by Raimund Genes
A study published by the Cloud Security Alliance recently found that more than half of IT professionals (54%) think they have 10 or fewer cloud-based apps running in their organisation. Some 87% said that they had 50 or fewer applications running in the cloud. Just one look at vendors’ download figures shows that in both cases IT massively underestimates the number, which probably sits in the low to mid-hundreds.
You can’t secure what you can’t see
The problem with this lack of visibility into what employees are using is that it can lead to serious security gaps. Many consumer-grade services simply don’t match corporate levels of data security and integrity, and even those that do may need bolstering with extra third-party security tools. With 2014 fast becoming The Year of the Data Breach, threats to company systems have never been higher. So what’s to be done?
Well, first up, it’s important to remember that your employees aren’t using shadow IT to deliberately ruin your day or get the organisation hacked. They’re doing it because IT-sanctioned tools aren’t able to do what they need them to do. More often than not an individual will get his or her credit card out to buy some Amazon instances or Salesforce.com subscriptions for an ad hoc project because the IT department has said “no”.
Change your tune
It’s time for IT to change this attitude. Shadow IT is happening up and down the country. You can’t turn the clock back, so let’s find ways to allow it in a secure, manageable way.
Here are a few more do’s and don’ts to help you formulate a strategy:
Do – use discovery tools to work out what’s being used in the organisation
Do – follow-up with interviews to help you understand why certain shadow IT services are favoured
Do – draw up a shortlist of providers of pre-vetted, enterprise-grade IaaS, PaaS and SaaS services on the back of this
Don’t – even think about putting anything on that list that isn’t as good or better than the tools currently being used by staff
Don’t – put anything on that list that doesn’t meet your high standards around data security and service integrity
Do – block unsanctioned “shadow IT” services once you have these pre-approved alternatives in place
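To make the first and last “Do” steps concrete, here is an added example (not code from the original post or from any vendor’s discovery product) showing the core of what a discovery tool does: it parses web-proxy access logs, maps hostnames to cloud services, counts requests and distinct users per service, and then flags every service that is not on the pre-approved shortlist. The log lines, the service catalogue and the sanctioned list are all constructed for illustration; a real deployment would feed it a proxy or firewall export and a much larger catalogue.

```python
# Added example: inventory cloud services seen in a web-proxy log and flag
# those that are not on the pre-approved shortlist. Log lines, catalogue
# and sanctioned list are constructed for illustration.
from collections import defaultdict
import re

# Constructed Squid-style access log lines, field order:
# timestamp, elapsed ms, client IP, status, bytes, method, URL, user, hierarchy, content-type
SAMPLE_LOG = """\
1717000001.123 245 10.0.1.15 TCP_MISS/200 5120 GET https://app.salesforce.com/home alice DIRECT/- text/html
1717000002.456 180 10.0.1.22 TCP_MISS/200 2048 POST https://api.dropbox.com/2/files/upload bob DIRECT/- application/json
1717000003.789 300 10.0.1.15 TCP_MISS/200 8192 GET https://ec2.amazonaws.com/ alice DIRECT/- text/html
1717000004.001 120 10.0.1.30 TCP_MISS/200 1024 GET https://www.example-notes-app.com/sync carol DIRECT/- application/json
1717000005.222 210 10.0.1.22 TCP_MISS/200 4096 GET https://app.salesforce.com/reports bob DIRECT/- text/html
1717000006.333 150 10.0.1.41 TCP_MISS/200 512 GET https://api.dropbox.com/2/files/list_folder dave DIRECT/- application/json
"""

# Constructed catalogue: domain suffix -> (service name, service category).
SERVICE_CATALOGUE = {
    "salesforce.com": ("Salesforce", "SaaS"),
    "dropbox.com": ("Dropbox", "SaaS"),
    "amazonaws.com": ("Amazon Web Services", "IaaS"),
}

# Constructed shortlist of pre-vetted, enterprise-grade services.
# Anything seen in the logs that is not here counts as shadow IT.
SANCTIONED = {"Salesforce", "Amazon Web Services"}

URL_HOST = re.compile(r"^https?://([^/:\s]+)")


def host_of(url):
    """Extract the lower-cased hostname from a URL, or None if it has none."""
    m = URL_HOST.match(url)
    return m.group(1).lower() if m else None


def classify(host):
    """Map a hostname to (service, category) by domain suffix; unknown hosts
    keep their hostname as the service name so they still show up."""
    for suffix, (name, category) in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name, category
    return host, "unknown"


def parse_line(line):
    """Pull client IP, URL and user out of one access-log line."""
    parts = line.split()
    if len(parts) < 8:
        return None  # truncated or malformed line, skip it
    return {"client": parts[2], "url": parts[6], "user": parts[7]}


def discover(log_text):
    """Return {service: {"category", "requests", "users"}} for every service seen."""
    seen = defaultdict(lambda: {"category": None, "requests": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = host_of(rec["url"])
        if not host:
            continue
        name, category = classify(host)
        entry = seen[name]
        entry["category"] = category
        entry["requests"] += 1
        entry["users"].add(rec["user"])
    return dict(seen)


def unsanctioned(inventory, sanctioned=SANCTIONED):
    """Services in the inventory that are not on the pre-approved shortlist."""
    return {name: info for name, info in inventory.items() if name not in sanctioned}


if __name__ == "__main__":
    inv = discover(SAMPLE_LOG)
    for name, info in sorted(inv.items(), key=lambda kv: -kv[1]["requests"]):
        flag = "" if name in SANCTIONED else "  <-- not on approved list"
        print(f"{name:28} {info['category']:8} {info['requests']:3} requests, "
              f"{len(info['users'])} users{flag}")
```

The output of `discover` is the raw material for the follow-up interviews (the user sets tell you who to ask and which teams favour which service), while `unsanctioned` is the candidate block list for the final step. Note that the unknown host is reported rather than dropped: a discovery tool that only recognises catalogued services will miss exactly the small, niche apps that staff are most likely to have adopted on their own.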