Shadow IT risks have grown as organizations have accelerated digital strategies, developed multi-cloud/hybrid-cloud infrastructures, and empowered business users to provision their own services.
What is shadow IT?
Gartner defines shadow IT as “IT devices, software, and services outside of the ownership or control of IT organizations.”
Business teams no longer need to seek IT’s approval to provision new applications, hypervisors, servers, and storage. They can simply access pay-as-you-go services from AWS, Microsoft Azure, and Google, spinning up an instance of servers or other services in seconds, without IT teams’ intervention or knowledge. This can be both a blessing and a curse. Here’s why.
- Businesses have their own IT strategies and spending: Business units control up to 36 percent of all IT spending, according to Gartner. Leaders of these groups are an important voice at the table for organizations setting business, digital, and IT strategies. However, business users also pursue their own objectives with technology, because 47 percent say they understand their requirements better than IT. Ideally, individual business unit strategies ladder up to support the larger organizational objectives. Yet, this process can be derailed if the various groups don’t closely coordinate their strategies and spending and account for all of their applications and devices.
One way to establish visibility into this chaos is to deploy a next-generation configuration management database (CMDB), which helps internal groups avoid a wild west of unmanaged systems and services that could short-circuit strategies and progress. CMDBs automatically scan an organization’s virtualized services, software, and hardware to create a complete, up-to-date inventory of technology assets. This data can be used for creating strategies, setting IT budgets, modernizing application portfolios, and rationalizing assets.
- More non-technical users are provisioning IT services: The universe of people who can deploy and install their own technology includes business users and technologists. Business users don’t just deploy Software as a Service (SaaS) apps, but also low-code/no-code platforms, infrastructure-as-code services, and more.
As a result, shadow IT cloud usage is estimated to be 10X the size of currently known cloud usage. The average company has 975 unknown cloud services compared to 108 known ones. Many of these services could be redundant, resulting in wasted IT spending and the risk of software license violations and fines.
IT teams may not realize the scope of the problem because they rely on different discovery tools embedded in IT monitoring platforms. In addition, different groups typically focus only on their assets. For example, server, application, and networking teams focus only on their respective devices. As a result, IT teams may have a false sense of confidence that they understand the full scope of their assets, when they are actually only seeing a partial view of them.
When IT teams deploy Device42 for an evaluation of their infrastructure, they’re often shocked to discover the extent of unknown systems and can then move swiftly to bring these assets under control.
- Data lives everywhere: Business users are storing organization data in cloud backup solutions or spinning up database instances to develop and test new services. More than four in five IT professionals (82 percent) report that employees stored company data on unsanctioned cloud services. And more than one in three (38.3 percent) don’t know if an external party has tried to exfiltrate it.
Being able to identify where data is stored is a crucial capability for all organizations. By understanding their data holdings, organizations can apply proper governance and control. The visibility a CMDB provides into data store details enables organizations to strengthen public cloud data security, a major weakness for most organizations today. IT teams can see the number, location, performance, capacity, and configurations of their data stores, and more. Teams also gain the insights they need to ensure compliance with customer, regulatory, and audit mandates.
- Security risks are growing: In addition to data security ills, organizations can experience other increased security risks, such as unapproved user actions, unpatched software, malware, and more.
CMDBs enable organizations to harden security by identifying high-priority gaps, making the appropriate changes and configurations, and automatically capturing this information.
As an example of shadow IT, a company that deployed Device42 discovered that an employee was running crypto mining programs on their servers during off-hours. This unauthorized use of IT resources was a serious violation of the company’s IT and security policies and cost it tens of thousands of dollars per day. As a result of their new-found insight, IT leaders were able to take swift action and mitigate this major issue.
- Performance challenges are increasing: Redundant or unknown applications place a strain on networks, increasing bandwidth and performance risks. Organizations can also experience performance failures, due to end-of-life systems that aren’t decommissioned proactively or unknown application dependencies that aren’t considered in cloud migration plans and disrupt business processes.
IT teams can use their CMDB to plan network growth, ensuring adequate bandwidth for business applications. They also can view application dependencies and use this information to develop better transformation plans that deliver real value, while also mitigating impacts on business users.
Shadow IT Is Here to Stay ‒ But Can Be Managed Better
So, is the answer to ban business provisioning of applications and services? Far from it. It’s not possible to end shadow IT, nor would it be desirable. When managed well, empowered business users are able to innovate faster by accessing their own resources. It is now far easier to spin up an instance of virtual machines, applications, and network solutions than purchase physical boxes and deploy them in an on-premises data center. Being able to move fast to build, test, and deploy applications is a source of competitive advantage for most companies today.
However, IT does need to be able to see and understand all resources, to make strategic decisions and implement tactics. By doing so, IT can ensure effective use of technology budgets, grow the business, ensure operational stability, and reduce security vulnerabilities.
Device42 provides the next-generation CMDB that organizations need to gain visibility into, and control over, shadow IT. Our CMDB provides full, automated discovery of all assets; builds dependency maps; and keeps the information fresh and updated on a 24/7 basis. IT teams can trust this discovered data and use it to make the right decisions for their organizations.