For a few years now as a result of the Bring Your Own Device (BYOD) phenomena working hand in glove with the explosion in cloud-based third party business-oriented applications one of the most vexing problems for enterprise IT has been how to get a handle a seemingly runaway train named “Shadow IT.” This is the common term now used to describe when employees individually, or even entire lines of business (LOBs), in search of tools that will enable to do their jobs better decide the rewards of using unauthorized Software-as-a-Service (SaaS) applications are worth the risks.
In this case the risks of not be rewarded for better job performance trump the risks to the corporation caused by unauthorized SaaS use that exponentially increases the vectors of vulnerability of the enterprise leaving IT in a compromised position to manage risks.
How big a problem is this? According to a new study done by Stratecast, a division of research firm Frost & Sullivan, for security giant McAfee, Shadow IT is rampant.
The conclusions are based on a recent survey of 600 IT and line of business decision-makers or influencers in North America, the UK, Australia and New Zealand. Two-thirds of the employees surveyed came from companies with 1,000-10,000 employees, and one-third from companies with more than 10,000.
The big takeaway is the one in the headline, 80 percent of survey respondents admit to using non-approved SaaS applications in their jobs. In a bit of a shocker it turns out that IT employees use a higher number of non-approved SaaS applications than other company employees.
Everyone is bypassing IT, including IT itself
As a bit of context, it should be noted that Frost & Sullivan estimates that the overall SaaS market in North America alone will grow at a rate of 16 percent CAGR, reaching a market value of $23.5 billion USD by 2017. SaaS in short is simply irresistible.
Aside from the fact that it seems everyone is doing it, key findings from the survey include:
“There are risks associated with non-sanctioned SaaS subscriptions infiltrating the corporation, particularly related to security, compliance, and availability,” said Lynda Stadtmueller, program director of the Cloud Computing analysis service within Stratecast. “Without appropriate knowledge, non-technical employees may choose SaaS providers or configurations that do not measure up to corporate standards for data protection and encryption. They may not realize that their use of such applications may violate regulations concerning handling and storage of private customer data, leaving the company liable for breaches.”
The report is filled with some really interesting charts based on the surveys. As a bit of a teaser to encourage you to download it in its entirety, the one below on drivers for adoption that includes a comparison of LOB versus IT use is one that stands out.
Source: Stratecast Report, The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security Posture
The report also documents that despite willful violation of company policies and rules, respondents do not do so with malicious intent. They do so, broadly speaking, to get ahead. “With over 80 percent of employees admitting to using non-approved SaaS in their jobs, businesses clearly need to protect themselves while still enabling access to applications that help employees be more productive,” said Pat Calhoun, general manager of network security at McAfee. “The best approach is to deploy solutions that transparently monitor SaaS applications and other forms of web traffic, and uniformly apply enterprise policies, without restricting employees’ ability to do their jobs better. These not only enable secure access to SaaS applications, but can also encrypt sensitive information, prevent data loss, protect against malware, and enable IT to enforce acceptable usage policies.”
Let the trend be your friend
As with much of what is taking place in the technology field in general these days, the report looks at the trends of more devices, more use of third-party cloud-based apps as not just inevitable but something to be embraced. In fact, the authors provide seven tips enterprises should consider that can leverage the value of what today is use of unauthorized SaaS, and doing so as the authors note with an approach, “That protects your business, without implementing a police state.” These include:
There are two ways to look at the survey results. It can be seen as a call to action for IT to clamp down on out of control unauthorized SaaS use, or as an opportunity to not just fix but take advantage of industry trends which can be leveraged without compromising enterprise security. As the authors correctly point out, it really is in everyone’s interest that the second view is the road to travel.
Practically every organization has vast amounts of "dark data" in the form of weblogs, machine logs, and logs from sensors on everything from oil rigs…
It's time for some fresh thinking about voice services. Once the dominant source of revenue for mobile operators, voice calls are now a rare form of c…
When a customer gives you his data, he expects that you're going to use it wisely and safeguard it against those who shouldn't have access to it. But …
Now imagine for a moment a world in which nothing breaks-or rather, nothing stays broken. Too good to be true? Not quite. Self-healing technology is b…
As the number of connected things has grown, so has the determination of cybercriminals to exploit them. Businesses might not think about the cybersec…