Comment: Securely Embracing ‘Shadow-IT’ – the Apps an IT Department Can’t Control

Simon Bain discusses how IT departments can embrace Shadow-IT
Simon Bain discusses how IT departments can embrace Shadow-IT

For what seems like an eternity, IT departments have been worried about overspending, projects running late and even website frailties and attacks – all of which are laudable concerns and ones that should be kept in mind. But today there is an even larger concern, and it’s called ‘Shadow-IT.’

Shadow-IT is cases where users decide they need a service, one that the IT department will not, or cannot, provide to them in a timely manner. In other words, the hardware or software adopts ‘a life in the shadows’ as opposed to being sanctioned and supported by the CIO and corporate IT departments. In the past shadow IT included smartphones, portable USB drives and tablet computers on the hardware side and applications such as Gmail, instant messaging services and Skype. The newest Shadow-IT now encompasses cloud storage, cloud address books, cloud popup notes, and so on.

Shadow IT brings with it bandwidth and protocol support issues, not to mention security and compliance risks. In simple terms, who needs external hackers when you have internal users, plastering the internet with all of your sales records, or internal spread sheets, in an unprotected and insecure way.

Of course, users want these services. After all, Dropbox, Sky Drive, G-Drive, Evernote and all of the other cloud-based services do a great job of helping us as users access and share our information. They are simple to use, universally compatible applications, unlike some clunky corporate IT systems. But this is where the partnership can fall down. These services, as good as they are, have been designed for consumer use, not for use in an environment required to keep an organization’s information and customer details secure but accessible.

Shadow-IT (not my phrase by the way) is growing and helping both organizations and IT departments save money and work more effectively. In fact, according to PwC, between 15% and 30% of IT spending now occurs outside the standard consolidated budget of the IT department, which has its benefits and drawbacks. However, users need to take a breath and think about what information is being shared within these applications.

In addition, IT departments need to look at how they can work with users – yes, with them and not against them – to encourage productive spending and Shadow-IT that will aid and not harm corporate networks and business goals. Users want the simplicity of these shadow applications, not a complex IT department corporate system, which is why they are using them and not an expensive, difficult-to-implement document management system. Users find a downloadable app and free use of 2.5GB that fills their needs, and they’re on their way. Perfect.

At the same time, IT departments need to be confident in its organizational control, while adhering to budgets. Instead of reinventing the wheel, IT departments needs to consider how it can enhance and add additional functionality to these downloadable apps that addresses issues surrounding security. This returns control of enterprises’ IT, ensuring compatibility with unsupported technology.

My further advice to IT departments: Work with your CFO and the departments that are implementing technology on their own and find out what they need and why they are making certain purchasing/usage decisions. Add to these existing offerings. Do not implement a massive over-priced solution that is too hard to use or just ban users from deploying these outside, ‘unsanctioned’ applications. Look around and see how you can extend them; add the security the corporate entity needs and the additional functionality users crave.

IT departments will never be able to totally stop employees from bringing in personal devices and handpicked services, but you can get a better handle on the situation, and in the process embrace this shadow culture without being scared of it.


Simon Bain is the company founder, CTO and chief architect of Simplexo Ltd's software solutions.

What’s hot on Infosecurity Magazine?