Tom Bice is the Vice President of Product Marketing and Sales Enablement at Attachmate and Novell.
Shadow IT has been lurking in the dark corners of organizations for years now, but as BYOD and public cloud computing gain traction in the workplace, more and more employees are stealthily adopting their own software and hardware without telling IT. When IT is left in the dark, it is nearly impossible to mitigate potential risks, and in light of the recent barrage of data breaches, executives are becoming increasingly concerned about the issue.
So what can you do? First and foremost, accept that shadow IT is here to stay. IDC found that the majority of information workers share files via email and other insecure methods, while only a small group, about 10 percent, use a service provided by their company. Rather than trying to squash all instances of shadow IT that pop up in your organization, put a plan in place to help manage it. The following tips can help get you started.
Monitor Your Network
If you don’t know where shadow IT may be lurking in your organization, you cannot account for it or secure it. Make it a top priority to continuously monitor your network for new and unknown devices to help pinpoint where shadow IT is occurring and what kind of new devices are being introduced into your organization.
Assess the Risk
When you identify a new public cloud application on your network, evaluate its risk level. Not all applications that haven’t been sanctioned by IT are bad. Allow employees to continue using apps that are low-risk or that are used only for sharing materials that don’t contain sensitive information. For example, consumer-focused file sharing services such as Dropbox are just fine for sharing public-facing marketing materials, but they should never be used to share private customer data.
Although it is important to compromise with business users on which outside applications they can use, you should always prioritize security. Top-tier data security is the biggest priority when considering cloud applications and electronic file management solutions.
In addition, it is important to take regulatory compliance support into consideration. Always ensure that new tools adhere to the evolving legal standards specific to your industry. The financial services and healthcare and life sciences industries face some of the strictest information security regulations. Healthcare organizations must mitigate risks of noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Make sure you have a thorough understanding of the regulations set forth for your industry before approving new applications.
Determine its Manageability
IT already has infrastructure and processes in place for managing applications and services, and it must be able to manage new cloud applications using its existing infrastructure. The solution needs to provide IT with provisioning and de-provisioning capabilities to ensure that all employees have the right level of access, and it needs to utilize the existing identity management and security infrastructure.
For example, does the solution work with Active Directory or LDAP, identity management and single sign-on solutions? Can IT get the level of reporting and visibility required to manage the solution, troubleshoot and provide compliance and audit reports? All of these elements must be taken into consideration when determining whether an application is manageable.
Determine what your company’s policy is going to be for cloud computing. Outlining a policy will help employees understand why it is important to keep IT managers in the loop, underscore the security implications of using unapproved cloud computing services and establish expectations around using outside cloud applications. Be sure to include a detailed policy that leaves no questions unanswered. It is also helpful to identify a list of pre-approved cloud computing services, provide directions on how to use the services and specify what type of information is acceptable to share on each platform.
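One way to turn the pre-approved list and its per-service data rules into a check that runs against monitoring output is sketched below. It is an added example, not code from the article or from any vendor. The proxy log format, the `label` column (assumed to come from DLP tagging), the classification ladder, and the hosts `files.corp.example` and `upload.sharebox.example` are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumed classification ladder, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "customer": 2}

# Hypothetical pre-approved list: domain suffix -> (service, highest label allowed).
APPROVED = {
    "dropbox.com": ("Dropbox", "public"),
    "files.corp.example": ("Company file share", "customer"),
}

# Constructed egress-proxy export; the label column is assumed to come from DLP tagging.
SAMPLE_LOG = """user,host,bytes_out,label
alice,www.dropbox.com,52000,public
bob,dl.dropbox.com,910000,customer
carol,upload.sharebox.example,120000,internal
dave,files.corp.example,400000,customer
carol,upload.sharebox.example,8000,public
"""

def match_service(host):
    """Return the approved entry whose domain equals or is a parent of host."""
    host = host.lower().rstrip(".")
    for suffix, entry in APPROVED.items():
        # Require a label boundary so "notdropbox.com" does not match "dropbox.com".
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def review(log_text):
    """Split uploads into unsanctioned services and policy violations."""
    unsanctioned = defaultdict(lambda: {"users": set(), "bytes": 0})
    violations = []
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = match_service(row["host"])
        if entry is None:
            # Unknown destination: queue for risk assessment, not automatic blocking.
            unsanctioned[row["host"]]["users"].add(row["user"])
            unsanctioned[row["host"]]["bytes"] += int(row["bytes_out"])
        elif LEVELS[row["label"]] > LEVELS[entry[1]]:
            violations.append((row["user"], entry[0], row["label"]))
    return dict(unsanctioned), violations

if __name__ == "__main__":
    unknown, bad = review(SAMPLE_LOG)
    for host, info in unknown.items():
        print("assess:", host, sorted(info["users"]), info["bytes"])
    for user, service, label in bad:
        print("violation:", user, "sent", label, "data to", service)
```

Unknown destinations are reported with their users and upload volume so they can go through the risk assessment described earlier, while an approved service used above its allowed data level is reported as a policy violation.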
Provide Effective Alternatives
Although it is important to accept shadow IT, most businesses in regulated industries prefer on-site deployment. A study conducted by Hanover Research found that all the respondents it interviewed from highly regulated industries were looking for on-site file sharing solutions due to the sensitive nature of their documents. However, when business users reject company services for cloud-based apps, they aren’t trying to rebel; they are simply trying to do their job more efficiently.
The most effective way to get employees to use company software is to provide an option that is just as easy to use and productivity enhancing as the outside applications employees are turning to. If you provide the right solution, you can give employees the experience they want while maintaining the security you require.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena.