What is “Shadow IT”?
Wikipedia describes Shadow IT as:
In big organizations, shadow IT (also known as embedded IT, fake IT, stealth IT, rogue IT, feral IT, or client IT) refers to information technology (IT) systems deployed by departments other than the central IT department, to work around the shortcomings of the central information systems.
Shadow IT systems are an important source of innovation, and shadow systems may become prototypes for future central IT solutions. On the other hand, shadow IT solutions increase risks with organizational requirements for control, documentation, security, reliability, etc.
via Wikipedia [1]
My first thought after digesting some basic information is that Shadow IT sounds like people coming up with their own hacks to solve problems that the currently implemented “official” IT infrastructure does not address.
Some of these people are well-meaning: they think they have a better solution, or they simply don’t want to bother the IT department. Others know full well that what they are doing is against company IT policy but do it anyway, because it either lets them do their job at all or lets them do it faster and more efficiently.
Information systems in large organizations can be a source of frustration for their users. In order to bypass perceived limitations of solutions provided by a centralized IT department, other departments may build up independent IT resources to suit their specific or urgent requirements. It isn’t uncommon for resourceful departments to hire IT engineers and purchase or even develop software themselves, without knowledge, buy-in, or supervision from a centralized IT department.
via Wikipedia [1]
Check your company’s mission statement. My bet is it doesn’t say anything about following the diktats of the IT ministry. IT’s mission is to enable and support the business. To the extent it does so, it’s valuable. To the extent it prevents productivity, it is an obstacle to be circumvented.
via Equinix [2]
It has also been attributed to consumers in general becoming more aware of the options and solutions available to them as society moves to more broadly embrace all things cloud.
So why have so many technology solutions slipped through the hands of so many CIOs? I believe a confluence of events is behind the trend; there is the obvious consumerisation of IT, which has resulted in non-technical staff being much more aware of possible solutions to their business needs – they are more tech-savvy. There is also the fact that some CIOs and technology departments have been too slow to react to the business’s technology needs.
via CXO Unplugged
It also raises the question: what’s the point of a company IT policy if it isn’t going to be followed and enforced? How seriously employees take a policy is usually governed by that enforcement part. And yet this shadow IT problem seems to be running rampant.
How prevalent is this shadow IT problem?
Trying to get an exact figure on how prevalent shadow IT is would be difficult because the very nature of shadow IT seems to be that it’s done under the cover of darkness.
Why is shadow IT so hard to measure and track?
Shadow IT is notoriously hard to measure. Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations typically don’t volunteer these. As a notable exception, The Boeing Company has published an experience report describing the alarming numbers of shadow applications which various departments have introduced to work around the limitations of their official information system.
via Wikipedia
However, this clearly carries big risks and can have a significant impact.
When IT examines the use of cloud services across the organization, they generally find Shadow IT is 10 times more prevalent than they initially assumed. The average organization today uses over 1,427 different cloud services, derived from anonymized usage from over 30 million users across over 600 enterprises using McAfee CASB. Often IT departments discover many services in use that they have never heard of before. [4]
Shadow IT also brings a whole range of additional security problems into the picture, on top of the regular security processes and protocols that IT and/or the organization at large have officially implemented.
So, let’s think about it this way. On a good day, meaning no shadow IT going on at all and everything done by the book, only the infrastructure officially recognized by company IT is implemented and in use. Even in a normally functioning IT environment like that, there are still day-to-day threats that have to be dealt with. Now throw in additional shadow IT that the IT department doesn’t even know about, and are we really going to assume no security problems will arise from that? (Clearly we don’t, and shouldn’t, think that way.)
Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.
via Wikipedia
Another form of shadow IT comes by way of applications connected using OAuth, where a user authorizes access to a third-party application via a sanctioned application. For example, the user can use their Facebook credentials to log into Spotify or another 3rd party application via their corporate cloud app (Google G Suite or Microsoft Office 365). With this access, the 3rd party app may have excessive access to the sanctioned app, thereby introducing unintended risk.
via Wikipedia
Also, think about the expenditure side. If more than one department uses the same rogue app, and neither is aware of the other’s use of it, the company can essentially be paying double for the same rogue app if both department heads are sliding it through their expense accounts.
[Note: By these criteria for “shadow IT”, I do not think Equinix falls within the definition, as Equinix is not being deployed by these companies without their explicit consent. There’s nothing “shadow” or untoward going on.]
Sources:
[1] https://en.wikipedia.org/wiki/Shadow_IT
[2] https://blog.equinix.com/blog/2012/11/16/come-to-the-dark-side-embracing-shadow-it/
[3] https://www.cisco.com/c/en/us/products/security/what-is-shadow-it.html
[4] https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/what-is-shadow-it.html