This practice can represent significant security and compliance risks, as employees may use services that are not aligned with the organization’s security policy, may not be properly configured, or put data beyond the geographical region a compliance framework demands, potentially putting sensitive company data at risk. These challenges are compounded in a multi-cloud connected world with organizations consuming services from more than one provider.
Employees engaged in shadow cloud IT most often cite speed and convenience as justifications to bypass IT, making it easier to do their jobs. While it may appear more efficient to an end user to adopt a do-it-yourself approach to technology, it may also lead to a lack of organizational visibility and control over the data and applications being used, which can create security, compliance, and data governance issues.
It is important for organizations to have clear policies and procedures in place for the use of cloud services, to educate employees about the risks associated with shadow cloud IT, and to take appropriate steps to prevent cloud services from being consumed without appropriate oversight.
Shadow IT challenges in the cloud
Having employees adopting cloud services without the oversight or approval of IT can introduce several challenges to the organization, including:
Security Risks: Unauthorized cloud services may not have proper security measures in place, may be improperly configured, may not meet policy, and are likely to lack adequate controls, resulting in company systems, services, and data becoming vulnerable to cyber threats.
Compliance Concerns: The use of cloud services without approval may violate industry regulations and standards, state law, or compliance frameworks, leading to legal, financial, and reputational consequences.
Data Governance: Without proper oversight, shadow IT can result in a lack of awareness of data location, as well as limited visibility of who has access to company data. This makes it difficult to maintain control and enforce policies, as well as undermining security.
Wasted Effort: Shadow IT can result in multiple employees using different cloud services to perform the same tasks, leading to an inefficient use of resources.
Integration Issues: The proliferation of cloud services can lead to compatibility problems, making it difficult to integrate data and workflows across the organization, as well as creating confused environments.
Lack of Support: IT departments cannot support cloud services that they are not aware of, leading to potential productivity losses for employees using them.
Cost: In the pay as you go cloud service model, commissioning cloud services attracts cost, and those costs would be passed to the organization.
How to manage the risk of shadow IT in the cloud
Managing the risks associated with shadow IT in the cloud calls for policies and procedures to discourage the behaviors, as well as mechanisms to check for unauthorized cloud service adoption, and technical controls to return to an established baseline.
Successful management of shadow IT should consider these areas:
Policy: Define clear policies around the use of cloud services, and make sure that employees understand the expectations and consequences of using unauthorized services.
Employee Education: Inform employees of the risks and consequences of adopting cloud services without the support and approval of the IT teams, and the importance of using only approved cloud services. Repeat the training message regularly, and ensure it aligns with policy.
Enablement Technology: Employees who can access the systems and services they need, and have a mechanism to request new systems and services they feel would make their jobs easier, will reduce the likelihood of shadow IT.
Monitoring: Monitor cloud service usage to detect possible instances of shadow IT, enabling any unauthorized cloud services to be blocked or removed.
Regular Assessments: Make security assessment business as usual and regularly review the security and compliance of cloud services, taking corrective action to address any risks that may emerge.
Cloud service adoption: Under the shared responsibility model, it is the responsibility of the customer to ensure the services consumed meet security and compliance requirements.
Establish Controls: Set up policies and blueprints within cloud services that only permit the deployment of approved cloud services in approved locations, by authorized people, supported by robust governance that protects the organization.
Failure in these areas can result in unauthorized staff commissioning unapproved services without the knowledge of the organization, integrating them with broader cloud infrastructure and exposing cloud environments to unknown risk, before sending the organization the bill.
Best Practices for Managing Shadow IT
Addressing the challenges that shadow IT represents, particularly in terms of multi-cloud security, calls for a comprehensive approach which addresses the points above. In addition, specialist tools designed to detect and analyze cloud service resource consumption are invaluable. Best practice in addressing shadow cloud IT include:
Optimizing visibility: Analysis of cloud service use enables distributed teams to be responsive to new cloud services, and informs the governance process as well as the establishment and enforcement of security policy.
Automating detection: Using CSPM technologies that auto-detect new cloud services as well as newly-adopted cloud services, and provide a graphical representation of where they are, and who is using them.
Adoption of technology controls: Using technology controls to enforce policies based on business requirements means your teams will only be able to adopt services that have been properly evaluated and approved.
Controlling costs: Introducing controls to limit the adoption of cloud services to approved technologies results in visibility and control of cloud service costs, and no surprises.
Assess services as well as workloads: It is all too common for organizations to focus on workloads when assessing shadow IT, but it is important to consider all forms of cloud service consumption to gather a full picture.
The value of controlling shadow IT
There are several benefits to controlling shadow cloud IT, delivering value to the organization in several ways.
By better controlling technology consumption, organizations will improve security posture by ensuring adherence to policy and consistent configuration. Enhanced visibility of technology consumption and prompt corrective action results in an improved compliance position from the confidence that data is being held in approved locations with appropriate controls.
Reducing or eliminating shadow IT delivers a better integrated technology environment, which increases staff productivity by reducing technical obstacles, and reduces costs in time as well as in terms of cloud service consumption.
Wiz Inventory can help customers identify and remediate multi-cloud shadow IT - to get visibility of cloud service technology consumption in your organization, contact us for a demo.