Five Ways Shadow IT in the cloud hurts your enterprise

This column is available in a weekly newsletter called IT Best Practices.  Click here to subscribe.  

According to the Skyhigh Networks Cloud Adoption & Risk Report Q2 2015, the average enterprise now uses 1,083 cloud services. That astounding figure is almost 50% higher than this time last year, and up 100% from two years ago.

Of those thousand cloud services in use today, it’s many may fall into the category of “shadow IT.” That is, the IT department has had no role in helping to select and deploy the services, and might not even know they are being used.

Individual workers, small workgroups and even entire departments may have set up the cloud services to become more productive in their jobs, but circumventing the IT department’s approval leads to security risks and other problems. Here are five ways that “shadow IT” cloud services hurt your organization.

1. Data security and protection methods might not meet your corporate standards. The top of mind issue has to be how data is secured and protected once it’s in the cloud—especially if it’s regulated data or company confidential information. According to Skyhigh, just 7% of cloud services meet enterprises’ requirements for security, compliance, and governance.

When selecting a cloud-based application, it’s important to investigate the data protections provided. Will the data be encrypted? If so, what encryption scheme is used? Who controls the encryption keys? Who can gain access to the data? Where is the data stored? What about backups? Enterprises tend to have a lot of policies pertaining to data security, and regular workers might not take them into account when signing up for a cloud service. And of course, it’s stating the obvious to say this puts the organization at high risk of a data breach.

2. Data could be distributed to too many unknown places. Another concern is data can be spread among many cloud services, making it hard to track and account for. The first rule of data governance is to know what you have and where it is. If the IT department doesn’t know about data in the cloud, this information is left out of business continuity plans, disaster recovery plans, audits, insurance plans and so forth. What’s more, data a personal cloud service can quickly get out of synch with the “official” version of the information, and then you have people making business decisions using obsolete or “bad” data.

3. Many of the cloud applications in use might not be ready for the enterprise. Workers find consumer-grade applications they use at home and decide to use them at work because they are cheap and easy to use. The problem is, those services aren’t built to enterprise-grade specifications. Besides data protection, what if the service gets hit by a DDoS attack? Is the service provider fully capable of defending against the attack and maintaining full availability? What happens if the application provider runs out of funding and goes out of business? What happens to your data? Can you get it back? Enterprises have much higher standards of operation than consumers do, and it’s important to choose cloud applications that match those standards.

4. The organization has no leverage for volume pricing. According to Skyhigh, the average enterprise now uses 57 different cloud-based file sharing services. If you lack a company standard service, the organization loses its leverage to negotiate volume pricing for one or two or a handful of officially sanctioned services. Say a application service provider charges $150 for an annual single-person license of its software. If an organization commits to purchasing licenses for 10,000 people, the provider might bring the price down to $10 per person. That $140 per person savings is lost if the company allows workers to choose whatever service they prefer.

5. The IT department is accountable for unknown applications. The IT department has traditionally been responsible and accountable for data security, governance and compliance. When workers engage cloud services without IT’s knowledge, this doesn’t let the CIO off the hook. He or she would be the first person the CEO turns to if the company suffers a data breach in one of these unseen shadow IT applications. IT has a responsibility to know where the company’s data is and ensure that it’s protected.