8/6/2015
12:02 PM

Shadow IT: It's Much Worse Than You Think

The number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted, according to a Cisco report. What's a CIO to do?


Most CIOs are aware that Shadow IT occurs within their organization. As it turns out, the problem may be much more prevalent than they ever imagined. A new Cisco report shows that the number of unauthorized cloud apps being used in the enterprise is 15 to 20 times higher than CIOs predicted. That means that the risk and added costs attributed to Shadow IT are also significantly underestimated. So what is a CIO to do?

I recently had the opportunity to discuss the topic of Shadow IT with Bob Dimicco, global leader and founder of Cisco's Cloud Consumption and Broker Services Practice. Dimicco and his team surveyed IT customers to gauge their estimates of how much shadow IT is happening within their organizations. Then, they compiled data from customer projects that portrays an explosion of Shadow IT in the enterprise. It also illustrates the obvious disconnect between what IT believes is happening and the factual evidence. The data used was collected directly off production networks over the past 18 months. It was collected from participating Cisco enterprise customers in the US, Europe, Canada and Australia operating across a wide range of business verticals.

According to Cisco: "IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used. And this challenge is only going to grow. One year ago, the multiple was seven times, six months ago it was 10 times, today it is 15 times and given the exponential growth of cloud we predict that by the end of this calendar year it will be 20 times or more than 1,000 external cloud services per company."


In every geographical region and across all industries, the results were strikingly similar. According to Dimicco: "When we got started, we were wondering, is there going to be one or two industries where this was going to be most prevalent? No, it's prevalent across all industries and this is consistent with the major countries in which we worked with customers."

Lest you think the data might be inaccurately skewed through the inclusion of personal apps or websites used by employees on the corporate network, think again. "When we do this sort of analysis based on traffic, we always eliminate websites," said Dimicco. "If someone's going to Yahoo, or someone's going to iTunes, those things are eliminated." Much of the Shadow IT Cisco discovered included Compute services such as Infrastructure-as-a-Service (IaaS) from AWS and Google, as well as multiple storage and backup service providers. On the Software-as-a-Service (SaaS) front, marketing and sales applications such as Salesforce.com dominated.

(Image: amisb/iStockphoto)

Why is this important? Shadow IT can increase your organization's risk of data loss. It also significantly increases overall IT operations cost. So what is a CIO to do?

Dimicco and his team developed a five-step, multi-year plan to move Shadow IT out of the shadows and bring it back under the oversight of IT through a Hybrid IT model. Essentially, the Hybrid IT model is an expansive list of IT-approved cloud services that employees use as they choose.

Before an IT department can even begin thinking about a Hybrid IT model, step one is to discover and identify which unauthorized cloud services are being used inside an organization. Cisco is (naturally) proposing its Cloud Consumption Services to assist in the discovery process. In fact, the company used the tool to compile the results for its Shadow IT report. According to the company, the tool can provide ongoing results to quickly identify new services favored by employees so they can be vetted and eventually added to the approved Hybrid IT services menu.

However you ultimately decide to handle the situation, know that the likelihood that Shadow IT can be completely eradicated from enterprise organizations is extremely slim. Rather, the goal for CIOs and IT departments should be to significantly reduce the need for employees to circumvent IT in order to perform their work duties. Ultimately, this will mean that IT departments will have to dramatically expand their portfolio of approved applications and cloud services they offer their end users. Just how many will that be for your organization? You'll never know until you get true visibility into how much Shadow IT is going on.

Andrew has well over a decade of enterprise networking under his belt through his consulting practice, which specializes in enterprise network architectures and datacenter build-outs and prior experience at organizations such as State Farm Insurance, United Airlines and the ...
Comments
kstaron
User Rank: Ninja
8/19/2015 | 11:36:22 AM
Employees and short-cuts
I agree, employees will take the fastest route. But since they don't always understand the dangers of using a non-approved app or program, it's up to managers to make sure the employees are trained to know what those are so they can help the IT department get their favored programs vetted instead of just taking down the firewall and getting it done. Sometimes protecting against data loss means it's slower, and as long as the approved programs can get the job done in a reasonable time frame all is well. It's when employees are waiting for the processes to work at all they turn to something else. If they have a process in place where they inform IT of a better program and IT is willing to try it you can develop a good hybrid culture with less shadow IT.
apptifred
User Rank: Apprentice
8/10/2015 | 7:14:06 AM
Users will always take shortcuts
Users are under constant pressure to perform their tasks, disregarding what IT departments have in their policies. Users will take necessary shortcuts and it's up to the CIO to see that the shortest shortcuts are provided by the IT department.
RiskIQBlogger
User Rank: Apprentice
8/8/2015 | 5:01:56 PM
Shadow IT Asset Creation
ShadowIT also broadens the attack surface, including assets that attackers can leverage to infect customers such as forgotten about or otherwise unaccounted for http live apps. I'm talking about digital assets generated via third-party CMS's/hosted on third-party IaaS platforms and/or acquired via M&A activity.

The unknown digital 'debris' floating around most enterprise digital footprints is a great place to start an attack. Attackers can plot a course back into the network OR find vulnerabilities to embed malware into. In many cases the only way to know about these assets is to detect them via either manual or automated discovery methods.
MikeIMarks
User Rank: Strategist
8/7/2015 | 1:31:52 PM
Identifying Cloud Apps Being Used is Only Step 1
Great point about step 1 being to discover the actual cloud apps being used. In the vast majority of cases, the use of Shadow IT is for appropriate business issues - time to market, innovation, etc. So, if there's a legitimate business need for these apps, then step 2 after discovering them, is to ensure that those apps deliver the expected quality and reliability that the workforce requires. The challenge of course is that the apps run on infrastructure beyond the control of enterprise IT. Monitoring End User Experience from the perspective of the workforce end user's device, is 1 way to both discover the apps and to ensure their reliability as the end user sees it. Many enterprises use this approach to hold their cloud IT vendors accountable to SLAs that are more meaningful to the business than simple infrastructure availability and response times.
nasimson
User Rank: Ninja
8/7/2015 | 10:03:19 AM
bias.
Isn't it a non-surprise? Coming from Cisco, isn't the bias obvious because Cisco has intrinsic interest for organizations to adopt cloud solutions of their own?