Shadow IT a Concern for Federal IT CIOs

The report found that the average government organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. 

federal it and shadow it

Shadow IT is widely prevalent in government agencies, with the average public sector organization using 742 cloud services. That’s about 10 to 20 times more services than IT departments expect, according to a report from Skyhigh Networks.

Based on data from 200,000 public sector employees in the U. S. and Canada, the report found most cloud services deployed in the public sector are collaboration tools.

The average organization uses 120 distinct collaboration services – such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services.

The average employee uses 16.8 cloud services, including 2.9 content sharing services, 2.8 collaboration services, 2.6 social media services, and 1.3 file sharing services.

"Shadow IT puts IT in the uncomfortable position of saying no to employees using cloud apps they use to do their jobs, going as far as to block access to a cloud app using the federal government’s firewall or Web proxy," Kamal Shah, vice president of products and marketing at Skyhigh Networks, told eWEEK. "However, for every app that’s blocked, there’s evidence employees are finding other, lesser-known, potentially riskier services to use in its place."

Shah said instead of seeing shadow IT as a threat, innovative public sector IT departments will see shadow IT as an opportunity for employees to identify the applications they want to use. IT can then enable the ones that have gained traction and are enterprise-ready.

He noted that federal, state and local governments are accelerating their adoption of cloud services to achieve improved inter-agency collaboration, agility, and innovation, while diminishing IT complexity.

"However, security concerns around protecting data in the cloud from cyber- criminals and state-backed groups remain a barrier to adoption," he explained. "Federal requirements such as FedRAMP, FISMA, FIPS 140-2, and FITARA help to mitigate risk through stringent controls, but they are not sufficient."

Shah said agencies will need solutions that provide unparalleled visibility and risk assessment, usage and threat analytics, and seamless policy enforcement so they can confidently take advantage of the cloud to fulfill their mandates.

Security certainly appears to be an issue for federal IT pros. The report found only 10 percent of cloud services encrypt data stored at rest, 15 percent support multi-factor authentication, and 6 percent have ISO 27001 certification.

"Public sector entities need to enable IT-sanctioned cloud services by implementing data security controls," Shah said. "For example, IT needs to encrypt data with agency-controlled keys or tokenize data before it is uploaded to the cloud – making data indecipherable to any third parties. Where possible, IT needs a streamlined way to leverage FIPS 140-2 compliant encryption libraries to ensure the strength of encryption."