Disruptive Business Models: Is Shadow IT the way of the future?

As IT workers we are constantly told that the business is dangerous when it comes to IT. They make decisions without thinking through the consequences, choose products that might not be right, bully us into accepting changes, and then think that we are overpaid automatons that just say "no" all the time. I'm generalising of course.

Over the past two years Cloud has unlocked the business ability to buy services when they like, in the form they like, cheaply, and arguably of better quality (on an all round basis) than a traditional IT model would otherwise deliver. Of course, this raises the spectre of service and security, however, new tools are dampening down those two fires and making it even easier for business to buy IT themselves, safely. This is called Shadow IT.

It is very common for me to find customers that have discovered they have dozens, if not hundreds, of Cloud services in use by the end user over which the IT department has absolutely no view nor control. There are two reactions to this. Treating it as an opportunity, or cutting those services off citing security reasons. 

The second approach reinforces the IT department always saying "no" and simply forces users to adopt another method of achieving the same result. For example, the move from Dropbox to Box. Of course, because IT cutoff access to the original Cloud service, there is not data orphaned in there, never to be retrieved. It's not a solution in my opinion. 

The other thing I see is a lot of money being spent on "security architects" who troll through various system logs, manually, to try and find out what Cloud services are in use, then complete ad-hoc risk assessments to determine, usually, that they should be cut off. The cost to organisations is massive. Worse, the process is never ending. Companies end up with a suite of security consultants costing them tens of thousands of dollars per month without being any closer to solving the problem. Security has become a gravy train in IT, and while it may have been necessary two years ago, it is now reasonably automated and can be managed by an administrator. 

So here's my dilemma. The business is buying Cloud services all around me. I can't control those. They popup as service requests when they break. I'm paying a fortune on security bodies to try and manage it and all they can tell me is how bad it is and which ones to turn off. When I turn those off, I get a negative reaction from the business who see me as an impediment to progress, not an enabler. I get pushed further and further out and there is no way to break the cycle. 

Well, that's what a rather expensive bunch of consultants would have you believe. But there is actually an answer. 

Just like the security industry rallied after the Snowden revelations the Cloud industry has rallied as well, coming out with products that automate security and service in that area. 

Enterprise solutions now exist that allow IT to understand exactly what Cloud usage is across the organisation, measure that automatically against a risk profile, and secure those Cloud services so that they can not only continue to be used by the business, but can be officially endorsed as a supported IT product. Better, you can buy those services from the Cloud. 

I'm not naming products, if you are interested you can contact me directly (ian@isisgroup.co.nz) and I'll pass the information on. What is important, is what they do. 

The service sits across your outbound connections and it matches data against the several thousand known Cloud services that exist in the world today. Those Cloud services are updated in real-time. 

When it discovers a Cloud service in use, it notifies staff and performs analysis on it automatically. It can tell you the type of data the service is consuming, who the staff are that are using it, and it matches it against a standard risk profile (which you can tailor to fit your own organisation), based on industry standards. Oh, and if you are in Government, you can add the GCIO profile, or any other agency standards such as FedRamp. So within a few days, you have a complete view of the Cloud services that are in use within your company and the risk profile. 

But wait. There's more. 

You can then choose to apply additional security layers to those services without the user being interrupted. So, for example with Dropbox, you can apply encryption at your gateway, ensuring that any data stored in the service is encrypted. This in turn, drops the risk profile. This also works with enterprise scale Cloud services like Salesforce. 

When a Cloud service changes composition, either architecturally or legally, for example privacy rules, the service knows, and if you are utilising that Cloud service then it will alter the risk profile (up or down) and let you know. 

The service can be tailored to point users to the accepted Cloud service. For example, a new user attempts to access Jo's Garage Cloud service but the service pops a note saying, we don't support Jo, but we do support Box, do you want be redirected there instead?

This approach costs a few bucks per user per month and comes with the usual slew of dashboards, reports, alerts, and ability to integrate with other IT management systems. Hell, this thing is so easy the business could run it. 

In New Zealand, this is a service the Department of Internal Affairs should consider adding to their Common Capability portfolio, stat. The amount of money this would save in security contractors is likely significant, while the capability boost to Government security would be massive.

So what does this allow us to do as IT workers? It allows us to devolve choice to the end user while actively managing risk. It allows us to be seen to help the user, rather than hinder them. It saves the organisations millions in security analysts who are attempting to do this process manually, which is impossible. The humans will always miss something, the machine won't. It brings an end to the endless cycle of discovering a Cloud service, analysing risk, then repeating the process, each time reinventing the wheel, each time (even with templates) taking days of valuable time, when it could be done in seconds. 

It allows the business autonomy. 

If we don't start to think this way, then we will find ourselves extinct. Every time we say no, the business goes away and does what they want anyway, in fact, they don't really even ask us these days. If we try and block something, then they just find a way around it. Adopting a service as I have described above, frees up resource, money, and gives the business the risk-based tools they need to do their jobs in a highly competitive and rapidly changing world. 

It highlights again, the changing nature of business models and the rapid impact that new services can have on old models.

IT consultant and blogger Ian Apperely posts at Strathmore Park.