It's not news that shadow IT is a problem. It has been one since employees started bringing Apple and Osborne computers into the office in the late 1970s and early 1980s to get their work done. But nothing has accelerated the problem like the cloud, which removes almost every obstacle to employees bypassing IT.
The Q2 Cloud Adoption and Risk Report from Skyhigh Networks looks at enterprises that attempted to address the problem of shadow IT, how they did it and how successful they were. The subjects were over 200 organizations, generally large ones in the Fortune 2000, across all major verticals - Education, Financial Services, Food & Beverage, Healthcare, High-Tech, Media, Oil & Gas, Manufacturing, Retail, and Utilities.
Skyhigh Networks sells a series of services for enterprises to manage access to outside cloud services. The service programs the organization's firewalls and proxies to enforce policy set by IT with the service. Usage data from the service provided much of the data used in the study.
Shadow IT is a problem because it bypasses the IT staff who are responsible for securing enterprise IT resources, and it prevents proper enforcement of compliance with legal and regulatory regimes, contractual obligations and other company policy.
Simply forbidding the use of outside services is a proven losing policy; employees don't use them to spite IT, they use them to help get their work done. If the company does not allow or provide tools, employees will find them elsewhere. This is why the most successful companies in the study were the ones which worked with employees to help them use outside cloud services in a secure and approved way.
In the study Skyhigh identified 3,816 unique cloud services in use, an average of 738 per organization. The majority of these services lack basic security features and only 9 percent, according to Skyhigh "... fully satisfied the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection. Only 11 percent encrypt data at rest, only 16 percent provide multi-factor authentication, and only 4 percent are ISO 27001 certified." When surveyed before seeing real usage data, IT typically believed the number of services in use was a small fraction of the real number.
As part of its service, Skyhigh says it rates over 8,000 cloud services for their level of risk, including an evaluation of the terms of service and the company's history of security incidents.
Skyhigh says that organizations used its service to manage the shadow IT problem in a variety of ways. Broadly speaking, IT can set policies for services that will:
- Allow access
- Allow but monitor access
- Allow but educate users about the service's risks and the acceptable use policy (a notice shown at access time explains the risks)
- Enforce read-only access
- Block access and provide company-approved alternatives
These policies can be set specific to a service or based on the risk level.
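To make the policy model above concrete, here is an added example (written for this article, not Skyhigh Networks code) of a small evaluator of the kind a proxy or CASB enforcement point would call: each rated service gets a default action from its risk tier, a per-service override can replace it, and each of the five outcomes (allow, monitor, educate, read-only, block with an approved alternative) is handled. The service catalog, hostnames, risk tiers and the decision to enforce read-only access by HTTP method are all assumptions made for illustration.

```python
"""Risk-tiered cloud-service policy evaluator (illustrative, not vendor code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"        # allow, but log the request
    EDUCATE = "educate"        # allow only after the user sees a risk/AUP notice
    READ_ONLY = "read_only"    # allow reads, block uploads and edits
    BLOCK = "block"            # deny and point to an approved alternative


@dataclass
class Service:
    name: str
    risk: str                           # "low", "medium" or "high" (constructed tiers)
    category: str                       # e.g. "file_sharing", "tracking"
    alternative: Optional[str] = None   # company-approved replacement, if any


@dataclass
class Decision:
    action: Action
    allowed: bool
    message: str
    log: bool = False


# Constructed catalog; a real CASB rates thousands of services on many attributes.
CATALOG = {
    "files.example-share.com": Service("ExampleShare", "high", "file_sharing", "Corporate Drive"),
    "drive.corp-approved.com": Service("Corporate Drive", "low", "file_sharing"),
    "notes.example-notes.com": Service("ExampleNotes", "medium", "notes"),
    "pixel.example-tracker.com": Service("ExampleTracker", "high", "tracking"),
}

# Defaults by risk tier; a per-service override wins when one is present.
TIER_POLICY = {"low": Action.ALLOW, "medium": Action.EDUCATE, "high": Action.BLOCK}
SERVICE_OVERRIDES = {
    "ExampleShare": Action.READ_ONLY,   # staff may download existing shares, not upload
}

# Assumption: read-only access is enforced at the proxy by HTTP method.
READ_METHODS = {"GET", "HEAD", "OPTIONS"}


def resolve_action(service: Service) -> Action:
    """Per-service override first, then the risk-tier default."""
    return SERVICE_OVERRIDES.get(service.name, TIER_POLICY[service.risk])


def evaluate(host: str, method: str, acknowledged_notice: bool = False) -> Decision:
    """Decide what the enforcement point should do with one request.

    `acknowledged_notice` models the user clicking through the coaching page
    shown for a service under the EDUCATE policy.
    """
    service = CATALOG.get(host)
    if service is None:
        # Unrated service: IT tends to underestimate what is in use, so log it
        # rather than allowing it silently.
        return Decision(Action.MONITOR, True, f"unrated service {host}", log=True)

    action = resolve_action(service)
    if action is Action.ALLOW:
        return Decision(action, True, "approved")
    if action is Action.MONITOR:
        return Decision(action, True, f"{service.name} ({service.risk} risk) logged", log=True)
    if action is Action.EDUCATE:
        if acknowledged_notice:
            return Decision(action, True, f"{service.name}: user accepted AUP notice", log=True)
        alt = f"; {service.alternative} is the approved alternative" if service.alternative else ""
        notice = (f"{service.name} is rated {service.risk} risk. Review the acceptable "
                  f"use policy before continuing{alt}.")
        return Decision(action, False, notice, log=True)
    if action is Action.READ_ONLY:
        if method.upper() in READ_METHODS:
            return Decision(action, True, f"{service.name}: read allowed", log=True)
        return Decision(action, False, f"{service.name}: {method.upper()} blocked (read-only)", log=True)
    # Action.BLOCK
    alt = f"; use {service.alternative}" if service.alternative else ""
    return Decision(action, False, f"{service.name} is blocked ({service.risk} risk){alt}", log=True)


if __name__ == "__main__":
    for host, method in [("files.example-share.com", "GET"),
                         ("files.example-share.com", "PUT"),
                         ("notes.example-notes.com", "GET"),
                         ("pixel.example-tracker.com", "GET"),
                         ("drive.corp-approved.com", "POST")]:
        d = evaluate(host, method)
        print(f"{method:5} {host:28} -> {d.action.value:9} allowed={d.allowed} {d.message}")
```

The per-service override is what lets IT treat one high-risk file-sharing service as read-only (so staff can still retrieve files partners have shared) while the tier default blocks the rest of that tier and names the approved alternative; unrated hosts fall through to monitoring so they show up in the usage data rather than disappearing.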
According to Skyhigh, the third option, on-the-spot education of the user, was the most effective way to influence cloud usage. It provides an opportunity both to explain the risks of a given service and to offer an approved alternative.
In the study, organizations were able to reduce the use of file sharing services by 97 percent. These are probably the riskiest consumer services and the ones for which secure alternatives are most readily available. The other major findings were:
- 33 percent overall reduction in number of cloud services used
- 87 percent reduction in number of tracking services identified
- 83 percent increase in the share of low-risk services among all services used
- 79 percent average reduction in volume of data sent to high-risk cloud services
- 50 percent average reduction in number of high-risk cloud services used
- 97 percent average reduction in data volume sent to high-risk file sharing services
- 78 percent average reduction in number of high-risk file sharing services used
There was also a 6 percent ($532,000) reduction in cloud service expenditures.