Unintended consequences — that’s what happens when employees use unauthorized external IT resources without IT’s knowledge.
It’s not that IT won’t allow it; heck, they might have a better option available…but neither will know without mutual awareness.
Shadow IT is a growing problem for organizations of all sizes and types.
So do yourself and your company a favor: get approval first!
Emphasis in red added by me.
Brian Wood, VP Marketing
The Growing Risks of Shadow IT within Organizations
In an organization “there are typically 5-10 times more cloud services being used than are known by IT,” according to Cisco Services senior director Robert Dimicco. These cloud services are brought into organizations without the IT department’s knowledge or approval.
But this tends not to be an act of intentional disobedience or rebellion. Staff bring in cloud services that help them and their teams solve problems, unaware that these applications could cause security risks.
These applications that exist within an organization and aren’t known by IT staff are known as “Shadow IT”, and they are an increasing cause for concern.
In a recent blog post, Dimicco drew upon his experience meeting with Cisco clients to identify some major risks related to Shadow IT.
To begin with, data security requires strong processes and controls that enable IT to track how information is being shared in the cloud. It’s even harder when IT doesn’t know what applications have access to data, making it more difficult to keep information safe.
Once breached, a company having its information stolen or sensitive information accidentally shared with people who shouldn’t have access, can ruin a brand’s competitive advantage, seriously hurt their reputation, and perhaps even put customers in danger.
Additionally, regulations in industries such as healthcare, finance and the public sector around data controls, retainment, and privacy can be hard to enforce without understanding how individuals and applications interact with data. Again, not even knowing what services have access to data leaves IT unable to implement data control policies that keep data safe and compliant with regulations.
Another risk is that certain services that comprise Shadow IT could vanish by going out of business, being purchased, or undergo a fundamental change to their service. Smart IT providers know to choose services that are likely to be around in the foreseeable future, or have contingency plans in case one service falls through. If a service suddenly stops, the company risks losing data, but also the functionality provided by these Shadow IT services.
Finally, there are financial risks – or more accurately, inefficiencies – given the amount of money staff could be spending on Shadow IT. For instance, Dimicco said he knew of one company that spent nearly a million dollars annually on Shadow IT. By buying services on an individual basis, companies are wasting money by purchasing duplicate cloud services, and losing out on being able to negotiate bulk contracts.
This all shapes up to make Shadow IT seem like a major hurdle for organizations. Even ones that are not implementing cloud computing are increasingly being forced to deal with many of the security implications because of their staff’s use of cloud services.
Implementing strict policies around what applications employees can use is one method of dealing with Shadow IT, but this authoritarian approach doesn’t sit well with many employees who are simply trying to be productive employees. Part of the solution should be to provide staff with the cloud services they need, but from approved vendors with the necessary controls.
Consultancy services such as Cisco’s Data Center Assessment for Cloud Consumption can help identify Shadow IT and areas where cloud services can be implemented securely and cost-effectively.
There are also software solutions from providers such as Skyhigh, FireLayers, and SkyFence that provide network security visibility needed to identify Shadow IT applications and set an appropriate course of action.
Shadow IT seems almost inevitable in most organizations as it becomes increasingly easy to deploy applications, and staff continue to want to do more. As IT service providers, it’s important to realize that these applications have the power to cause organizations harm.
Users often only resort to Shadow IT because they aren’t given the right approved tools, so it’s important for IT departments to work with help provide these solutions – often as a Software-as-a-Service applications – so that they don’t have to resort to other potentially dangerous services.
Beyond Data Security…Five Biggest Risks of Shadow Cloud IT Services
About two years ago, I went into a customer workshop on private cloud. As we were introducing ourselves around the table, the CIO turned to me with a pained expression and said, “Bob I have a different problem. My CFO and CEO just asked me if I knew how many of our users were accessing cloud services. They asked me if I knew how much we were spending or if there were any risks.” He said, “I don’t know the answers, and I don’t have a plan.”
