Shadow IT


In big organizations, shadow IT refers to information technology systems deployed by departments other than the central IT department, to work around the shortcomings of the central information systems
Shadow IT systems are an important source of innovation, and shadow systems may become prototypes for future central IT solutions. On the other hand, shadow IT solutions increase risks with organizational requirements for control, documentation, security, reliability, etc.

Origins

Information systems in large organizations can be a source of frustration for their users.
In order to bypass perceived limitations of solutions provided by a centralized IT department, other departments may build up independent IT resources to suit their specific or urgent requirements. It isn't uncommon for resourceful departments to hire IT engineers and purchase or even develop software themselves, without knowledge, buy-in, or supervision from a centralized IT department.

Implications

In most organizations, the prevalence of shadow systems results in a heavily fragmented application landscape, where consistency, security and governability are sacrificed to achieve the necessary level of business agility, whether for the purpose of innovation or mere survival.

Benefits

The main benefit of shadow IT is the increased reactivity. The host department has direct power over its shadow IT resources, as opposed to central ones. Also, alignment between departments, a time-consuming and sometimes impossible task, is avoided.
Shadow IT systems are an important source of innovation, and shadow systems may become prototypes for future central IT solutions.
Incumbent IT management dealing with legacy infrastructure and data management challenges cannot easily provision data as a service, either because they are unaware of its advantages or cannot acquire the budget for its successful implementation. Against this background, neither can the IT department ever deliver against all business requirements at a low enough cost relative to a true DaaS IT department. These deficiencies lead the business to implement IT solutions that may be perceived to cost less to execute, albeit whilst introducing risks a formal IT project could avoid.
For example, with the rise of powerful desktop CPUs, business subject matter experts can use shadow IT systems to extract and manipulate complex datasets without having to request work from the IT department. The challenge for IT is to recognize this activity and improve the technical control environment, or to guide the business in selecting enterprise-class data analysis tools.
A further barrier to adopting DaaS is the legacy IT bulk provisioning of only the 'Read' element of the CRUD model. This leads IT into neglecting the need to 'write back' into the original dataset, because this is complex to achieve. It is the need of shadow IT users to then store this changed data separately that results in a loss of organisational data integrity.
Placing barriers to shadow IT can be the equivalent of improving organizational security.
A study confirms that 35% of employees feel they need to work around a security measure or protocol to work efficiently. 63% send documents to their home e-mail address to continue work from home, even when they are aware that this is probably not allowed.

Drawbacks

Besides security risks, some of the implications of Shadow IT are:
Shadow IT is notoriously hard to measure. Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations typically don’t volunteer these. As a notable exception, The Boeing Company has published an experience report describing the alarming numbers of shadow applications which various departments have introduced to work around the limitations of their official information system.
According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget.
A 2012 French survey of 129 IT managers revealed some examples of shadow IT :
Examples of these unofficial data flows include USB flash drives or other portable data storage devices, MSN Messenger or other online messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.
Another form of shadow IT comes by way of OAuth connected applications, where a user authorizes access to a third-party application via a sanctioned application. For example, the user can use their Facebook credentials to log into Spotify or another 3rd party application via their corporate cloud app. With this access, the 3rd party app may have excessive access to the sanctioned app, thereby introducing unintended risk.