Shadow IT is not a new problem. It’s been around conceptually for as long as IT teams have had rules in place and users have ignored them. In the old days, that may have meant saving a confidential file on a floppy disk or USB drive, but today it refers almost exclusively to the widespread use of cloud-based solutions outside the jurisdiction of IT.
SaaS applications give users a far easier alternative to traditional IT services and there’s not much IT can do about it. IT tries, of course. But for all the talk of preventing shadow IT, it’s still poorly understood and poorly managed. Case in point: CIOs continue to vastly underestimate the number of applications being used in their organizations. According to Symantec, the average enterprise organization was using 928 cloud apps at the end of 2016, up from 841 earlier in the year. CIOs, however, reported that they think their organizations only use 30 to 40 cloud apps. That puts the delta between perception and reality at almost 900 applications.
How is this possible? Because the ways that we’ve been tackling shadow IT don’t work. Let’s look at three common techniques for managing shadow IT and why they’re broken.
1. The all-encompassing firewall. Many organizations’ knee-jerk reaction to the rise of unapproved technology is to lock everything down: put agents on employees’ computers, restrict access to websites, allow only a specific, approved list of services and block the rest.
This approach may succeed in limiting the spread of shadow IT, but it limits all the good stuff, too. Blocking sites and services prevents your people from working with each other and with your prospects, customers, partners and any other organizations in your ecosystem. It also tends to push the work onto personal phones and home networks, where IT has no visibility at all, so the risk doesn’t disappear; it just leaves your logs. The approach assumes that the risk of using SaaS applications outweighs the benefits, and in today’s world, that simply isn’t true. From Dropbox to Google Docs and DocuSign, business these days gets done via cloud applications. Without the ability to participate in that collaboration, your people and your organization will fall behind.
2. Single sign-on. Other organizations acknowledge that SaaS is a necessary evil but still want to exert some control over how applications are accessed. Enter single sign-on (SSO). You federate your SaaS apps to your directory, typically Active Directory fronted by an identity provider speaking SAML or OpenID Connect, so that authentication runs against a single source of truth in your data center, under your control. This forces wannabe-rogue employees to bring their cloud apps to IT for inclusion in the program, theoretically setting up a best-of-both-worlds situation.
This technique works, until it doesn’t. Single sign-on is an effective way to govern authentication to a SaaS vendor, but it can’t overcome key limitations on both the people and the technology side. For starters, the scale of the SaaS world is just too big. There are tens of thousands of SaaS companies, and even the top single sign-on providers can’t connect to all of them. At best, your SSO system may support 60% of SaaS vendors; the remaining 40% is a tremendous liability. And even for a federated app, SSO only governs the accounts that go through it: unless the vendor lets you enforce SSO-only login, users can still sign up with an email address and a local password and never touch your identity provider.
There are psychological factors at play here, too. The SSO providers sell their solutions as a panacea for shadow IT. IT teams choose to believe that their infrastructure is secure and managed. This false sense of security results in resources being diverted from that other, still very risky, 40% of unsupported apps.
Users’ mindsets can sabotage SSO efforts as well. The entire proposition depends on your employees jumping through hoops: bringing a tool to IT, filling out forms and waiting for days or weeks to use a tool that they could quite literally get up and running in minutes on their own. So, someone in marketing decides he needs a tool today, puts it on his credit card, calls it “travel and entertainment,” intends to tell IT about it at some time in the future, but of course never does.
3. Cloud access security brokers. The third and most complex option that organizations use to combat shadow IT is a cloud access security broker, or CASB. In the proxy-style deployment, a company points the CASB at a major SaaS app, say Salesforce. They ask Salesforce to restrict logins to a single IP address belonging to their data center, then override DNS on the corporate network so that any request for salesforce.com is redirected through the broker. The broker terminates and re-encrypts the TLS traffic, inspects it as it passes the firewall, and gives IT deep visibility into any nefarious activity. The vendor-side IP restriction is what makes the scheme hold: a device that bypasses the corporate DNS still can’t log in from anywhere but the proxy. (API-mode CASBs avoid the redirect by reading the vendor’s audit and data APIs instead, but only for vendors that expose suitable APIs.)
Like SSO, CASBs work, but they are also an incredible amount of work to implement. Most organizations don’t have the time, money or inclination to go to such lengths. CASBs also struggle with the same challenges as SSO solutions, and people will still be people. If they find a product that does the job and is reasonably priced, they will continue to use it and not tell IT, no matter how many protocols you put in place.
If these approaches don’t work, what does? If you can’t beat ‘em, join ‘em. IT needs to shift its mindset from control to enablement, recognizing that while SaaS applications do introduce risk to the enterprise, they bring an exceptional amount of value as well. A workforce that can quickly and easily access the tools it needs to innovate, collaborate and perform is a very powerful thing. Shadow IT, like it or not, plays a significant role in making that happen.
That doesn’t mean we should throw up our hands and leave application security and management to the wolves. Instead, IT must take ownership of the dark (SaaS) side. Discover exactly which applications are out there, who is using them and how many there are; the evidence already exists in expense reports, proxy and DNS logs, and the OAuth grants and sign-in records held by your identity provider and mail suite. Learn why and how the business is using these applications and help them do so more effectively instead of standing in their way. Once you know what you have, start managing it like any other IT asset, with metrics, dashboards and a reasonable risk-benefit balance.
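As an added worked example (not code from the original article or from Meta SaaS), the script below does the discovery step just described and at the same time measures the SSO coverage gap from section 2: it parses outbound proxy log lines, maps each host to a SaaS product, aggregates users and requests per product, and reports which observed apps are federated to the identity provider and which are not. The log format, the domain-to-app catalog and the list of federated apps are all constructed for illustration; in practice you would feed it your proxy export, a CASB or discovery vendor’s catalog, and an app list pulled from your IdP.

```python
"""Shadow-SaaS inventory from proxy logs plus an SSO catalog (hypothetical example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: "<ts> <user> <src_ip> <method> <host[:port]> <status>", one request per line.
PROXY_LOG = """\
2017-03-02T10:14:03Z alice 10.1.4.22 CONNECT login.salesforce.com:443 200
2017-03-02T10:14:09Z alice 10.1.4.22 CONNECT na1.salesforce.com:443 200
2017-03-02T10:20:41Z bob 10.1.4.31 CONNECT app.hubspot.com:443 200
2017-03-02T10:22:05Z carol 10.1.5.12 CONNECT api.trello.com:443 200
2017-03-02T10:22:07Z carol 10.1.5.12 CONNECT trello.com:443 200
2017-03-02T10:31:55Z dave 10.1.5.40 CONNECT app.hubspot.com:443 200
2017-03-02T10:40:12Z alice 10.1.4.22 CONNECT www.dropbox.com:443 200
2017-03-02T10:41:00Z erin 10.1.6.3 CONNECT app.box.com:443 200
2017-03-02T10:45:30Z bob 10.1.4.31 CONNECT us.wetransfer-lookalike.example:443 200
2017-03-02T10:46:00Z mallory 10.1.6.9 CONNECT www.google.com:443 200
this line is garbage and must be skipped
"""

# Constructed catalog: registrable domain -> SaaS product (a discovery vendor would supply thousands).
APP_CATALOG = {
    "salesforce.com": "Salesforce",
    "hubspot.com": "HubSpot",
    "trello.com": "Trello",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
}

# Constructed: apps federated to the IdP, i.e. what the SSO dashboard says IT "manages".
SSO_FEDERATED = {"Salesforce", "Box"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::\d+)? (?P<status>\d{3})$"
)


def parse_proxy_line(line):
    """Return the parsed fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_host(host):
    """Map a hostname to a catalog app by walking up its labels: na1.salesforce.com -> salesforce.com.

    Returns None for hosts not in the catalog. Assumption: a real catalog needs public-suffix
    handling (example.co.uk); this label walk is enough for the constructed data.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return None


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    federated: bool = False


def build_inventory(log_text, federated_apps=SSO_FEDERATED):
    """Aggregate per-app users and requests; flag whether each app sits behind SSO.

    Returns (inventory, unclassified_hosts, malformed_line_count) so the analyst also sees
    how much traffic the catalog could not name and how much of the log was unparsable.
    """
    inventory = defaultdict(AppUsage)
    unclassified_hosts = set()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            skipped += 1
            continue
        app = classify_host(rec["host"])
        if app is None:
            unclassified_hosts.add(rec["host"])
            continue
        usage = inventory[app]
        usage.users.add(rec["user"])
        usage.requests += 1
        usage.federated = app in federated_apps
    return dict(inventory), unclassified_hosts, skipped


def coverage_report(inventory):
    """The numbers a CIO should see: how much of the observed SaaS use sits outside SSO."""
    apps = len(inventory)
    federated = sum(1 for u in inventory.values() if u.federated)
    unfederated = {app: sorted(u.users) for app, u in inventory.items() if not u.federated}
    all_users = set().union(*(u.users for u in inventory.values())) if inventory else set()
    shadow_users = set().union(*(set(v) for v in unfederated.values())) if unfederated else set()
    return {
        "apps_observed": apps,
        "apps_federated": federated,
        "sso_app_coverage": federated / apps if apps else 0.0,
        "unfederated_apps": unfederated,
        "users_touching_unfederated_apps": sorted(shadow_users),
        "share_of_users_in_shadow": len(shadow_users) / len(all_users) if all_users else 0.0,
    }


if __name__ == "__main__":
    inv, unknown, skipped = build_inventory(PROXY_LOG)
    report = coverage_report(inv)
    for app, u in sorted(inv.items()):
        print(f"{app:<11} users={len(u.users)} requests={u.requests} sso={'yes' if u.federated else 'NO'}")
    print(f"SSO covers {report['apps_federated']}/{report['apps_observed']} observed apps; "
          f"{report['share_of_users_in_shadow']:.0%} of users touch an unfederated app")
    print("unclassified hosts to triage:", sorted(unknown), "| malformed lines:", skipped)
```

On the constructed data the SSO dashboard would claim two managed apps, while the proxy shows five in use and four of five users touching something unfederated; the unclassified hosts are the queue for catalog work, and the malformed-line count tells you whether the export format drifted. Swapping the proxy log for DNS query logs or expense line items changes only the parser and the classifier; the aggregation and the coverage metrics stay the same.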
SaaS applications and your employees’ propensity to use them aren’t going away. Instead of slamming doors or burying its head in the sand, IT should focus on bringing shadow IT into the light.
Arlo Gilbert is the CEO and co-founder of Meta SaaS, an enterprise SaaS optimization and management platform. He is a serial entrepreneur who has raised capital and exited, bootstrapped a marketing and payments platform to $50 million in annual revenue, and built cloud-based companies. Follow him on Twitter @arlogilbert.