Shining a light on Shadow IT

Shadow IT can pose a serious risk to security and governance

Shadow IT, apps and devices that are in use without IT’s knowledge or consent, is a growing problem.
By Staff Writer. Published August 26, 2014

While IT always has to contend with an ever-changing landscape driven by shifts in technology, the sector has not really had to deal with the situation that has emerged over the past few years, where IT decisions are made without the IT department even knowing about them.

With cloud computing, particularly software-as-a-service, end users are able to plug in to services with little more than a browser, an internet connection, and a company credit card to pay subscription fees, if the service isn’t free. Departments, business units and individuals are happily signing up for cloud services and tossing company data into the cloud, without any thought for security, governance or whether data can be safely retrieved from service providers.

In the hardware space, while data has potentially been ‘mobile’ since the floppy disk, previous generations of mobile workers tended to be equipped with company-issued laptops or perhaps BlackBerrys, which IT, in theory, configured for proper security for the limited amount of data that might be carried on them. With the rise and rise of smart mobile devices, however, with huge amounts of storage space and, increasingly, a pipeline directly into mobile-enabled corporate applications, the risks from hardware have grown massively. The proliferation of mobile devices and the desire of the workforce to BYOD has increasingly meant IT organisations having to give access to devices over which they have no control.

Tackling the problem of hardware and software outside of IT’s control, so-called ‘shadow IT’, has become a difficult task for the IT department, as organisations seek to retain control over data and access, at the same time as gaining the benefits of allowing workers to use the tools they want, and the benefits of the cloud model. So how big a problem is shadow IT in the region, and how should organisations best manage it?

How widespread is Shadow IT?

Megha Kumar, Research Manager, Software, IDC Middle East, Turkey & Africa: Shadow IT is prevalent in the sense that users see programs such as Dropbox or other cloud-based data sharing systems as being efficient and helping with their productivity. Most departments end up using these systems without IT approval only because users do not realise that this violates IT/data sharing policies.

Simon Mingay, Research Vice President, Gartner: Every organisation has some level of shadow IT, and in the vast majority it is growing at a significant pace. There’s a range of drivers behind the growth, but most are beyond the control of the IT organisation itself. So the increasingly rich, easily accessible, ‘instant’ availability of relatively cheap Software-as-a-Service and cloud services being a very significant one. But also the changing demographic in the workplace and the changing nature of work itself, all being key contributors.

In the Middle East, is there any typical pattern to shadow IT — is it single users, or is it departments procuring their own apps or devices?

Mingay: All of the above. But what’s evolving is increasing use of more sophisticated solutions. And this is where it starts to clash with the traditional role of the IT organisation.

Kumar: As for departments actually implementing systems that do not have buy-in from IT, that is a bit more rare in the Middle East, but holding companies do provide independent budgets to their subs to implement what is more suitable for their operations. Even this is changing as companies choose to consolidate and streamline to control costs.

Are you aware of your end users using Shadow IT?

Ajay Rathi, Head of IT, Meraas Holding LLC: With millions of apps available on apps store and Google Play, IT has become the playground for end users. The end users are becoming smarter by the day and they want easy-to-use consumer apps for the enterprise. They would like to work with Dropbox, rather than the restrictive corporate FTP. Corporate laptops are bulky and slow; users want to bring their own lightweight laptops or tablets to connect to corporate resources. To connect their personal tabs and phones, they sometimes plug in a wireless device in the network.

Jawed Akhtar, Chief Information Officer, Ebrahim Khalil Kanoo Co: Yes, we are aware of this. Users — if not monitored — usually install free applications from the internet or CDs and use them. They may use this for business or sometimes just as fun, to learn and explore.

Samir Khan, Regional IS Manager, Information Technology, African + Eastern: There is a presence of shadow IT, though on a small scale. It’s existing because of several reasons: the advent of cloud systems; increased understanding of systems on the part of functional managers; increased go-to-market pressure requiring more than the usual turnaround from IT as well as increasingly complex requirements that under-resourced IT staff can’t service; and no clear, long-term IT strategy which is shared with all concerned.

Does your organisation have any policies to govern or forbid shadow IT?

Arun Tewary, VP (IT) & CIO, Emirates Flight Catering: No, we have not put any policy in place. However, all IT-related projects are routed through my office and shall move further only after my endorsement. This way ‘shadow’ is not allowed to grow without my knowledge.

Rathi: There are policies, which are signed by every employee when he joins the company. With business requirements as an excuse, there are many exceptions to the policy approved by management. Over a period of time the exceptions keep on increasing, making the policy ineffective.

Thameem Rizvon, Group IT Director, Kamal Osman Jamjoom: Our policy is aimed to standardise IT across the organisation, which will help reduce support costs and improve stability of applications. We have a policy for hardware that gives a standard unit for desktop or laptops. This has been in place for many years — of course tested many times, with users raising requests to change — but successfully retained as we have identified a standard set of devices which are best in their class. We review this periodically, so we always have the appropriate hardware provisioned for users to fulfil their business needs.

For software — we restrict users from being able to install on their own except for travelling users. Whenever we notice unauthorised software, we work with the respective business head to understand the requirement and either uninstall or approve new applications if required.
