5 tips for getting to grips with shadow IT
Stopping shadow IT from Cloud applications entirely is an illusion. However, there are ways for IT departments to bring the problem under control as far as possible.
by Manuel Meyer
With Cloud computing, dependency on a company's central IT system is no longer a reality. Employees can now use the Cloud by themselves and order and try out applications almost without limits, according to the motto: "If IT doesn't want to, I'll do it myself."
It is not possible to completely stop the resulting shadow IT. If the IT department only takes restrictive measures and does not make persuasive efforts, it will damage its reputation. Innovative solutions and shorter development cycles would also be severely impeded.
However, the following five tips show how the IT department can support shadow IT in the Cloud and assume a pioneering role in Cloud computing.
1. The right strategy
Countering shadow IT in the Cloud effectively requires a contemporary IT strategy that defines the development of the IT organisation, technologies, IT processes and digital culture in order to achieve long-term corporate goals. The Cloud should play a central role in this. The strategy must also define the goals. In this phase, it is recommended to put together a mixed skills team with employees from various departments, such as management, development, IT security and those responsible for governance and compliance. This means that all important aspects are taken into account in the planning. The right strategy helps to make decisions later on about new IT applications and also provides the departments with understandable reasons.
2. Cloud governance
In addition to the strategy, Cloud governance, i.e. the efficient and compliant use of Cloud services in line with regulatory requirements, is another important aspect to consider. Companies rely too heavily on existing governance processes for traditional IT environments, but governance is an important topic in Cloud computing, in particular when it comes to minimising risks. This applies specifically to costs, operation and security, but also to the organisation and the Cloud service as such. Guidelines must also be defined for the Cloud explaining how these services can, may and must be used in the company.
In addition, control of the environment and the integrity of security must be maintained through targeted monitoring and technical policy enforcement. There are automatic compliance tools available that enforce or monitor guidelines. The Cloud provider offers many of these functions and tools.
It is very important that Cloud governance is not used as a "blocker argument" against a department as a reason for rejecting new Cloud applications. It should be communicated that the guidelines are not set in stone, but can be flexibly expanded in individual cases and adapted to the needs of the respective department at any time.
3. The necessary know-how
Today's IT departments offer far more than just reliable operation of IT systems. However, in order to prevent shadow IT or to be able to integrate it effectively, they need to stay one step ahead of the departments in terms of Cloud know-how. Ideally, central IT should see itself as a Cloud competence centre, so it can advise the departments on these topics on a level playing field. However, the IT department must be aware that often neither management nor the departments understand their technical language or are open to technical arguments. In its communication, IT should therefore try to adapt its language to that of the departments and formulate arguments in a comprehensible way. On the other side, the departments can put forward why the existing IT solutions do not meet their requirements and which additional functions are required.
If the IT department succeeds in changing the way it is perceived in the company – from Cloud blocker to creative innovation partner for the business who understands the needs of the departments and supports them – many problems with shadow IT will be solved.
4. The right integration
Shadow IT has become so widespread in most companies that IT departments are no longer asking themselves how best to combat the uncontrolled increase. It is more about integrating the various Cloud applications into the company's IT, but above all ensuring that the data in the Cloud is adequately secured and protected.
The following issues should be considered in this context:
- Identity & access management
- Auditing & monitoring
- Networking & connectivity
- Governance & security
Identity and access management can be defined as a kind of clamp across the various Cloud services that ensures confidentiality, data integrity and compliance. The management encompasses all aspects related to the provision of a Cloud service. This includes provider management, compliance and security requirements as well as backup and continuity aspects. Identity refers to the parties, their accounts and authorisation for the Cloud service. Is it just internal employees or should external partners also have access? Other parameters are involved depending on the situation, because the requirements for customer or partner identities are often different from those for employees.
Furthermore, it must be clarified which data, and from which sources, is processed via the Cloud service; this requires auditing and monitoring. By engaging a Cloud provider, a company delegates most of the logging and monitoring tasks, but these must also be monitored. Claims for damages can only be asserted if failures can be proven.
Questions about connectivity to other systems also need to be addressed, as Cloud services can be accessed from different devices in different locations. Remote access solutions via a virtual private network (VPN), for example, are a popular alternative. APIs are also critical for connectivity. They must be documented, developed further, managed and secured. This is achieved with an API management solution that consists of three main components: the management, gateway and engagement components. The topic of access also includes checking network access.
Cloud governance (discussed in detail above) includes not only the management of costs, operation and security, but also organisational aspects and responsibilities. The team responsible for this should be involved in all Cloud projects from the outset.
Last but not least, the security of Cloud services must of course be guaranteed. In order to ensure confidentiality, data integrity and compliance, the aforementioned identity and access principles are required. Another essential tool is data categorisation so that it is clear which data should be processed in the Cloud and how it is subject to compliance. Certain data, such as personal data, is subject to the strict GDPR data protection rules and must be protected accordingly. In addition to identity and access management, data encryption is probably the most important technical security mechanism. It must be guaranteed by the provider.
Ultimately, however, it is not only the technical integration that is relevant, but in particular the integration of processes. Transferring learned and already applied processes to Cloud applications ensures acceptance and thereby also makes them less prone to error. For example, it should be possible to request a Cloud environment for a project using the same processes and tooling as were used in the past to order an on-premises virtual machine (VM) operated in the company's own data centre. If several new approaches suddenly become necessary for the new Cloud applications, this means more work for the IT department.
5. Streamlined processes
The onboarding of teams or projects into the Cloud must also be possible with manageable, i.e. streamlined, processes. Here it makes sense to standardise processes at an organisational level, as this speeds up the introduction of technology and enables agile working without restricting the offer.
These processes must not undermine the ideas and concepts of the Cloud, but should support them on an even more sustainable basis. For example, a good move is to provide internal departments and teams with compliant Cloud environments via a self-service portal. In this way, the IT department offers employees an incentive to opt for precisely these offers without restricting the use of modern services. Technology-savvy and interested colleagues are also given the opportunity to experiment for themselves and at the same time the IT department still has the opportunity to take action in a regulatory manner. New environments can be provided at the push of a button with a high degree of automation. Just the right balance between agility and control – and the costs remain transparent at all times.
It is ideal if a company's central IT department paves the way to the Cloud and manages it in such a way that departments receive their desired solutions quickly and in accordance with the law. The goal is to create controlled and supported Cloud environments that the employees in the departments can use to achieve their goals efficiently and thereby implement innovative processes in the interest of the entire company.
But Cloud computing is trivial neither for non-IT departments nor for IT employees and can only be achieved with a structured approach. Industry-specific characteristics and the diversity of Cloud services from different providers make the topic extremely complex. In the fight against shadow IT, it can therefore be a sensible step to get advice and support from a manufacturer-independent Cloud expert.