Shadow IT: Honey Badger Better Care - InformationWeek

Lori MacVittie

Use of Dropbox and other consumer services is exploding in enterprises, yet companies turn a blind eye to the security risks. This sends the wrong message to cloud service providers.

Late last week, popular SaaS storage provider Dropbox admitted to a web vulnerability that put the confidentiality of data at risk. Its response was to shut off link-sharing functionality to prevent abuse -- a decision that was not, if comments on its blog post about the decision are representative, well-received. Not only did this vulnerability put users at risk, its remediation apparently disrupted workflows across enterprises and thus negatively affected a key business performance indicator: productivity.

According to Skyhigh Networks' Cloud Adoption Risk Report for the second quarter of 2014, Dropbox remains the No. 1 file-sharing service in use across more than 250 companies, spanning the financial services, healthcare, high tech, manufacturing, media, and services industries. Unfortunately, there's only one "enterprise-ready" cloud service as defined by Skyhigh Networks in the Top 10 file-sharing services list, and it ain't Dropbox. That honor belongs to Box, which comes in at No. 4 on the list.

It's nearly a sure bet that you have users -- or entire departments -- blithely saving business data to Dropbox or some other file-sharing service. Unless you have complete control over every user's desktop (VDI vendors are right now salivating over this use case), it's highly unlikely that "shadow IT" passed you by.

Most CIOs readily acknowledge that, yes, unauthorized cloud services are in use within the corporate demesne. Most also underestimate just how pervasive they are, says Tal Klein, VP of strategy for Adallom, another player in this relatively new cloud service security market. "Executives usually estimate something like 30 cloud services, and we usually find around 300," says Klein. "We've yet to see a company with more than 1,000 employees that had less than 200 'shadow IT' apps."

That's a precarious situation that should have the business concerned. Yet it's often business leaders themselves giving at least tacit approval, which dampens any kind of urgency that might be felt by those well aware of the risks. 

And there's very little impetus for providers of these services to get enterprise ready. Of the 3,571 services assessed by Skyhigh, only 7% met the criteria to be considered "enterprise ready."

The 2014 Strategic Security Survey shows infosec pros are plenty worried about cloud services.

Surprised? Don't be. If the users "paying" the bills -- whether via expense account or serving up your data for mining -- don't care, why should the provider?

CIOs need to confront this issue now. Yes, shadow IT has gone on for years. But Skyhigh claims the average number of services in use by organizations has increased in the last quarter by 21%. The longer you turn a blind eye, the harder it's going to get.

Although IT is simply not going to shut down shadow IT at this point, you might still be able to put into place the minimum governance necessary to ensure that services are not incurring unnecessary risk.

The first step is discovery -- get a handle on just what services are in use and by whom. Find out by using logs or by simply talking to business units in a non-confrontational way. Then do some research to see which meet your definition of enterprise-ready and which do not. For the latter group, steer users toward services that are, in the opinion of IT, ready for use in their enterprises given all the various business, industry, and legal requirements. It might mean putting in place the controls required to shut down unauthorized services and offering a grace period for users to migrate to a more acceptable cloud service. Consider creating or augmenting an existing enterprise app store that includes links to vetted cloud services -- those that make your "enterprise ready" grade -- so users can easily access acceptable options. 
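One way to carry out the log-based discovery step described above, shown as an added example that is not part of the original article: it inventories which file-sharing services appear in web proxy logs, who uses them, and which ones fall outside IT's vetted list. The log format, the catalogue, the "vetted" flags, and all function names are assumptions made for illustration.

```python
import re

# Constructed catalogue: registered domain -> (service, vetted by IT?).
# The vetted flags are assumptions; each organization applies its own criteria.
CATALOGUE = {
    "dropbox.com": ("Dropbox", False),
    "box.com": ("Box", True),
    "example-share.test": ("ExampleShare", False),
}

# Constructed proxy log: timestamp user method host:port bytes_sent
SAMPLE_LOG = """\
2014-05-12T09:01:11Z alice CONNECT www.dropbox.com:443 1843200
2014-05-12T09:03:40Z bob CONNECT dl.dropbox.com:443 52000
2014-05-12T09:05:02Z alice CONNECT app.box.com:443 7100
2014-05-12T09:07:19Z carol CONNECT files.example-share.test:443 990000
2014-05-12T09:09:55Z bob CONNECT intranet.corp.test:443 300
malformed line
"""
LINE = re.compile(r"^\S+ (\S+) \S+ ([^\s:]+)(?::\d+)? (\d+)$")

def match_service(host):
    """Match whole DNS labels, so www.dropbox.com is never counted as box.com."""
    labels = host.lower().rstrip(".").split(".")
    hits = (CATALOGUE.get(".".join(labels[i:])) for i in range(len(labels)))
    return next((h for h in hits if h), None)

def inventory(log_text):
    """Return (services, unknown_hosts); services maps name -> vetted/users/bytes."""
    services, unknown = {}, set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        user, host, sent = m.groups()
        entry = match_service(host)
        if entry is None:
            unknown.add(host.lower())  # uncatalogued: needs manual research
            continue
        rec = services.setdefault(entry[0], {"vetted": entry[1], "users": set(), "bytes": 0})
        rec["users"].add(user)
        rec["bytes"] += int(sent)
    return services, unknown

def migration_list(services):
    """Unvetted services, most users first: candidates for a migration grace period."""
    rows = [(n, sorted(r["users"]), r["bytes"]) for n, r in services.items() if not r["vetted"]]
    return sorted(rows, key=lambda row: (-len(row[1]), row[0]))
```

The set of unknown hosts is the input to the "do some research" step: destinations the catalogue does not yet classify.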

No matter how you approach the problem, approach it. Approach it now. Because cloud service adoption is continuing to accelerate, and the Dropbox vulnerability is not going to be the last security issue we're going to see.

Lori MacVittie is the principal technical evangelist for cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture ...

Lorna Garey,
User Rank: Author
5/14/2014 | 11:31:58 AM
Re: Embrace the beast!
Encryption is one of those techs that everyone agrees is smart, but then they have some excuse why they can't use it consistently. Key management is hard! It will add latency/confuse users/cost too much! It didn't take off when IT was in control. Not holding my breath for it to be widely adopted now.
User Rank: Author
5/14/2014 | 10:12:59 AM
Re: Embrace the beast!
As CIOs at our recent InformationWeek Conference discussed, you can get a grip on Dropbox use by offering preferred alternatives. Onyeka Nchege, CIO of Coca-Cola Bottling, described how he holds up a caution sign, rather than a stop sign, for business users, on matters of BYOD and shadow IT. Then you present the alternatives.