The challenges of shadow IT in a bring-your-own-cloud world

A long time ago, in an IT company far, far away, I would carry in a Compaq Portable so I could get my work done. Today, while the PC may have changed, not much else has when it comes to IT and the cloud — and especially shadow IT.

Today, as Dr. Robert (Bobby) Blumofe, Akamai's CTO and executive vice president, said, "I used to say that there are two kinds of enterprises: those that use cloud and know it, and those that use cloud and don’t know it. My point was that your developers are using the cloud whether you like it or not, and whether you know it or not."

True, he said that "pretty much all enterprises are using the cloud and know it,” but that doesn’t mean that shadow IT no longer exists. “Of course, it does,” he said.

BYOD is back

Is shadow IT still that much of a problem? For sure, it’s been a long time since bring your own device (BYOD) was a major IT headache.

Mike Bushong, Juniper Networks' group VP of cloud-ready data center, thinks it's still a big deal.

"While shadow IT has largely been driven by the consumerization of IT, it has now become the most prevalent and concerning form of IT as companies shift to the cloud,” Bushong said.

More specifically, third-party clouds empower workers to use their own mobile devices (smartphones, tablets, and laptops) to access software-as-a-service (SaaS) apps and services without involving IT.

Used for the instant — and inexpensive — gratification of technology, users get frustrated by IT’s cautiousness and slow response to requests, so they take matters into their own hands. “While this can benefit users in the short term, it can be a risky problem for companies in the long run,” said Bushong.

Oren Teich, chief product officer of the Upbound cloud platform, told Silverlinings, "BYOD is about misaligning incentives. People brought their own computers to work because it helped them get their job done better,” he said. “I’ve used a Mac personally for a long time — first as contraband and now as part of the mainstream. I wasn’t setting out for BYO, I was aiming to work efficiently. With the cloud, that dynamic is still in play.”

People just want to get their job done with the best tools possible, and centralized teams are trying to manage risk and control, noted Teich. What’s different is that it’s not an either-or choice. “With modern tooling, teams can maintain oversight by using enterprise cloud computing control planes,” he added.

Bring your own cloud

There are other reasons people use their own cloud services. Often, it's because while C-level executives have decided that, say, Azure is the cat's meow, that doesn't mean developers feel the same way.

Or, in the reverse, while the IT staff may swear by Amazon Web Services (AWS), some departments still decide that they know best what their needs are and use another cloud.

As Ivo Ivanov, CEO of DE-CIX, an international carrier- and data-center-neutral Internet Exchange, explained, "Some companies ‘unofficially’ use third-party services without IT authorization, ignoring the company’s cloud strategy. This creates major headaches for cloud network architects, as data is routed through the public internet rather than secured clouds."

Simultaneously, as Srini Kadiyala, CTO of OvalEdge, a data governance consultancy, observed, “Shadow IT is increasingly moving out of the shadows, as more business groups make use of third-party cloud services or similar tech, sometimes with limited or no involvement from the organization’s IT group."

This can be useful if the company’s information security function has an organization-wide influence. In Kadiyala's opinion, "Sufficiently knowledgeable security teams with a big enough perspective can also spot where a shadow project is duplicating the work of something already existing and maybe even obviate the need for such a project.”

Not everyone is so optimistic, including Bushong. "Shadow IT can make any organization extremely vulnerable, especially with the rise in the adoption of cloud services,” he said. “Unsurprisingly, the first reaction of most CIOs is to shut it down. Still, that can be harder than one might think. There will always be users who go rogue, circumvent the rules, and try to sneak in the technology they believe makes their jobs easier.”

Embracing the challenge

Now, how to address the issue of folks going rogue? Bushong's advice is to address this issue without creating more problems.

“It is important to assess your shadow risk factors. These are security, integration, and operational,” he said. “But it’s not necessarily a bad thing that needs to be completely repressed. Your decision about how to address shadow IT will impact your users, your budget, your operations, and the security of your business.”

According to Bushong, “You have two options. Eliminate shadow IT because the security, compliance, and cost risks are too great. Or, for those who see that shadow IT advantages outweigh the risks, embrace it and enable users to be more productive, business units to be more agile, and customer-facing employees to improve service and loyalty."

Jamie MacQuarrie, the co-founder of the low-code software development platform company Appivo, agreed with him, "Shadow IT is always interesting. Vendors don’t mind it, users embrace it and it gives IT teams ulcers."

So, MacQuarrie believes, you should consider "embracing shadow IT.”

“By that, I don’t mean to let users do whatever they want,” he said. “Rather, it’s an opportunity for IT to really listen to their users.”

Shadow IT is one way that users tell IT that there are important unmet needs. “If it’s not something that IT can jump on immediately, then IT can evaluate and approve vendors/solutions for self-support by users. There are always nuances and exceptions, but IT can continue to control risk by providing users with an approved list of solutions that meet current shadow IT scenarios,” he added.

However, teams handle shadow IT and the cloud, they have to keep one thing firmly in mind — they will have to deal with it, they can't stop it. They can only seek to control it as best they can and use it to their benefit.