When end users circumvent the IT department and start using software-as-a-service (SaaS) applications without permission, the IT pros complain about the plague they call "shadow IT." But it would seem the professionals are also operating in the shadows, according to a survey out today.
The report, entitled “The Hidden Truth behind Shadow IT,” was a collaboration between consultancy Frost & Sullivan and McAfee. The survey asked 300 IT pros and 300 line-of-business employees whether they used SaaS applications in their jobs without official approval. Eighty percent admitted they did; only 19% of the business employees and 17% of IT staff claimed to be innocent.
The perceived threat of “shadow IT” has grown with the expanded use of cloud-based applications, which can easily and often cheaply be brought into use without the IT department knowing about it at all, much less vetting the SaaS against security policies.
For the IT department, the reaction has often been, “Oh poor IT, if we could only stop the employees from doing this,” says Jennifer Geisler, senior director in McAfee’s network security division.
Of the IT pros admitting complicity, 42 percent said they do it because they are “familiar” and “comfortable” using such services. A third said the “IT approval process for new software applications is too slow or cumbersome,” echoing the line-of-business managers. A quarter said the non-approved software “better meets my needs than the IT-approved equivalent.”
The favorite types of non-approved SaaS applications for all 600 of the survey’s respondents were related to business productivity, social media, file-sharing, storage and backup. The most popular non-approved SaaS applications included Microsoft Office 365, Google Apps, LinkedIn and Facebook, Dropbox and Apple iCloud. Many even said they were planning to increase this non-approved usage for things such as data storage related to ERP systems and financial and legal departments.
The report also indicates that these employees readily acknowledge the risks and liability in what they are doing.
Just under half cited strong concern about the potential for data exposures, theft, or simply not being able to get the data back from the cloud application. Twenty-two percent admitted they had already experienced some security incident with social media, while 16% pointed to a security-related incident in file-sharing, backup or storage.
“Despite their experiences of deep concern, more than 80% of respondents presumably feel justified in continuing to use non-approved services without ensuring that protective IT policies are applied,” the survey report states. There’s the sense that “the end justifies the means,” the report notes.
What, if anything, can be done about “shadow IT,” especially when IT employees appear to be as implicated in it as anyone else?
Geisler says the first step is nailing down policies, with the chief information security officer setting the tone by confronting the need to use SaaS in a way that satisfies compliance and security requirements. Technologies for monitoring and controlling SaaS can also be applied, but trying to shut down SaaS entirely is hardly feasible. SaaS is often a creative way to do business, especially for younger employees, the report notes. But those in charge of IT security have to set up viable ways to control passwords, identity and access management, encryption, and data-loss prevention, for example, as part of SaaS usage. With IT personnel confessing they are part of the “shadow IT” problem, Geisler suggests, the IT department “can no longer just point the finger” at the rest of the company.
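The “monitoring” Geisler refers to usually starts with discovery: finding out which SaaS services employees already reach before any policy can be enforced. The script below is an added example, not part of the report or of any McAfee product, of that discovery step run over web-proxy logs. It assumes a constructed log format of `timestamp user department host bytes_out` (real proxies use their own formats), a small catalog that maps the domains of the applications named in the survey to the survey’s categories, and an organization’s own allow-list of vetted apps (here only Office 365, an assumption). It flags unapproved SaaS use, and rates file-sharing/storage hits and large uploads as high severity because those are where the report’s respondents said data exposure and loss actually occurred.

```python
"""Shadow-IT discovery over web-proxy logs (added example, not from the report)."""
from collections import defaultdict

# Constructed sample log lines; format is an assumption: timestamp user dept host bytes_out
SAMPLE_LOG = """\
2013-11-20T09:01:12 alice finance dropbox.com 5242880
2013-11-20T09:03:40 alice finance outlook.office365.com 12000
2013-11-20T09:05:02 bob it drive.google.com 734003200
2013-11-20T09:06:11 carol legal www.icloud.com 1048576
2013-11-20T09:07:55 bob it www.linkedin.com 3400
2013-11-20T09:09:30 dave marketing www.facebook.com 2100
2013-11-20T09:10:01 erin it sharepoint.com 800
2013-11-20T09:11:44 frank sales www.example-internal.corp 500
"""

# Domains of the SaaS apps the survey named, mapped to the survey's categories.
# Domain-to-app mapping is an assumption for the example; a real catalog is far larger.
SAAS_CATALOG = {
    "office365.com": ("Microsoft Office 365", "productivity"),
    "google.com": ("Google Apps", "productivity"),
    "linkedin.com": ("LinkedIn", "social media"),
    "facebook.com": ("Facebook", "social media"),
    "dropbox.com": ("Dropbox", "file sharing/storage"),
    "icloud.com": ("Apple iCloud", "file sharing/storage"),
}

APPROVED = {"Microsoft Office 365"}          # assumed: the only IT-vetted app in this org
HIGH_RISK_CATEGORIES = {"file sharing/storage"}  # where respondents reported incidents
UPLOAD_THRESHOLD = 100 * 1024 * 1024         # 100 MiB outbound in one request is notable


def classify_host(host):
    """Return (app, category) for a host by matching progressively shorter
    domain suffixes against the catalog, or None if it is not a known SaaS host."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in SAAS_CATALOG:
            return SAAS_CATALOG[suffix]
    return None


def parse_line(line):
    """Split one constructed log line into a record; bytes_out becomes an int."""
    ts, user, dept, host, bytes_out = line.split()
    return {"ts": ts, "user": user, "dept": dept, "host": host,
            "bytes_out": int(bytes_out)}


def find_shadow_it(log_text):
    """Return one finding per request to a known but unapproved SaaS app.
    Severity is 'high' for file-sharing/storage apps or large uploads, else 'low'."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = classify_host(rec["host"])
        if hit is None:            # not a cataloged SaaS host: internal or unknown
            continue
        app, category = hit
        if app in APPROVED:        # sanctioned use is not shadow IT
            continue
        big_upload = rec["bytes_out"] >= UPLOAD_THRESHOLD
        severity = "high" if (category in HIGH_RISK_CATEGORIES or big_upload) else "low"
        findings.append({"ts": rec["ts"], "user": rec["user"], "dept": rec["dept"],
                         "app": app, "category": category,
                         "bytes_out": rec["bytes_out"], "severity": severity})
    return findings


def summarize_by_department(findings):
    """Map each department to the sorted list of unapproved apps seen there,
    which is the view a CISO needs before writing or enforcing a SaaS policy."""
    apps = defaultdict(set)
    for f in findings:
        apps[f["dept"]].add(f["app"])
    return {dept: sorted(names) for dept, names in apps.items()}


if __name__ == "__main__":
    results = find_shadow_it(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:4} {f['ts']} {f['user']:6} {f['dept']:9} "
              f"{f['app']:20} {f['category']:20} {f['bytes_out']}")
    print(summarize_by_department(results))
```

Two things to keep in mind when adapting this: suffix matching on a coarse domain such as `google.com` will lump every Google property together, so a production catalog needs finer entries; and a one-request byte threshold misses slow, steady uploads, so summing bytes per user and app over a day is the more useful signal. Neither replaces the policy and identity controls the article lists; the point is that discovery output like the per-department summary gives the CISO something concrete to set policy against.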
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org