The number of locations enterprise IT teams are responsible for managing is exploding across sectors, and the number of applications and devices that teams are leveraging to connect their workers is on a similarly epic growth trajectory. In fact, it’s estimated that the software-as-a-service (SaaS) market ballooned past $100 billion in revenue over the course of 2019, thanks in large part to a growing number of enterprises retiring their legacy workflows and hardware-based tools for solutions that can be delivered quickly (and relatively cost-effectively) through the cloud.
At the same time, data privacy has never been higher on the minds of enterprise IT teams than it is today. Data governance generally has become a top priority, as far-reaching regulations like the European Union’s General Data Protection Regulation (GDPR) and the upcoming California Consumer Privacy Act (CCPA) put the legal onus on enterprise IT to protect and secure this data.
A large challenge in meeting these compliance goals is that at many large enterprises, there’s a wealth of applications, devices, and users communicating on the network that may be doing so “in the shadows.” In fact, Gartner estimates that anywhere between 20% to 50% of enterprise app spending takes place without IT’s knowledge or consent — aka, Shadow IT.
Just imagine those optics: Even as enterprise IT is being stretched thin with managing the networks, locations, apps, and devices it’s approved for users, unknown variables could be running rampant without teams having any insight into what users are doing when IT isn’t watching.
In the recently published Network Readiness Survey from Accenture, only 36% of the 300 IT pros surveyed are “very satisfied” that their network is equipped with the capabilities required to support the business. This is despite the fact that companies are wasting no time in bringing advanced digital technologies into the network fold, including big data/analytics (83%), digital customer experience tools (78%), and IoT/edge computing (77%). This makes it challenging for enterprise IT to model user experiences or forecast future network demands if teams aren’t equipped with a complete picture of current behavior.
And all of this is just to manage the tools and solutions that enterprise IT teams are actually aware of.
The rise of Shadow IT mirrors the rise of SaaS in the enterprise — tools and workflows that are delivered “as-a-service” are, by design, easier to acquire and more cost-effective than on-premise solutions, which is a boon for enterprise IT as their role transforms. But it’s also made it easier for users outside of IT to explore and pretty quickly deploy their own SaaS without consulting IT.
The problem here is multifaceted but primarily lies in the inability of an already stretched IT department to vet the tools that users demand, which could open the door to bad actors inadvertently gaining access to sensitive company and customer data used by employees.
The Changing Role of IT
According to a recent Salesforce report, 71% of enterprise IT teams are transforming from “a technology-providing cost center to a value-based service brokerage.” That’s because the rate of technological change even just a decade ago was far less aggressive than it is today. As a result, teams in the past had a fairly predictable list of problems and solutions they’d deploy as needed.
Now, teams have to be far more strategic, as a constantly evolving slate of network technologies are relied upon to support the business. Modern IT teams are now literally tasked with supporting the infrastructure that drives corporate success, and simply playing a reactionary role when so much is at stake could set the entire business up for failure.
This is especially true where Shadow IT is concerned.
The primary concern with Shadow IT historically has been that when users bring unauthorized apps onto the network, IT is blind to potential dangers that these tools might introduce — namely, data leakage and falling out of compliance with privacy regulations like SOC2, GDPR, and CCPA.
More often than not, however, Shadow IT isn’t conducted with bad intentions on the part of the end user. Instead, it’s often a matter of teams preferring one solution over the other or discovering a useful SaaS app and running it without gaining approval from enterprise IT teams first. A team may be approved to use Citrix GoToMeeting to conduct video conferencing, but users at a certain location might prefer Zoom and run that solution, despite it being outside of company policy.
But even seemingly harmless reasoning like this can be risky.
Take, for instance, recent research from McAfee that found 144 apps in the Google Play store that had secretly contained a malware called Grabos. The virus was masked innocuously as an audio player within each app and was only discovered after more than 17 million downloads.
