April 22, 2015 | Written by: Staff Writer
Easy steps for embracing, and benefiting from, rogue IT
Shadow or rogue IT has long been a worry to IT departments. The prevalence of the cloud takes that shadow activity, and the accompanying anxiety, to a whole new level.
Even so, savvy IT executives can leverage the shadow cloud as an important window into users’ needs and priorities, and convert management of the shadow cloud into an opportunity to collaborate with business groups. To do that, IT must understand exactly which services these shadowy users are embracing, choose the level of acceptance that will be granted to each, and educate users about those choices.
“IT needs to change, and to admit that they no longer know best what users need to do their jobs,” says John Pescatore, a director at the Bethesda, Md.-based SANS Institute, the world’s largest source of information security training. “IT’s role needs to move from dictating the technology portfolio to managing the portfolio.”
The cloud has made that immensely more complicated, significantly accelerating the growth of shadow IT within organizations, says Kamal Shah, vice president of products and marketing at Skyhigh Networks, a Campbell, Calif.-based cloud security company.
In earlier forms of shadow IT, users had to at least go out and buy something to get around the IT department, says Shah. With the popularity of free or freemium software, that’s no longer true. And the rise of the iPhone and the app store means that many employees are using mobile devices that have the cloud built into them. Once those devices are used for work-related tasks, employees unwittingly drag the shadow cloud into the organization.
IT should begin by determining exactly which services employees are using. After conducting an automated audit, most organizations find that the shadow cloud is more varied, and more pervasive, than suspected. “IT may say, okay, people are using 50 to 100 services,” says Shah. “Actually, on average, we’ve found it’s 923.” The average employee, according to Skyhigh’s research, uses 28 cloud services, including three just for file sharing. The most popular consumer cloud services found in the enterprise are Facebook, Twitter, and YouTube, according to Skyhigh, but the top 20 also include Gmail, Dropbox, and SlideShare.
Shah stresses that employees are generally using cloud for the right reasons — because the cloud allows them to be more productive. Pescatore agrees, saying he was once approached by an IT manager within the HR function of a company whose email limit was too small to allow her to receive resumes, in bulk, from a recruiter. So she set up a Dropbox account.
“Here’s an IT manager bringing in shadow IT to her own organization,” says Pescatore. “They could have just had a bake sale for IT so they would have had the money to raise everyone’s email limit!”
IT’s next task is to proactively enable the services that are the most appropriate, and present them to users as desirable alternatives to less attractive candidates. Rather than banning file-sharing applications, for example, IT can choose one to standardize on, and explain to users why it was chosen (it may be the most secure, for example).
Pescatore says that IT can also tier the acceptable services to give users a range of choices. The first tier of services is those that IT chooses to fully support. When appropriate, the company will create and pay for a corporate account.
The next tier of services is those that IT acknowledges to be enterprise-class, but the helpdesk isn’t going to be fully trained on them. If a user can’t get the service to work, the IT department will try its best to help, but there are no guarantees. The business units will be charged back for support calls.
The last tier is simple: Users are on their own.
Of course, some apps aren’t put into tiers at all – they’re banned. “You have to hold the line at consumer data or at data that is covered by regulations,” says Pescatore. “There has to be an active effort to say this data cannot go out unapproved, or by unapproved means, and it is a firing offense, because of what the organization stands to lose if that data is exposed.”
He also urges the IT department to take a skeptical look at services that appear to be free or ad-supported. Software is often free, he says, because the maker of the software is monitoring where the user is going and is selling that information. “If IT can pay to remove those advertising hooks, that can be a pretty important way to protect data and knowledge of corporate emails,” says Pescatore.
It’s also important, Shah says, for users to understand why a certain service is suddenly off-limits. He suggests a pop-up that appears on screens as users attempt to access a banned service. In the case of a file-sharing service, the pop-up could state that the company has decided to standardize on a different file-sharing service, because the one the employee has chosen does not offer appropriate encryption and puts the business at risk. “The employee understands that. It makes sense,” says Shah. “We call it just-in-time education.” The shadow cloud gives IT departments an opportunity to get up to speed quickly, as well.