Do You Know Where Your Cloud Is? Understanding Shadow IT

The public cloud has greatly increased the flexibility of businesses everywhere. Need another petabyte of storage? You’re but a few mouse clicks or a couple lines of code away from allocating all those disks with effectively no lead time. At the same time, it makes it easy for business units, a functional organization, or a disgruntled vice president with a corporate card to pursue their own cloud strategies. These groups may be frustrated with your IT for various reasons, such as security restrictions or not meeting business needs quickly enough, and they often turn to software as a service (SaaS) solutions, platform as a service (PaaS) offerings, or their own infrastructure as a service (IaaS) solution. The limitations of networking and authentication tend to make IaaS deployments less probable, but they still exist in the wild.

Though shadow IT has always existed—many organizations have informal “applications” only existing in spreadsheets or consumer-grade databases—the pervasiveness and power of modern cloud applications means this risk is larger than ever. It’s important for IT organizations to work to meet the needs of the business while simultaneously keeping their arms around everything deployed to maintain data protection and sovereignty.

Meeting the Business’s Technology Needs

It’s more important than ever for IT organizations to be flexible and work to meet their organizations’ business needs. Your business users aren’t looking for an IT department that says “no” to most requests or gives long, drawn-out project timelines for seemingly easy-to-implement or business-critical projects. It’s easy to get started with any sort of cloud offering—many of them feature initial low or no-cost options and have extremely low barriers to entry. But neither of these outcomes is good for the overall health of the business. You’re potentially putting your data at risk, which can reduce the value of the IT organization.

How does IT evolve to meet these challenges? You need to work directly with your business teams to support these efforts. Nearly all major SaaS offerings—Salesforce, Microsoft Office 365, and Slack, among others—offer enterprise features like single sign-on (SSO) and better auditing and controls. It can be challenging to transition from lower tiers of cloud services to the enterprise tiers of service, which means you want to ensure proper deployments from the start. You may also get locked into less favorable pricing if you have a departmental purchase as opposed to purchasing centrally through your organization.

For infrastructure projects, if your organization doesn’t have or plan to have a private cloud environment allowing for rapid application development, you should be open to using the public cloud. This is especially true for new projects with short timelines, as the flexibility of these platforms allows you to be more agile and meet your business users’ needs.

Monitoring and Identifying Shadow IT

Though your IT organization needs to evolve to meet the needs of your business, it also has to protect the company’s data, ensuring it’s secure and backed up. The biggest risk of your users using cloud services isn’t necessarily the services themselves but the risk of data ending up on the public internet or being inadvertently shared with other organizations. To avoid this, you need to monitor your network traffic patterns and endpoint logs to identify cloud usage. This will be an ongoing and iterative process to profile your normal network traffic and look for outbound cloud traffic (see Figure 1).

Figure 1: Cloud network security architecture
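
One way to do the traffic profiling described above, as an added example that is not from the original article: it parses web proxy log lines, skips destinations on a sanctioned list, and reports the remaining hosts by upload volume and number of users. The log format, the sanctioned list, the threshold, and the `.example` hostnames are constructed assumptions.

```python
from collections import defaultdict

# Assumption: domains IT has sanctioned (enterprise tier, SSO enforced).
SANCTIONED = {"salesforce.com", "office365.com", "slack.com"}

# Constructed sample proxy log: time user dept method host:port bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:12Z alice sales CONNECT login.salesforce.com:443 1820
2024-05-01T09:01:40Z bob finance CONNECT share.filedrop.example:443 48211934
2024-05-01T09:02:05Z carol finance CONNECT share.filedrop.example:443 9120033
2024-05-01T09:03:19Z dave eng CONNECT notslack.com:443 2210
2024-05-01T09:04:51Z erin eng CONNECT files.slack.com:443 73100
malformed line without enough fields
2024-05-01T09:06:02Z bob finance CONNECT SHARE.FILEDROP.EXAMPLE.:443 1004211
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """True only for a sanctioned domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def parse_line(line):
    """Return (user, dept, host, bytes_out), or None if the line is unparseable."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    # Drop the port, then normalise case and any trailing dot.
    host = parts[4].rsplit(":", 1)[0].lower().rstrip(".")
    return parts[1], parts[2], host, int(parts[5])

def profile_unsanctioned(log_text, min_upload_bytes=1_000_000):
    """Aggregate unsanctioned hosts; keep heavy uploads or multi-user use."""
    stats = defaultdict(lambda: {"users": set(), "depts": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec[2]):
            continue
        user, dept, host, sent = rec
        stats[host]["users"].add(user)
        stats[host]["depts"].add(dept)
        stats[host]["bytes_out"] += sent
    findings = [
        {"host": h, "users": sorted(s["users"]), "depts": sorted(s["depts"]),
         "bytes_out": s["bytes_out"]}
        for h, s in stats.items()
        if s["bytes_out"] >= min_upload_bytes or len(s["users"]) > 1
    ]
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)
```

The department field in each finding identifies which business team to approach about the service, and the suffix check keeps a lookalike such as `notslack.com` from being treated as sanctioned.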

When you identify unknown cloud workloads, you should work with your business teams to have a clear understanding of what applications they’re using and why they’re using them. If your users are acting in good faith, this process shouldn’t be punitive—you should take the opportunity to work with the teams using cloud services to bring them into the IT fold, ensure they’re using centralized security, and make sure any personally identifiable or business-sensitive information is managed in accordance with your corporate data standards.

Beyond this, your IT organization should work to lock down your network so it’s harder for users to begin using unsupported cloud services. In many cases, you can work with your cloud vendor to ensure private connectivity to the cloud services you’re using, which means you can further lock down those service endpoints. Having robust centralized network and endpoint monitoring in place can help you understand the cloud usage within your network and identify any potential rogue workloads.

As you can see, shadow IT is a threat to any business. The best way to minimize or even eliminate it altogether is to adopt agile practices, as you’ll be giving your users exactly what they need. When you start adopting agile processes, consider what SolarWinds has to offer. It has a number of solutions capable of helping to fast-track your organization on the way to getting agile. Since every minute counts in the modern era of cloud computing, you don’t have time to waste.

Joey D'Antoni
Joey D'Antoni is a principal consultant at Denny Cherry and Associates Consulting. He is recognized as a VMware vExpert and a Microsoft Data Platform MVP…