This article was originally published by Telecom Reseller.
A recent CIO survey found that on average, most IT leaders believed they had only 30-40 apps running on their network—when in reality that number was over 900. The danger of that unknown could be exposing your company data and eating up as much as 40-50% of your IT budget, according to Gartner and Everest Group. Can the challenges of unsanctioned cloud applications be stopped? Here’s a quick guide to shadow IT and how to handle the blind spots.
Shadow IT is a term used to describe SaaS applications and cloud-based systems and services (think PaaS and IaaS) implemented and used without explicit approval from the corporate IT department. It refers to the unauthorized cloud applications running on your network that the IT team knows nothing about. Similarly, “stealth IT” describes solutions implemented by departments other than IT.
Ideally, IT departments provide guidance to the corporate enterprise on technology solutions, systems, and services, helping them create a controlled and secure IT environment. But the cloud and shadow IT shatter that ideal. Today, every employee with a device and a credit card can threaten the security of the corporate IT environment just by conducting business as usual.
Shadow IT has benefits but also comes with serious security consequences.
SaaS applications are considered an important source of employee productivity and innovation, and their widespread availability allows services to be deployed rapidly and at lower cost, without the IT team taking on the burden of deployment. These services help departments be more agile, responding to changes rapidly and gaining access to resources that help them be competitive. But many times company data (and much more) is at stake.
Ultimately, shadow IT is a competitor to the internal IT operations and services, and is known to come with these risks:
The most dangerous threat, however, is the issue of scope awareness. For most, the shadow IT problem is far worse than they recognize. Remember that statistic from the CIO survey that says most have 888+ unknown apps running on their network? In highly-regulated industries such as healthcare and financial services, there were 20X more cloud apps than originally estimated. Furthermore, the cost of remediation can be significant. Gartner found that investments in shadow IT controls can exceed 40% of IT spending, and research from the Everest Group found that it comprises 50% or more.
Many factors continue to drive the shadow IT problem including:
So, can the cloud app problem be stopped?
With today’s easy access to SaaS applications, it’s virtually impossible to prevent shadow IT. Instead, technologies, policies, and processes should be in place to create checks and balances. All cloud applications must be identified, monitored, and managed from a security perspective.
Visibility is the first step, as IT departments require deep network visibility to understand the list of applications and services operating in their IT environment. The key is to eliminate the guesswork needed to identify unauthorized cloud application usage and to gain the insight needed without the added cost of purchasing a variety of endpoint security solutions.
Second, IT needs usage statistics. With a comprehensive list of applications and clarity on which ones are most popular, you can separate the known applications from the unknown and address the unsanctioned ones using a prioritized approach.
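The two steps above (an application inventory from network data, then usage statistics to prioritize the unsanctioned ones) can be sketched as follows. This is an added example, not code from the article or from any vendor product; the proxy log format, the host names, and the `SANCTIONED` allowlist are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample proxy log lines: "timestamp user destination_host bytes_out"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice app.sanctioned-crm.example 1200
2024-05-01T09:00:05Z bob files.unknown-share.example 5000000
2024-05-01T09:01:10Z carol files.unknown-share.example 7500000
2024-05-01T09:02:00Z alice notes.unknown-notes.example 300
2024-05-01T09:03:30Z bob app.sanctioned-crm.example 900
2024-05-01T09:04:00Z dave files.unknown-share.example 250000
malformed line without enough fields
2024-05-01T09:05:00Z alice notes.unknown-notes.example 450
"""

# Hypothetical allowlist of applications IT has approved
SANCTIONED = {"sanctioned-crm.example"}

def app_of(host):
    """Naive app key: last two DNS labels (a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, sanctioned):
    """Return per-app usage stats, unsanctioned and most widely used apps first."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of failing the whole run
        _, user, host, nbytes = parts
        s = stats[app_of(host)]
        s["users"].add(user)
        s["requests"] += 1
        s["bytes_out"] += int(nbytes)
    report = [
        {"app": app, "sanctioned": app in sanctioned, "users": len(s["users"]),
         "requests": s["requests"], "bytes_out": s["bytes_out"]}
        for app, s in stats.items()
    ]
    # Unsanctioned first, then by distinct users, then by data sent out
    report.sort(key=lambda r: (r["sanctioned"], -r["users"], -r["bytes_out"]))
    return report

if __name__ == "__main__":
    for row in discover(SAMPLE_LOG, SANCTIONED):
        label = "sanctioned" if row["sanctioned"] else "UNSANCTIONED"
        print(f'{row["app"]:28} {label:13} users={row["users"]} '
              f'requests={row["requests"]} bytes_out={row["bytes_out"]}')
```

Ranking by distinct users before outbound bytes puts the applications with the widest adoption at the top of the review queue; swap the sort key if data volume matters more in your environment.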
These questions and insights can help guide your risk mitigation plan:
When an IT department can get the application visibility and usage statistics all within the same network management portal it uses every day, creating a governance system for shadow IT becomes a simple part of IT management. Masergy’s Managed SD-WAN is one such service. Learn more about Masergy’s Shadow IT Discovery solution.
For more information on this topic, the IEEE produced a detailed article, “Shadow IT Evaluation Model,” which includes an in-depth discussion of how to evaluate shadow IT.