Teams might not be concerned about one employee’s phone being infected by a virus initially, but when that phone is on the enterprise network, the virus can gain access to legitimate business and customer data used by secure apps from a compromised device.
With that being said, it’s not just the threat of malware that should have network teams concerned about Shadow IT. When this practice is on the rise, it’s usually a response to growing dissatisfaction with the policies and tools in place.
Moreover, users may be to blame for their own dissatisfaction, when nonapproved apps are sapping up network capacity planned for approved tools, impacting performance of both in the process. If teams are unknowingly leveraging an array of bandwidth-heavy UCaaS solutions across a wide array of devices rather than sticking with the lightweight toolset approved by the enterprise IT team, there will be no winners when it comes to delivering adequate performance when network bandwidth is being stretched to the limit, and latency and jitter issues begin causing major disruptions.
This all should immediately trigger enterprise IT to start rethinking their approach to network and app management, including (and perhaps especially) when determining which apps IT allocate network capacity to in the first place.
To get a handle on how teams can shine a light on Shadow IT and address it appropriately, teams need to take the following steps.
1. Gain a sense of the company’s complete app landscape. When network teams don’t have visibility into all apps leveraging total network capacity, it not only leaves IT blind to potentially malicious applications in use, it also limits visibility into how noncritical apps are impacting the performance of important ones. Even if it’s a matter of employees using alternative solutions to get the job done, understanding employee habits versus what’s prescribed by the company policy can help IT rethink how they allocate network capacity.
Unfortunately, many of the network management tools that teams leverage to make management easier in this day and age tend to make network visibility a tall order. SD-WAN services, for instance, were designed specifically to help teams managing a growing number of remote locations and cloud solutions mask the underlying paths that traffic travels over. SD-WAN solutions are a black box, making their own decisions about how to route each app session. Many of these products do a great job, but their WAN focus limits their visibility into the complete end-user experience, and a trust-but-verify approach with third-party monitoring is advised. Without insight into the autonomous systems and ISPs involved in delivering traffic, teams won’t know where performance issues are taking place, and they surely won’t be able to identify which applications or parts of the network are responsible for bad performance or are impacting end users.
As a result, teams need to employ a comprehensive network monitoring solution to regain this visibility and identify apps accordingly. Having a complete visualization of all the tools leveraging network capacity is the essential starting point to figuring out the scope of an enterprise’s Shadow IT issues and to start evaluating the root cause.
2. Baseline performance and explore other solutions. After successfully gaining a grasp on the company’s app landscape, IT should use this knowledge to explore which solutions/policies have been working while highlighting areas for improvement. If a team abandons one collaboration tool for another, for instance, IT should evaluate if it was simply a matter of user preference or if it was actually a performance issue that IT could remedy to help get all users back on the same page. Similarly, if Shadow IT has unearthed a more attractive new solution, it might be time for IT to make a switch. The ancillary benefits here are that if one team has discovered a service that works really well, other teams could benefit from it, and IT can consolidate tools in use for better pricing.
3. Use newly gained visibility to help enforce new policies. It’s all really simple at the end of the day — enterprise IT needs a comprehensive view of the network and visibility across the board to be effective. This doesn’t necessarily mean dedicating manpower specifically to policing end users and holding them to task. Instead, teams need to employ lightweight — that is, low bandwidth and easy to control — solutions that can deliver real-time insights from a single pane of glass.
If users have discovered a solution they prefer over the tool approved by enterprise IT for the same task, maybe IT should reevaluate and start retiring the legacy service for the user-preferred alternative. And when it comes down to nonbusiness apps simply taking up far too large a share of total network capacity, it may be time for teams to start identifying users and apps that should be prohibited from the network (or, at the very least, given limited network access).
With continued, active visibility, IT will know whenever rogue apps pop up on the network and who to ping about it. But rather than taking a policing approach, IT should use this as an opportunity to build a bridge between departments that turned to Shadow IT in the first place, recommending new tools or proactively assisting when performance laps.
