News Column

Shining a light on Shadow IT

August 26, 2014 Staff

While IT always has to contend with an ever-changing landscape driven by shifts in technology, the sector has not really had to deal with the situation that has emerged over the past few years, where IT decisions are made without the IT department even knowing about them.

With cloud computing, particularly software-as-a-service, end users are able to plug in to services with little more than a browser, an internet connection, and a company credit card to pay subscription fees, if the service isn't free. Departments, business units and individuals are happily signing up for cloud services and tossing company data into the cloud, without any thought for security, governance or whether data can be safely retrieved from service providers.

In the hardware space, while data has potentially been 'mobile' since the floppy disk, previous generations of mobile workers tended to be equipped with company-issued laptops or perhaps BlackBerrys, which IT, in theory, configured for proper security for the limited amount of data that might be carried on them. With the rise and rise of smart mobile devices, however, with huge amounts of storage space and, increasingly, a pipeline directly into mobile-enabled corporate applications, the risks from hardware have grown massively. The proliferation of mobile devices and the desire of the workforce to BYOD has increasingly meant IT organisations having to give access to devices over which they have no control.

Tackling the problem of hardware and software outside of IT's control, so-called 'shadow IT', has become a difficult task for the IT department, as organisations seek to retain control over data and access, at the same time as gaining the benefits of allowing workers to use the tools they want, and the benefits of the cloud model. So how big a problem is shadow IT in the region, and how should organisations best manage it?

How widespread is Shadow IT?

Megha Kumar, Research Manager, Software, IDC Middle East, Turkey & Africa: Shadow IT is prevalent in the sense that users see programs such as Dropbox or other cloud-based data sharing systems as being efficient and helping with their productivity. Most departments end up using these systems without IT approval only because users do not realise that this violates IT/data sharing policies.

Simon Mingay, Research Vice President, Gartner: Every organisation has some level of shadow IT, and in the vast majority it is growing at a significant pace. There's a range of drivers behind the growth, but most are beyond the control of the IT organisation itself. So the increasingly rich, easily accessible, 'instant' availability of relatively cheap Software-as-a-Service and cloud services being a very significant one. But also the changing demographic in the workplace and the changing nature of work itself, all being key contributors.

In the Middle East, is there any typical pattern to shadow IT: is it single users, or is it departments procuring their own apps or devices?

Mingay: All of the above. But what's evolving is increasing use of more sophisticated solutions. And this is where it starts to clash with the traditional role of the IT organisation.

Kumar: With regard to departments actually implementing systems that do not have buy-in from IT, this is a bit more rare in the Middle East, but holding companies do provide independent budgets to their subs to implement what is more suitable for their operations. Even this is changing as companies choose to consolidate and streamline to control costs.

Are you aware of your end users using Shadow IT?

Ajay Rathi, Head of IT, Meraas Holding LLC: With millions of apps available on apps store and Google Play, IT has become the playground for end users. The end users are becoming smarter by the day and they want easy-to-use consumer apps for the enterprise. They would like to work with Dropbox, rather than the restrictive corporate FTP. Corporate laptops are bulky and slow; users want to bring their own lightweight laptops or tablets to connect to corporate resources. To connect their personal tabs and phones, they sometimes plug in a wireless device in the network.

Jawed Akhtar, Chief Information Officer, Ebrahim Khalil Kanoo Co: Yes, we are aware of this. Users if not monitored usually install free applications from the internet or CDs and use them. They may use this for business or sometimes just as fun, to learn and explore.

Samir Khan, Regional IS Manager, Information Technology, African + Eastern: There is a presence of shadow IT, though in a small scale. It's existing because of several reasons: the advent of cloud systems; increased understanding of systems on the part of functional managers; increased go-to-market pressure requiring more than the usual turnaround from IT as well as increasingly complex requirements that under-resourced IT staff can't service; and no clear, long term IT strategy which is shared with all concerned.

Does your organisation have any policies to govern or forbid shadow IT?

Arun Tewary, VP (IT) & CIO, Emirates Flight Catering: No, we have not put any policy in place. However, all IT-related projects are routed through my office and shall move further only after my endorsement. This way 'shadow' is not allowed to grow without my knowledge.

Rathi: There are policies, which are signed by every employee when he joins the company. With business requirements as an excuse, there are many exceptions to the policy approved by management. Over a period of time the exceptions keep on increasing, making the policy ineffective.

