Thanks to increased adoption of SaaS, cloud infrastructure and cloud platforms, many business units (BUs) within organizations are able to innovate at a faster rate than before. This also means bypassing IT, as a BU no longer needs IT to provision new infrastructure. Industry vendors and analysts often term this “Shadow IT”. Shadow IT can put IT audit and compliance teams in a tough spot, as they cannot assure the security and compliance posture of their organization. In many cases, central IT may not even be aware that the Shadow IT exists.
However, when talking about “Shadow IT”, it would be shortsighted to limit the discussion to just what employees are doing. While SaaS adoption is a major factor in creating Shadow IT, there is also increased adoption of Infrastructure as a Service (IaaS) and integration with cloud services through APIs. The other side of the equation is BUs providing services to partners and customers without IT being aware of it.
Despite these risks, it is not recommended that IT take a control-oriented approach to Shadow IT. Such an approach would often backfire, and business units would view IT as getting in the way of doing business.
Whatever you do, do not panic and shut down BU usage of cloud services.
Step 1 of a viable IT tactic for dealing with the risk presented by Shadow IT is to discover it. Using new tools provided by many vendors, IT can discover the Shadow IT in their organization. This is not a one-time exercise and has to become part of the regular IT cadence.
Armed with this knowledge, IT should talk to the business units that are doing Shadow IT to understand their requirements and how IT can supplement them to secure their usage of cloud services. This should be done in a collaborative manner.
Once the cloud services that are at risk have been identified and a business discussion has taken place with the business units, IT should define security policies to enforce, based on a risk assessment for their organization. These security policies can be enforced with a cloud security gateway available in the market.
In future posts, I will discuss some examples of discovering Cloud Services and example Cloud Security policies.