Some call it the CIO’s worst nightmare. Others say it is the harbinger of 21st Century enterprise productivity. No matter what you call it, however, shadow IT is a fact of life at almost every organization, whether those at the top care to admit it or not.
Shadow IT is caused by individuals taking it upon themselves to spin up their own data resources on third-party infrastructure without approval from IT. It’s an insidious practice because what at first appears to be a convenient and less costly way for knowledge workers to accomplish their tasks invariably ends up posing serious management and governance issues, and could even jeopardize the entire enterprise security apparatus.
It is for these reasons that many are calling for a hard line against shadow IT. Better to stamp out the practice altogether than let it encroach upon critical data and applications. But then, what do you do when a rival develops a key application or exploits a lucrative new opportunity because their teams have ready access to vast amounts of scalable, flexible infrastructure? With the hardline approach, you may remove a potential future security threat, but the competitive disadvantage is real and immediate.
The other option is to allow shadow IT, but in a way that preserves both user flexibility and the enterprise need for control and management. One way to do this is through application-layer governance and security. By placing encryption, key management, discovery and other policy-related functions at the app level, users are free to traverse the infrastructure of their choice while the enterprise maintains control of what’s really important: data. If someone happens to break the security of either your own or your provider’s cloud infrastructure (which will still be maintained, even in an app-centric environment), the damage is minimal because everything on the app level and above is still secure.
Can app-layer security be beaten? Of course. No system is foolproof (fools are simply too ingenious), but in this way the enterprise at least gets to loosen the reins a bit when it comes to provisioning applications and resources while still getting peace of mind that its data assets are not subject to a free-for-all.
Make no mistake, though, app-layer management will require a fair bit of recoding, although Cisco, Sun Management and others are already out with various app-layer systems and platforms to make the going a little easier.
Building your own private cloud, either at home or on hosted infrastructure, will help smooth some wrinkles as well. As long as the enterprise has basic PaaS or IaaS architectures in place, users will be able to pull the necessary resources as needed, going outside the firewall only if IT deems it necessary. With application-layer governance, this entire process can be automated using pre-established policy templates and architectural frameworks.
Dealing with Shadow IT is a clear case of “if you can’t beat ’em, join ’em.” IT could easily stymie the ability to seek resources on the cloud, but that would essentially task one department with interfering with another’s productivity. In the old days of finite, silo-based resources, this was necessary, but now that unlimited scalability is here, there is no reason to play the heavy hand…
…except the fear of doing something different.