Thameem Rizvon, Group IT Director, Kamal Osman Jamoom: Our policy is aimed to standardise IT across the organisation, which will help reduce support costs and improve stability of applications. We have a policy for hardware that gives a standard unit for desktop or laptops. This has been in place for many years, of course tested many times, with users raising requests to change, but successfully retained, as we have identified a standard set of devices which are best in their class. We review this periodically, so we always have the appropriate hardware provisioned for users to fulfil their business needs.

For software we restrict users from being able to install on their own except for travelling users. Whenever we notice unauthorised software, we work with the respective business head to understand the requirement and either uninstall or approve new applications if required.

Lijeesh Rajan, Director of Centralized IT Services, Dubai & Northern Emirates, Rotana Hotel Management Corporation: There is no particular policy stating 'shadow IT' as a term, however, unauthorised solutions are something which we emphasize in policies. However, there are [unauthorised] workaround solutions that become productivity tools in operational departments, which tend to overlay the policies. Once the personnel who promoted them move on, [management of] it falls back to the IT department, to improve it or challenge its use. In most of the cases, these solutions are not as productive as they are presumed to be.

Do you have any regular activities to detect unauthorised applications in your environment?

Akhtar: We do control and monitor this regularly. We do not allow any user to install any freeware or unlicensed software. In fact users' PCs have admin access removed so that they do not install any unwarranted software. On some authorised software we only provide access to selected users, with the strict control not to create any applications to use for business. Of late we observed that some IT savvy staff were developing applications and trying to use them for business.

Rizvon: We use Microsoft System Center Configuration Manager to check for any unauthorised apps and we also check whenever the devices come in for service.

What sort of policies should organisations have to manage the issue?

Kumar: Security policies will cover non-compliant device and application usage. Data sharing policies need to cover the usage of cloud services and the data that can be shared on the cloud. Without proper control, shadow IT can be a nuisance for both IT management and enterprise security. Education and training levels on data sharing and more controls around data sharing and application downloads need to be implemented.

Mingay: Clear policies around security, privacy, compliance, vendor engagement. But also supporting services to help users understand and deal with these appropriately. Guidance on which areas are appropriate for end user development/solution acquisition, and which areas are the domain for enterprise IT, and controls to identify when a solution is sliding from one domain into another.

How should organisations best tackle shadow IT?

Mingay: IT organisations must engage! It is no longer practical to take the moral high ground and wag fingers at people, and then when things go wrong take the view 'we told you so'. The idea that the CIO can be responsible for all things IT in the enterprise has passed, and now there will be many channels of delivery. As such the IT organisation will be responsible for enterprise IT, and needs to engage in actively shepherding and guiding 'shadow IT' firstly to bring it out of the shadows into the open and secondly to ensure it is used appropriately to create value. This means adapting the services the IT organisation provides to support 'shadow IT'.

Kumar: Frequent audits are needed. Also if a cloud service such as Dropbox seems critical for a department, [IT should] upgrade it for an enterprise level option that provides better monitoring and complies with the security policies of the company.

How can you best manage shadow IT?

Rizvon: It is best to work with the management team on why it is important to have a standard policy against shadow IT. In the last few years, our IT staff size has either remained the same or reduced every year and our budgets are almost flat. This has been possible by following a Standard IT policy for hardware and software.

Tewary: By keeping a 'safe' distance between enterprise systems and such shadow systems. The maintenance and upkeep of the shadow systems is done through the vendor who delivered it and by the business segment who went for it. We do not allow any direct data interface/data transfer and data updates between enterprise applications and shadow systems. Based on needs, we shall keep such shadow systems on separate VLANs.

Rajan: We work towards having co-ordination between management divisions whether it is sales, marketing or finance to understand the solutions and their tools in action. This allows us to understand well how to maintain their solutions and also to look for and deliver the right solutions that meet their needs.

Rathi: The best way to manage shadow IT is to listen to the user. His requirements are genuine and in most of the cases, they are ready to use an alternative secure application. We need to explain to them the security issues and the impact it would have on the enterprise. Simply saying 'no' makes them hate IT. Use technology to identify the offender, talk to them, provide an amnesty for breaking the policy and get them on your side. Believe me, the end users simply want to get their work done with ease.

Khan: In our organisation we deal with this by building and sharing IT strategy with the CEO and functional heads; and building capability in the IT team to understand business needs in every area. We have also established information risk management, so that the risk of shadow IT is clearly understood. We give special attention to vulnerable areas like digital media, websites, social media - the typical areas where shadow IT initiates.

Sometimes we play hardball in preventing the proliferation of IT, if it touches the overall IT strategy; while sometimes we allow relatively innocuous initiatives to go by to win friends. IT departments need to take cognizance of this trend, and change their strategy to leverage this; this trend is here to stay.

Source: (United Arab Emirates)