Cloud computing and the dangers of shadow IT

Business users who engage cloud providers without the proper vetting that would normally come from IT pose a serious risk.

Of the many well-known promises of cloud computing, such as lower costs, faster time-to-delivery, and improved reliability, perhaps one of the most dangerous promises that cloud providers on all parts of the stack (infrastructure, platform and software) are making, is to make business users effectively independent from the IT department. This promise, while a key selling point for some, is in fact a huge threat not only to companies, but to cloud computing as a whole.

In trying to make business users more independent from the IT department, cloud providers have been slowly creating a shadow IT ecosystem that, instead of having its own processes, often has no process at all. It consists of haphazardly assembled sets of solutions that create significant risks for companies, often without the companies knowing about them.

Shadow IT arises from two main features of cloud solutions, especially cloud-based software: the external hosting of solutions and the pay-as-you-go business model. These, in turn, create two separate sets of risks for corporations. The former creates risks associated with IT (data security and privacy, systems reliability, disaster recovery), while the latter creates risks on the financial side of things. Over the next couple of posts, we will explore these two sides of shadow IT in more detail, and how companies can deal with them effectively.

The hidden dangers of shadow IT

When software is hosted outside the corporate network, users will traditionally access it through their browsers. Where conventional software needs to be installed on users’ machines, cloud-based software can simply and immediately be accessed and used from whatever computer or device the user is currently in front of. This means incredible convenience for end users, but can also be an IT nightmare. Since software no longer needs to be installed and, in many cases, doesn’t even require IT to enable any sort of security feature on end-user machines, users can simply sign up for whatever they want and start using it without involving IT in their decision-making process.

While this may seem great (users can start operating the software much faster), there are several pitfalls that come from not bringing IT into the loop. Business users are rarely concerned with long-term IT sustainability, and are usually more worried about solving their immediate problems. This means that they might skip much of the due diligence that would normally fall to the IT department, and forget to think about things such as security and proper service level agreements when looking at cloud providers.

Business users are also rarely concerned with creating a long-term IT strategy. This means that they might select solutions that are incompatible with each other to perform different tasks or, even worse, a company might end up with several different solutions that solve the exact same problem: different departments can sign up for different cloud-based BI solutions that simply don’t talk to each other, creating data silos that are much harder to break down than anything that could be created in-house.

Business or technology

While it can be easy to place the blame on either side of the fence, the fact is that both IT and business have their share of responsibility in this matter. Over the course of the years, IT departments have developed structures and processes in order to be able to manage entire corporate technological infrastructures. As is natural with any large structure, these departments have gradually become more rigid and slower to respond to the immediate needs of the business users. This is not because IT is unwilling to do so, but rather because it needs to follow processes that have been established to ensure the long-term survival of the company.  

Business users, at the same time, often forget to look at even the most basic aspects of the cloud providers they are considering. Since they feel abandoned by their IT departments, they look to external providers to fulfill their needs and, since they don’t have the competencies of IT, they often forget to ask their providers important questions, leading to problems in the future.

Perhaps the most important and neglected aspect of this issue is communication. The lack of open communication between IT and business users has created a situation where business users often actively seek to keep IT out of the decision process. In many companies, IT will hear the words “cloud computing” and simply ignore everything that comes after it. This leads the users to keep IT away from future discussions, which doesn’t help anyone. At the same time, clear and level-headed communication to users about the potential risks of cloud solutions can help them make better, informed decisions (even if they do decide to keep IT out of the loop).

While communication doesn’t solve everything, it can go a long way to defuse these risks. In my next post, we’ll talk about the other side of this issue, the financial risks related to shadow IT, which can’t be handled simply with a conversation.


About

After working for a database company for 8 years, Thoran Rodrigues took the opportunity to open a cloud services company. For two years his company has been providing services for several of the largest e-commerce companies in Brazil, and over this t...

1 comments
ManoaHI

Security issues aside, "shadow IT" has been around for decades. It is not only regarding cloud-based systems. It actually went all the way back to Lotus 1-2-3 and later Excel and Access. Macros created by a user instead of a system designed by the user and IT and programmed by IT, the user picks up a "------ for Dummies" or some other manual and has a go at it himself/herself. Sometimes successful and sometimes not so. We had a solid policy, backed by CEO, CFO, COO and CIO, that anything created by any user without IT input would never be supported in any fashion. Some of the "successes" would cause problems later, whereby the user that creates it then later leaves the firm. The remaining or new users come on board and start using it. Eventually, government regulations or just falling behind, it starts to fail or no longer meets regulations. That is the real problem, users are quite happy to not involve IT, so they create it themselves and want IT to "fix-it" and they wanted it done ASAP. A few Access "systems" took us by surprise. The users get really mad when we show them the policy and find out the creator has left the firm a few years back. This is to me, the biggest risk for any firm.