By now, most enterprises should have a formal policy in place governing the self-provisioning of IT resources. Those that don’t have private clouds up and running should at least have heard the warnings about unchecked “shadow IT” and recognize the risk it poses to sensitive data.
But the fact remains that shadow IT is named so because it operates outside the realm of established IT policies, so organizations have a difficult time even tracking its influence on data operations, let alone bringing it under established security and governance policies.
According to a recent survey by Oracle, 95 percent of IT executives say shadow IT is a major cause of complexity in the data environment, and more than 60 percent say provisioning by individual business units is now driving the IT spend instead of formalized resource allocation programs. This is causing many organizations to face the same integration challenges that hamper operations in the data center, essentially duplicating the silo-based infrastructure that the cloud was supposed to eliminate in the first place.
The most direct approach to containing shadow IT is to offer users a viable option to provision adequate resources within an approved, scalable ecosystem. As NTT Security’s Garry Sidaway notes, shadow IT doesn’t arise because data users are malicious toward the enterprise but because it provides a convenient and cost-effective way to fulfill job responsibilities. The way around this is to first establish a working cloud environment using public and/or private infrastructure and then treat employees and their data as business partners subject to various levels of access to both data and resources. In this way, IT can focus on risk management and compliance rather than overseeing every system and application that users try to bring into the work environment.
At the same time, some organizations are embracing the “citizen developer” movement, in which virtually anyone who needs resources is empowered to provision them with or without IT’s help as long as data does not stray beyond established guidelines. This is an adjustment for IT, which has always acted as the authority over all things related to infrastructure, but in the end it leads to greater empowerment because the department is seen as a partner in the business process, not an inhibitor. It also leads to a greater understanding among knowledge workers that provisioning, migration, integration and all the other things that make data management so enjoyable do, in fact, take time and expertise, so it usually pays to work with IT rather than circumvent it.
Still, since shadow IT is, well, in the shadows, how can the enterprise determine if these enlightened policies are actually working? Fortunately, a number of tools have hit the channel recently offering the ability to monitor data flows even if the enterprise does not know where they’ve gone. One of the newest is the Data & Device Security platform from Vancouver developer Absolute, which peers into endpoints on the enterprise network to see where they are storing data and leveraging other resources. Built on the company’s Persistence technology, the system detects device folders tied to cloud storage applications and can even identify sensitive data such as health records and other personal information and delete it from third-party resources if necessary.
It’s been pretty much accepted that you can’t fight shadow IT by simply prohibiting it. Even if successful, such a policy would place the enterprise at a distinct disadvantage to those who adopt a more accommodating stance. But that doesn’t mean that data and infrastructure provisioning should become a free-for-all, either.
Through proper policy enforcement and a new approach to managing and monitoring the data environment, there is no reason why IT cannot provide the kind of resource flexibility that satisfies user needs while still maintaining adequate control over all types of data.
Arthur Cole writes about infrastructure for IT Business Edge. Cole has been covering the high-tech media and computing industries for more than 20 years, having served as editor of TV Technology, Video Technology News, Internet News and Multimedia Weekly. His contributions have appeared in Communications Today and Enterprise Networking Planet and as web content for numerous high-tech clients like TwinStrata and Carpathia. Follow Art on Twitter @acole602.