That Mysterious Shadow IT: 10 Things IT Administrators Need to Know

By Chris Preimesberger

Have you ever used your personal smartphone at work? Is your department the lone Google Docs adopter in the company? Guess what? That’s shadow IT. People using apps and devices for business without IT being aware aren’t nefarious; they’re just people trying to get jobs done fast and affordably using the most convenient tools available.

When people first began using Yahoo Messenger at work, IT administrators didn’t like it. Today, IM has become a valuable communications tool across workplaces. Shadow IT technologies such as mobile devices and unsanctioned cloud apps aren’t meant to do harm but are being used to save time and make employees more efficient.

The oft-heard bring-your-own-device (BYOD) concern is that someone will download content onto a mobile device and then lose the device. With passcodes and encryption, that’s yesterday’s problem. Uploading and sharing sensitive content in cloud apps is much more risky.

Because cloud storage apps are popular, content sharing is a well-known shadow IT problem. But shadow IT isn’t just about sharing files. It includes everything from medical companies using big data tools to crunch clinical trial data to unauthorized individuals downloading employee data from HR apps and business divisions adopting unsanctioned ERP apps.

While shadow IT can cause security problems such as data leaks, it can also create inefficiencies and get in the way of optimizing IT delivery. When line-of-business people buy separate instances of the same apps or redundant apps, the organization can’t take advantage of cost efficiencies or identify areas for optimizing performance and usage.

Sure, individuals perpetuate shadow IT. But entire divisions and lines of business are also culprits, buying and deploying instances of unsanctioned apps. For example, the marketing department at Brocade shared presentations with executives and external collaborators via Box.com out of convenience before realizing that IT needed to be involved for security oversight.

Increasingly, organizations—even at the division and remote-office level—are developing their own cloud or mobile apps. This is often outside of IT’s purview, and IT may not learn of it until there’s a performance problem or security breach.

True, shadow IT that’s run amok can create compliance holes. However, if IT can monitor and be assured that authorized employees have proper access to systems and data, and sensitive content is properly protected, it can ensure and report on regulatory compliance.

Because people love their cloud apps (or at least like them very, very much), they will bypass onerous security policies to be able to use them. A truism in IT: Blocking never works. It’s much better to find a way to allow employees to use the apps, even if only under specified conditions. That’s one reason Vegas.com embraces the cloud-based model and allows employees to use hundreds of apps of their choosing.

If IT can understand user activity and ensure that the right policies are enforced, it can let users go rogue with the apps they love. Take Universal Music Group as an example: When producers there needed cloud apps such as SoundCloud, for instance, to send content back and forth with artists and musicians, UMG adopted technology that let employees use such apps instead of banning them outright. Employees there now are using more than 500 apps of their choice at work, all sanctioned by IT.