In the months that followed, I would have countless other conversations with CIOs, that highlighted an emerging challenge—shadow IT. Shadow IT turns up when business groups implement a public cloud service without the knowledge of IT. In working with our customers, we have found that there are typically 5-10 times more cloud services being used than are known by IT.
The conversations I had with customers highlighted that shadow IT was creating several challenges—from monitoring cloud costs to managing service providers. One of the significant challenges with shadow IT is risk to the business. Specifically, we have seen five categories of risk arise:
#1 Data Security Risks
Company information being shared externally due to a cloud service breach is among our customers’ worst nightmares. Cloud vendors work hard to protect customers’ data. However, it falls to the business to know where their information lives and to protect it.
A security officer of a global non-profit organization recently shared with me that his organization wanted to use cloud services to help connect with donors and manage operations. However, they weren’t set up to govern providers and have no idea how donor information was being shared with cloud vendors. Many of our customers tell us they don’t have strong processes to manage cloud vendors, can’t track how their information is being shared, and often don’t know how vendors are keeping their information safe.
#2 Brand Risks
Brand risk goes hand-in-hand with a potential data security breach. If company information is stolen, or shared inappropriately, the consequences to an organization’s brand is immeasurable. Not only can a breach lead to negative press and customer backlash, but can also result in financial damages.
#3 Compliance Risks
Globally, organizations face evolving and expanding regulations that require them to retain information, maintain privacy, give people the ‘right to be forgotten,’ and more. As cloud services are used across all business functions, companies face the risk of falling out of compliance. Our customers tell us that violations are becoming more frequent as those responsible for enforcing compliance become less aware of what services are being used. Also, employees often don’t understand when using a cloud service can trigger compliance issues.
#4 Business Continuity Risks
Businesses need to ensure that cloud vendors they are using have strong business fundamentals or risk losing valuable corporate information if a vendor goes out of business or is purchased. Last year, a cloud storage provider Nirvanix went out of business and gave customers less than one month to move their data or risk losing it forever. These types of abrupt changes can lead to significant challenges in maintaining business continuity.
#5 Financial Risks
Recently, we helped a global equipment manufacturer discover that their employees were using over 630 cloud services, 90 percent of which were unknown to IT. These unknown services cost them nearly a million dollars annually. Costs are spiraling as businesses unknowingly purchase duplicate cloud services and lose their power to negotiate bulk contracts.
Identifying Cloud Risks With Cisco Cloud Consumption Services
The first step to managing the risks of shadow IT is to identify where you might face exposure. To help customers with this challenge, Cisco has introduced a new service designed to identify the business risks and costs resulting from shadow IT.
With Cisco Cloud Consumption Services, customers can know which public cloud services are being used in their business, become more agile, reduce risks, and optimize public cloud costs.
Using collection tools in the network, we help customers find out what cloud services are being used by employees across their entire organization. Our cloud experts then help customers identify and manage cloud security risks and compliance issues. Using a proprietary database of cloud vendors, we help companies identify the risk profile of services they are using and provide recommendations for managing these risks with stronger cloud service provider governance. The service also helps customers determine what they are really spending on cloud and find ways to save money.
Additionally, Cisco Cloud Consumption Services helps companies develop new processes for managing cloud vendors, from onboarding to termination. We help customers to proactively manage risks and deliver new services faster by establishing stronger cloud service management practices.
You can learn more about how we can help you understand your cloud usage and identify risks to your business at www.cisco.com/go/cloudconsumption
Many leaders that I speak with feel like they do not have a shadow IT problem, citing that their security protocols were set up to protect them. Think this is you? Think again! Recently we worked with a provincial government and discovered that they had over 650 public cloud services being used by their organization, despite blocking 90 percent of internet traffic. Simply put, if your employees have access to the internet, you have a shadow IT challenge.
I’d be interested to hear from you as to whether you feel you have challenges with shadow IT and what the risks could be. I look forward to your comments!