approval of IT.
Welcome to the world of shadow IT, the dark side of the consumerization of IT. Armed with credit cards (unless the service is free) and a Web browser, often on a personally owned and maintained device, employees are circumventing the sometimes onerous IT processes required to install and use new tools, and taking matters into their own hands. With the proliferation of Software as a Service (SaaS) providers using the cloud, an individual can often find a company that is willing and able to do what they need, from storing files to crunching numbers, in a fraction of the time it takes for the IT department to evaluate and procure the same service.
It might seem harmless — after all, what is wrong with employees being proactive with an eye toward improving productivity? — but as it turns out shadow IT can be very harmful, especially when it comes to compliance.
Compliance: Not Just a Buzzword
In many industries, compliance with industry and federal regulations is no laughing matter. Companies that accept credit card payments, for example, must adhere to the Payment Card Industry Data Security Standard, or risk sanctions, fines, and even total shutdowns — especially if there is a data breach. Health care organizations are bound to HIPAA regulations that protect patient information. In fact, some sort of regulation, with significant consequences for noncompliance, binds almost every industry and enterprise.
So what does shadow IT have to do with that? It causes problems in several areas:
1. When employees use unapproved SaaS or programs, the organization loses control over the data. There is no way for IT security to ensure that the provider's security standards meet the requirements of the regulations in terms of encryption, backups, and access management, for example.
2. Software installed without IT’s knowledge is not managed within the software asset manager, which monitors and controls software licenses to ensure compliance. The discovery of unlicensed or unreported software could lead to an audit, as well as fines and other sanctions.
3. Cloud-based SaaS providers, while convenient, may not meet compliance regulations in terms of system reliability or documentation. Should a breach occur because of data being transmitted via these services, the business could face stiffer penalties.
Out of the Shadows
Cloud services that are being used “under the radar” may increase productivity and reduce costs (at least short term) but they are dangerous. Companies need to take steps to bring these practices out of the shadows and into the forefront. That usually begins with an extensive manual audit of the services being used on the network, and a comprehensive evaluation to determine which services are acceptable and which are banned from use for corporate data.
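One concrete form the audit above can take is a pass over the web-proxy logs that flags traffic to services IT has not approved, along with who used them and how much data was uploaded. The script below is an added example, not from the original article; the sanctioned-domain list, the hostnames, and the log lines are all constructed for illustration.

```python
# Added example (not from the original article): a minimal shadow-IT
# discovery pass over web-proxy logs. Sanctioned/unsanctioned domain
# lists and the log lines below are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed list of SaaS domains that IT has reviewed and approved.
SANCTIONED = {"sharepoint.example-corp.com", "mail.example-corp.com"}

# Constructed proxy log lines: timestamp user method url status bytes_out
PROXY_LOG = """\
2024-03-01T09:12:03Z alice POST https://files-drop.example.net/upload 200 5242880
2024-03-01T09:15:44Z alice GET  https://sharepoint.example-corp.com/doc.docx 200 0
2024-03-01T10:02:10Z bob   POST https://taskboard.example.org/api/cards 201 2048
2024-03-01T10:05:31Z carol POST https://files-drop.example.net/upload 200 1048576
2024-03-01T11:40:00Z bob   GET  https://taskboard.example.org/board/7 200 0
"""

def parse_line(line):
    """Split one constructed proxy line into (user, host, bytes_out)."""
    _ts, user, _method, url, _status, bytes_out = line.split()
    return user, urlsplit(url).hostname, int(bytes_out)

def unsanctioned_services(log_text, sanctioned=SANCTIONED):
    """Aggregate traffic to hosts that are not on the approved list.

    Returns {host: {"users": set_of_users, "bytes_out": total_uploaded}},
    which is the evidence a compliance review needs: who is using the
    service and how much corporate data has already left the network.
    """
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, host, bytes_out = parse_line(line)
        if host in sanctioned:
            continue  # approved service; nothing to flag
        report[host]["users"].add(user)
        report[host]["bytes_out"] += bytes_out
    return dict(report)

if __name__ == "__main__":
    # Largest upload volume first: that is where the compliance exposure is.
    for host, info in sorted(unsanctioned_services(PROXY_LOG).items(),
                             key=lambda kv: -kv[1]["bytes_out"]):
        print(f"{host}: {len(info['users'])} user(s), "
              f"{info['bytes_out']} bytes uploaded")
```

The resulting list of hosts is the input to the evaluation step: each one is either added to the sanctioned set or blocked at the proxy for corporate data.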
IT also needs to look into mobile device management programs to control shadow IT, since much of the activity is a result of BYOD and personal application use. As more people turn to their personal devices for work, and want to work anywhere, shadow IT will continue to expand and present problems. If you acknowledge the issue and take steps to prevent it, though, you can remain in compliance and better maintain your data security.