When frustrated end users circumvent the IT department and start using SaaS applications without permission, IT pros complain about the plague they call "shadow IT.” But it seems that some IT professionals are also operating in the shadow according to a recent report entitled “The Hidden Truth behind Shadow IT,” which is the result of collaboration between Frost & Sullivan and McAfee. The survey asked 300 IT professionals and 300 line-of-business employees whether they used SaaS applications in their jobs without official approval. Eighty percent admitted they did, with only 19% of the business employees and 17% of IT claiming to be innocent.
In fact, despite the barriers to cloud computing, 93 percent of business units—from sales to operations to marketing and more— say they are leveraging the cloud for services they need to conduct business, according to another survey by cloud IT operations specialist 2nd Watch. "What really surprised us was how much shadow IT was going on," says Matt Gerber, executive vice president of 2nd Watch. "It's more than we thought, and there's less involvement from central IT than we thought." 2nd Watch conducted its 2013 Cloud Services Adoption Rate Survey in December 2013. It surveyed 133 U.S.-based respondents from organizations of all sizes, all with titles of CIO, executive vice president, IT manager or developer. The respondents represented a wide range of industries, with the highest percentage in high tech (37 percent). The survey found that just 43 percent of IT departments plan to develop a cloud services brokerage model to keep up with demand. Those IT departments planning to deploy a cloud services brokerage model want to deliver between 75 percent and 100 percent of cloud services to their enterprise business units by 2016.
The favorite types of non-approved SaaS applications for all 600 who responded to the Frost & Sullivan and McAfee survey were related to business productivity, social media, file-sharing, storage and back-up. The most popular non-approved SaaS applications included Microsoft Office 365, Google Apps, Dropbox and Apple iCloud. The report also indicates that these employees readily acknowledge the risks and liability in what they are doing. “More than 80% of respondents presumably feel justified in continuing to use non-approved services without ensuring that protective IT policies are applied,” the survey report states. There’s the sense that “the end justifies the means,” the report notes.
The idea of the threat of “shadow IT” has grown with the expanded use of cloud-based applications that can easily and often cheaply be brought into use without the IT department knowing about it. For the IT department, the reaction has often been, “Oh poor IT, if we could only stop the employees from doing this,” says Jennifer Geisler, senior director in McAfee’s network security division.
What can be done about “shadow IT,” especially since IT employees as much as any others may be implicated in it all? Geisler says the first step is nailing down policies, with the chief information security officer setting the tone in terms of confronting the need to use SaaS in a way that satisfies compliance and security requirements. Technologies for monitoring and controlling SaaS can also be applied, but trying to shut down SaaS entirely is hardly feasible. SaaS is often a creative way to do business, especially with younger employees, the report notes. But those in charge of IT security have to set up viable ways to control passwords, identity and access management, encryption, and data-loss prevention, for example, as part of SaaS usage. With IT personnel confessing they are part of the “shadow IT” problem, Geisler suggests, the IT department “can no longer just point the finger” at the rest of the company.
2nd Watch's offers a similar opinion, That is a compliance and governance framework. If IT can't provision cloud services at the speed the business demands, at least it can provide a list of sanctioned reference architectures that business units can choose from when selecting services. That way, even if you can't provision the services, you can at least ensure a certain level of reliability, availability and security in the cloud services the business units procure.