Shift to 'permit and control' shadow IT

IT departments are under increasing pressure to acknowledge shadow IT and go beyond merely sanctioning its use to actively supporting it.

Johannesburg, 22 Aug 2018
Tallen Harmsen

Shadow IT has long been the bane of many IT departments. That's because they are mandated to control the IT environment for a number of reasons, chief among them security.

Imagine a local financial services firm that has users running around with all kinds of servers hidden under their desks, behind filing cabinets, or locked in "meeting rooms". Those machines can hold sensitive customer data, employee records, and other rich, unstructured data that the IT department simply doesn't know about.

Or, more likely these days, people are accessing cloud services freely, for a few bucks a month tagged "stationery" or some such innocuous-sounding term on their monthly expense claims. Few of them read the terms and conditions of those services, and even fewer look into who owns the intellectual property (IP) being run through those services, how it's being used, and who's responsible for its safe upkeep. That, right there, is a giant problem.

This isn't exactly Earth-shattering news. Shadow IT is rampant because businesspeople are trying to get the job done but they're often restricted by IT's legacy way of working. IT has always done what the rest of the business has done: applied the necessary policies and regulations in systematic ways that move vertically through the organisation's hierarchy. It's slow, it's cumbersome, and it's heavily bureaucratic.

And how is IT supposed to keep up, anyway? They've had their budgets slashed, their headcount cut, their world is infinitely more complex than it used to be, and they're simultaneously being told: "Do more, quicker, better!"

Seems like a catch-22.

But IT departments are operating in an entirely different world today. Digitalised, agile enterprises eschew that dated approach in favour of cross-functional teams who collaborate across departments. It's an easy concept to grasp. As consumers we love it. But in our traditional, hierarchy-laden organisations we struggle to implement it.

The thing is, your typical shadow IT services today are cloud-based and they scale quite happily according to need, up or down. They can be switched on, scaled up, scaled down, or switched off altogether in minutes. They embody all the good and wonder of our digital world in the grips of the fourth industrial revolution, and it's hard for traditional, legacy internal IT teams to compete. So why should they?

Internal IT doesn't always have the systems administrators to go around spinning up new services, spinning them down, expanding, shrinking or trying to keep on top of the whole mess. Virtual environments help but only to a point. You still need administrators looking after the whole kit and caboodle. Orchestration also helps but you're still limiting users to what you want to offer them. It's still a "permit or deny" kind of scenario.

By shifting to a "permit and control" environment you change the scenario entirely so that you give users what they always want from IT (usability and availability) while making sure IT gets what it has been mandated to achieve: security.

In the "permit and control" world you let your people use the systems they know will most benefit what they're trying to achieve for the business, but in a controlled way that limits exposure to risk. IT doesn't have to go through all the tedium of finding a suitable solution, vetting its functionality and capabilities, and then rolling it out. All IT has to do is make sure the service is secure and handles the IP properly, while remaining open and flexible.

IT's role adapts as a result: it still makes sure the systems meet policy and regulatory requirements, but in a way that genuinely enables end-users. IT gives them the systems they want without the inhibiting bureaucracy that bogs delivery down to a snail's pace, while maintaining the security it is responsible for. Plus, it alleviates the pressure on IT staff to continuously look after the systems.

Embracing shadow IT and bringing it into the fold is the only way to successfully deliver usability, availability and security. Without it, shadow IT is massively increasing the odds that you offer hackers an open back door. Beyond a shadow of a doubt.

Tallen Harmsen, Head of Cyber Security at IndigoCube

Tallen Harmsen has more than 14 years of experience as a security consultant and 21 years in the IT industry. He has worked in depth in the financial services, insurance, healthcare, pharmaceutical, mining, retail and logistics sectors. In his role as head of IndigoCube's Cyber Security business, he engages progressive business solutions that challenge the emerging and entrenched threat landscapes.