Shadow IT is a Red Herring

Fear of Shadow IT can be allayed by grokking Dave McCrory's data gravity theory: data is drawn to utility, so the majority of enterprise data in the cloud will end up in the cloud services that provide the most utility.
The SaaS applications that provide the greatest utility are not rogue cloud services. They are the services that let the workforce be productive as an organization: Salesforce, SuccessFactors, Workday, ServiceNow, Concur, NetSuite, Office 365, Box (yes, Dropbox too), and Google Apps. These are sanctioned services, even if they begin their life in the enterprise as rogue. Once enough employees adopt them, they become sanctioned, either by the business unit or by the company as a whole.
And that is precisely what we at Adallom are seeing among our customers. I can't cite our data as empirical, because our customers largely represent early adopters (we only came out of stealth in November), but when we account for a customer's complete cloud data portfolio, we consistently find that Shadow IT represents only two to nine percent of their enterprise data in the cloud.
Defining Shadow IT
Fear stems from what we don't know. Shadow IT is a provocative topic because anything "in the shadows" evokes danger, doom and peril. That makes for a shaky organizational risk posture, one that is always fearful of what might happen.
The concept of Shadow IT breeds fear and distrust. Sure, there are crooks out there, but most people are just trying to get their work done. I have my own theories about how to approach this issue: look at what we can see, rather than what we can't. So, if we remove our blinders, what do we see? Usually SaaS technologies that lots of people use to do their everyday work. Look around. IT should invest its energy in the services people actually use.
My thoughts on this topic started from a simple conversation with Forrester analyst Andras Cser late last year. I asked him, what was Forrester’s position on Shadow IT? And he answered, “Well, it depends on what you mean by ‘Shadow IT’…”
What followed was a fascinating discussion which ultimately led to a Forrester report about what really causes people to circumvent IT. And it's pretty simple: people will go around IT for SaaS tools that really work for them. And really, millions of people rely on these SaaS technologies. The result is a virtuous circle that is not shadowy at all; it's good business in broad daylight. Individual lines of business learn of new apps that boost productivity, better serve their customers, enable mobility, and are available as-a-service. As the cycle continues, more people circumvent formal IT provisioning processes that they view as ineffective or slow, and sidestep IT security controls as an unintended side effect.
Andras labels this type of Shadow IT "Departmentalization," in contrast to "Consumerization." The distinction matters: "Consumerized Shadow IT" is a single "rogue" user interacting with unsanctioned cloud applications, while "Departmentalized Shadow IT" is essentially no different from sanctioned SaaS applications, which are now a prominent piece of IT portfolios across industries.
In fact, an IDC survey published last year found that more than 60% of enterprise technology projects are funded by business units rather than IT. The status quo has pivoted so profoundly that "Departmentalized" SaaS services have a better case for being called sanctioned than legacy, IT-provisioned, on-prem enterprise apps.
If we can accept that business-unit-provisioned and IT-provisioned cloud services fall into the same "sanctioned" bucket, then it is finally possible to have a real conversation about the menace of Shadow IT. By that I mean the risk associated with Shadow IT: data exfiltration. We are worried that we don't know what kind of enterprise data is flowing through unsanctioned cloud services, and that is the FUD that drives the "Shadow IT Discovery" buying behavior. We are concerned about the plethora of unsanctioned cloud services that could, ostensibly, interact with enterprise data of unknown sensitivity.
About a month ago, Lori MacVittie was doing research for an InformationWeek article she was writing on the subject of Shadow IT. Lori asked me how many of these unsanctioned Shadow IT services we at Adallom see when people run our free ShadowScan utility. My answer, later quoted in her article, was "never less than 200." Amplified by other quotes in the article citing bombastic numbers upwards of 3,000 rogue applications, I understand how it would seem we are simply worsening the symptoms of cloudphobia. But the thing the article didn't capture is that I shrugged when I gave my answer. What I should have said was, "Never less than 20 – but it's not a big deal. Statistically, more apps don't equal more risk."
The Shadow IT conversation focuses on quashing fears that are largely unknown: perhaps quantified, but certainly not qualified. Mapping security practices to that fear makes for an exercise in absurdity.
The real emphasis should be on the services we know people are using. Extending IT purview and controls to those services makes it possible to manage the critical mass of enterprise data flowing in and out of these SaaS environments. That is an approach that actually makes sense, removes the fear factor, and far better represents the people and the trust so critical to a successful business.
Tal Klein is vice president of marketing at Adallom, a founding sponsor of The New Stack.