You may have heard this term used a few times without it making complete sense, so:
What is Shadow IT?
The term Shadow IT or Stealth IT is used to describe the implementation or use of IT services that have not been officially created or deployed by the IT department. The service or software may be free, but most likely it has been paid for with a corporate credit card and then claimed back as an expense. Cloud services are so easy to purchase and consume that managers are tempted to simply subscribe to a low-cost service that seems to meet the needs IT has not provided. These can be hard to find, as Cloud services often just use port 80 or 443, so their traffic blends in with ordinary web browsing and largely goes undetected.
Examples of Stealth IT are:
- Cloud application services, such as SalesForce, Cloud9, NeutronIDE,
- Cloud storage services such as DropBox/Box/OneDrive/Google Drive and iCloud
- Communication and chat platforms such as MSN, Skype, GoToMeeting, Webex, Slack etc.
- Marketing services such as Mail Chimp, ActiveCampaign, Survey Monkey
- PDF creators like CutePDF, PDF creator or Adobe PDF Creator
- Content indexers like Copernic, Ultra Search, Agent Ransack
- Note taking tools like OneNote, EverNote, Wunderlist
Unexpected examples of Shadow IT are:
- Excel workbooks, and Excel macros
- Access databases
- Word macros
- Email services like Hotmail, Live, Yahoo, Gmail
- Encryption tools like TrueCrypt
- File compression utilities like 7Zip, unRAR, jZip, Unzipper
- USB drives and local storage – including even storage in personal network drives
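The definition above notes that cloud services hide in ordinary port 80/443 traffic. One way a defender can still surface them is to match the destination hosts in outbound proxy logs against a catalogue of known hosted services and an allowlist of the ones IT actually sanctions. This is an added example, not the post's own code; the log lines, the domain-to-service map and the sanctioned set are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed proxy log lines (not from a real system): timestamp, client, host, port, bytes.
SAMPLE_LOG = """\
2024-03-01T09:02:10 10.0.1.15 www.dropbox.com 443 2048000
2024-03-01T09:03:44 10.0.2.7 onedrive.live.com 443 51200
2024-03-01T09:05:01 10.0.2.7 app.slack.com 443 3072
2024-03-01T09:05:30 10.0.3.9 mailchimp.com 80 1500
2024-03-01T09:06:12 10.0.1.15 intranet.corp.example 443 900
2024-03-01T09:07:55 10.0.3.9 www.dropbox.com 443 1024000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

# Illustrative mapping of service domains to service names (assumed values);
# a real deployment would use a maintained SaaS catalogue.
SERVICE_DOMAINS = {
    "dropbox.com": "DropBox",
    "live.com": "OneDrive",
    "slack.com": "Slack",
    "mailchimp.com": "Mail Chimp",
}
# Services the IT department has approved (assumed for this example).
SANCTIONED = {"OneDrive"}

def classify_host(host):
    """Map a destination host to a known service by registered-domain suffix."""
    for domain, service in SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None

def find_shadow_it(log_text):
    """Aggregate unsanctioned cloud-service use: which clients, how many bytes, which ports."""
    findings = defaultdict(lambda: {"clients": set(), "bytes": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort
        _ts, client, host, port, nbytes = m.groups()
        service = classify_host(host)
        if service is None or service in SANCTIONED:
            continue  # unknown destination, or one IT already provides
        findings[service]["clients"].add(client)
        findings[service]["bytes"] += int(nbytes)
        findings[service]["ports"].add(int(port))
    return dict(findings)

if __name__ == "__main__":
    for service, info in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(service, len(info["clients"]), "client(s),", info["bytes"], "bytes, ports", sorted(info["ports"]))
```

Volume per service and the number of distinct clients are what turn a single hit into an inventory item worth raising with the business owner, which is why the aggregation keeps both.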
The impact on businesses can include:
- Siloed data – information stored in external sources, or only accessible to a few
- Not being backed up – resulting in information loss
- Higher risk of data leakage and disclosure – not always malicious, but it can also lead to non-compliance with the law
- Lower appreciation of the IT department – when the Shadow IT service is better than what IT provides, who are you going to trust?
- Wasted time – with different, non-integrated systems, processes are not consistent, and interaction between teams needs new software, new accounts or data conversion.
- Inconsistent business logic – if it’s not centrally controlled, then the lore of the team (or the manager’s opinion) gets implemented, sometimes not in the direction the business wants
- No integrated authentication or auditing or control of access – IT departments control who has access to data, and audit the access, but if they lose control, who can see the data?