While it’s become standard for most businesses to leverage the cloud for at least part of their IT services, applications, or infrastructure, the ease of access to cloud-based IT is creating complexities for IT teams.
Many organisations are now saying they’ve benefited from the cloud but, at the same time, there are hundreds of apps used in the organisation that are paid for on corporate credit cards, and aren’t undergoing rigorous review by the IT department. This so-called ‘shadow IT’ is starting to become a bigger issue, particularly for smaller organisations.
For example, one customer with 75 staff members had more than 120 apps running across various platforms, many of which were subscription-based and being paid for by corporate credit cards. The organisation had lost sight of this, creating a potential security risk as well as additional and possibly unnecessary expenses.
Another customer switched to a new website provider only to realise, an entire year later, that the business hadn’t switched off its Amazon Web Services (AWS) infrastructure from the previous developer. This was costing the company around $2500 per month simply to pay for a platform that was supposed to be switched off but hadn’t been.
The dynamic, multi-cloud world is a boon for organisations, but organisations need to orchestrate their cloud deployments carefully and strategically to avoid increasing their cyber attack surface and being stung by unnecessary costs and complexity.
The temptation for staff members to turn to cloud-based apps is overwhelming because of the stringent security requirements that can get in the way of doing business. A secure organisation should follow best practices by whitelisting applications for use. However, whitelisting is a difficult job that requires cooperation from everyone in the team as well as full visibility into the entire environment.
Even in an environment where apps are whitelisted, it’s still virtually impossible to lock devices down so people can’t use a credit card and download a cloud-based app. The result is that people, frustrated by what they perceive as a lack of access to the tools they need to get their jobs done, take the path of least resistance and adopt shadow IT.
This happens more easily than most people realise. For example, if a business uses Skype for Business for its conference calls but a client uses Zoom, then employees may need to use Zoom even though that’s not the approved platform. It’s not unusual to see companies using as many as five different collaboration platforms, although they likely only pay for one or two.
Furthermore, many of the apps that are being developed and taken to market quickly aren’t underpinned by a strong architecture that prevents security breaches and service outages. Today’s developers are producing apps on an industrial scale, on the fly, and don’t necessarily have the core discipline that developers used to have. When an app gets breached, or goes down, these developers don’t always have the skillset to find the problem and get the app back up and running quickly enough to support mission-critical users. When uptime is everything, this can create significant problems.
This highlights an urgent need for improved governance in organisations. It’s time for organisations to take stock of what’s being used in terms of approved apps and shadow IT. By consolidating the organisation’s use of cloud-based apps and services, the business can potentially save significant amounts of money and mitigate risk.
Craig Somerville is managing director and CEO, Somerville Group and executive council member, CompTIA.