Your users are probably using cloud-based services that you’re not even aware of to organise their files and collaborate with each other. What are you going to do about it?
“Shadow” IT — cloud services bought from third-party providers without authorisation by the IT department — is becoming a significant problem for many companies, even if they don’t know it yet.
Canopy, the Atos cloud brand, recently conducted a survey of 350 IT decision makers across the UK, Germany, France, the Netherlands and the US. Half of the line-of-business managers reckoned between five and 15 per cent of their departmental budget was spent on shadow IT, amounting to €8.6m.
And 60 per cent of the CIOs surveyed said that shadow IT drained around $13m on average from their organisation last year.
Bleeding budget as customers flock to third-party service providers is problem enough in itself, but security is just as big an issue. According to the Canopy survey, the lion’s share of the cash went on backup services, meaning that files are being sent to service providers over which the IT department has no control.
Companies often only refresh their IT in a major way every decade or so, according to Thales Security cybersecurity practice lead Sam Kirby-French.
In contrast, employees’ experience with technology outside the office evolves continually, and they are constantly presented with new and exciting technology options that can make office systems look antiquated.
“Part of it is that the IT department isn’t supporting the user well enough, and the user wants to make their own life as easy as possible, so they will use alternatives,” he said. “And it’s difficult to stop them using those alternatives.”
The Canopy survey said more than two-thirds of respondents viewed their IT department’s sluggishness as a key factor that would push departments further into the arms of third-party service providers.
This unresponsiveness manifested itself as a failure to sanction short-term pilots quickly enough, and to host products for launches in a timely enough way.
Banning it is inadvisable
What kind of policy can the IT department put in place to stop naughty users from exposing corporate data in the cloud? The most draconian one is the grumpy cat approach: simply blacklist everything.
Corporate filtering systems can easily block a list of URLs. While these blacklists have most commonly been used to switch off porn sites, social media, and videos of dogs walking on tightropes, they could just as easily be configured to block a growing list of cloud-based services that users might be using as temporary file dumps.
Not so fast, warns EMEA marketing director Nigel Hawthorn at Skyhigh Networks, which helps companies find the cloud-based services being accessed within client networks. It uses this data, aggregated from organisations around the world, to produce a report every quarter.
In the first quarter of 2015, the average firm used 923 distinct cloud services, Skyhigh Networks estimates. That's more than a fifth more than the year before and around 10 times higher than IT estimates. It's also going to lead to an awfully big blacklist, a list that's growing all the time, Hawthorn said.
"We are adding 100 new cloud services to the registry every week," he explained. "Old-style web filters find it difficult to work out where to put them."
Typically, URL blockers will have a few tens of categories for different sites, ranging from porn to social networks, entertainment and sports. "Where do you put a cloud service that could be used for many different things?" Hawthorn asks.
In any case, if you just try to block everything, you often achieve the opposite effect, pushing your users away from well-established and reputable sites into specious online apps run out of someone’s shed. Far better Dropbox, say, than Yuri’s MegaBling Filesharing Service.
Alternatively, they will simply find other ways of accessing the mainstream cloud services that they were using before. Once, people would bring modems into their office to get dial-up access to the internet at work. Today, 4G “Mi-Fi” hotspots and rogue Wi-Fi access points are an alternative.
“It’s a device that the laptop thinks is a hotspot, and it connects to data services. So people can get around the URL filters that block them from doing certain things. Now all of a sudden you have a rogue Wi-Fi access point that doesn’t even exit through the firewall,” said John Pescatore, director of emerging security trends at the SANS Institute.
He warns this will become a bigger problem in the future. “The reason that this is starting to reach the tipping point is how often you turn on your device and search for Wi-Fi. You see dozens of these things,” he said.