Rise of Shadow IT – Is your IT Department irrelevant?

Is shadow IT making IT departments increasingly irrelevant? When users can source their own IT product or system independently, could it be said this is a symptom of IT departments that are out of touch or that is not providing the right services?

Let's delve in with some examples and my take on what a modern IT department should do to be more responsive, possibly avoiding some of these pitfalls in the first place. We will also check out what Microsoft Azure Cloud App Discovery can bring to the table.

How it starts

It can start innocently enough, when users start going directly to their preferred service, it could be Dropbox or Slack or some other killer app and then before you know it, your IT department is looking out of kilter.  It can be a slippery slope as IT departments can then become an afterthought, where your staff don't even think to consult when commissioning projects.

They might even send their own staff on IT training and employee a contractor even to get an IT system up and running, bypassing their IT department entirely. New staff as well may trigger this, who have their own preconceptions of what works well and with what they want to bring into a new job. 

Bypassing the IT department - Case Study 1

I am painting a worst case scenario admittedly but one I don't think is that uncommon in some ways.  I have seen it first hand, where there was a significant delay in implementing SharePoint Online.  

Pockets of staff started adopting SharePoint Online anyway in the meantime. Power users spread the technology and know-how, all with no support or sanction of the IT Department. It got to the point where outside of IT, managers were sending their staff to SharePoint training courses.

This did get caught in the end and redirected to an official project but it just shows you how staff will find a way if you're not meeting a need, they will go just work around it. 

"Does anyone know anything about a Rackspace server?" -  Case Study 2

Another example, around three months back, we got asked if we knew anything about a Rackspace server, which none of us did.  What transpired was someone in the organization had commissioned a hosted server to setup a WordPress website. This server was unknown to the responsible staff in the IT department who would as a matter, of course, secure and maintain systems.

This Rackspace server unsurprisingly left unmaintained instead was hacked and used to launch an attack against a third party.  The third party thought the hack originated from us. Rackspace actually were the ones to spot and notify us that one of "our" servers had been compromised.  A pretty poor situation I think we can agree.

Combating Shadow IT

You could call this rogue IT or as Microsoft tend to call it, shadow IT.  It's unapproved invariable unsanctioned IT services or products introduced into an organization.  Rather than be fearful of shadow IT, another tact is to embrace it and listen to what it's telling you and why people went elsewhere in the first place.

Here is my approach to shadow IT, it's meant to be a holistic systematic approach that puts the IT department in control of technology.

Facet

Outline​

Approachable

Be open to questions and thinking out of the box

Roadmap

Have a technology roadmap so everyone knows what to expect down the line

Transparent

Be honest with staff explaining why particular decisions are made and why certain technology can't be approved

Amnesty

Give staff a way out when they go off track and help them to utilize the right tools

Education

Help staff navigate and pick which is the right tool, one that works well for their particular needs.  Keep staff informed regularly with new developments .

Ambassadors

​Recognize power users that are interested in technology , can endorse change and help with it's introduction across an organization

Structure

Have a IT department structure that cultivates innovation and allows IT staff to have the time to work in new ways and be at the forefront.

Of course there will be times when you can't entertain the requests at all, they will be so left-field, there just not going to fly.  Also in highly regulated fields, healthcare, finance etc., your hands may be tied to a large extent.  

Unearthing unmanaged cloud applications

Moving on to one tool that can help with managing one aspect of shadow IT, Microsoft have a tool, Azure Cloud App Discovery.  It can help unearth cloud applications in an organization.

​In modern enterprises, IT departments are often not aware of all the cloud applications that members of their organization use to do their work. It is easy to see why administrators would have concerns about unauthorized access to corporate data, possible data leakage and other security risks. This lack of awareness can make creating a plan for dealing with these security risks seem daunting.

Azure Cloud App Discovery uses an easy to deploy PC agent that reports back telemetry to Azure.  

Azure Cloud App Discovery

It doesn't take long as data is collected in a matter of hours, you get a nice easy to interpret Azure dashboard.  Very quickly you can identify applications you may have otherwise known were in use.  

Azure Cloud App Discovery

You can do a lot more than reporting, apps can be managed, brought into the fold, with enhanced security, single sign-on, support for Multi-factor Authentication,  integration with the Office 365 app launcher and more.

Summary

That was my insights into shadow IT, with first-hand experience of this and at least one tool that helps.  I'll have further posts on similar topics in the near future, look out for these if this is of interest.