Tuesday, August 26, 2014

The Solution to "Shadow IT"


In users’ minds, IT no longer needs to look complicated, and if it does then you’re doing it wrong.  But users have no real understanding of network security, data protection laws or the current threat environment.  It’s better to guide and support your users while giving them the tools they want.
Let users work better, without Shadow IT
“Shadow IT” is the trend for enterprise users to make use of IT services that have not been approved by corporate IT.  It covers a broad range of use cases, from employees accessing corporate email on their private phone or home PC, to entire departments researching, selecting, purchasing and using their own cloud services.  What all these cases have in common is that central IT doesn’t know that they are happening, and that they are not approved, as they might be under a BYOD policy.

At first glance, you may think that users finding their own ways to work more effectively would be a good thing, and, as I will show, the drive certainly should be harnessed, but Shadow IT raises several risks that make it worrying to the enterprise.  First of all, in some parts of the world companies need to follow policies regarding data safety, meaning the act of putting customer data in an unapproved system could lead to legal issues and fines.


If this corporate level issue isn’t enough, the nature of the cloud services that users choose is itself a security and compliance risk.  While many free or “freemium” services look attractive to consumers, have a look at their terms and conditions: many very popular services state that by uploading content you give them the rights to it.  That may be no big deal if it’s your holiday photos (though you may well disagree) but it does mean that if a user wants to perform a mail merge and uploads customer details from the CRM, then the cloud service might decide to sell on this data.

A similar scenario happened to a friend of mine who was part of a large bid team responding to an RFP.  The team decided to use a particular cloud service for their project plans and Gantt charts. This would be a powerful sales tool as the cloud version would look far nicer than the corporate-approved (Microsoft) ones.  After they uploaded their plans, these somehow ended up in the hands of a competitor, who was able to outbid them and win the deal.

Although it’s a broad trend, I believe that Shadow IT has a simple cause, and that providing integrated enterprise mobility as part of a smart end-to-end mobility solution can reduce both the temptation and risk.  Free cloud services are here to stay, so let’s help users get the tools they need and want in a secure way rather than denying them their productivity.

What causes Shadow IT?

The short answer is that Shadow IT is caused by enterprise users who believe that they can work more effectively by not following approved processes than by doing so, even if working around the system is complicated, risky, and opens both them and the company to unacceptable risk.

If you think that’s bad, make sure you’re sitting down, because in many cases they are entirely correct.
At first glance this seems to be the kind of Catch-22 that makes CIOs long for the days before smartphones, and makes CISOs (Information Security heads) wonder if they should lock down their entire networks.  However the motivation behind Shadow IT should actually be embraced, because with appropriate guidance and supervision it could be the foundation of a far more connected, efficient (and secure) enterprise that users will embrace.
It’s worth reiterating that the knee-jerk reaction to lock down the corporate network won’t actually resolve matters.  In the olden days, IT involved logging into centralised servers and users weren’t especially interested in computing, but today personal smartphones and easy-to-use consumer apps mean that everyone and their mother thinks they know how best to run IT “because it should be really easy, just look”.
So the first thing we need to bear in mind is that in users’ minds, IT no longer needs to look complicated, and if it does then you’re doing it wrong, but equally that these users have no real understanding of network security, data protection laws or the current threat environment.  Pandora’s Box has been opened in terms of the easy access to free services, but it’s impossible to completely lock down your environment without compromising productivity.  It’s better to guide and support your users while giving them the tools they want.
On the other hand, the consumerisation trend also means that the majority of your users really, genuinely believe that IT can be helpful, easy and fun; and having realised that, they would really like to stop using these fiddly, complicated systems that look like they came from the early 1990s, please.
Finally, the consumerisation trend has another effect, in that the first device many business users have really felt comfortable and productive with was a mobile device, and this is not only true of millennials entering the workforce but also of older users who may not have much technical knowledge but feel comfortable with their iPad.  In terms of shadow IT, this means that it is not just about the software but also the hardware, and increasingly savvy business users realise that they can accomplish some tasks more easily on a mobile device.

What is integrated enterprise mobility, and how does it resolve Shadow IT?

Integrated enterprise mobility is the outcome of treating business applications as a way of pushing out access to business processes to devices, as opposed to creating a mobile front-end onto a specific system.  For example, rather than a mobile ERP app, the user could have an app for contract renewals, which could automatically share data between the CRM, ERP, email and social media clients as required to minimise the amount of fiddly input required, and letting the user focus on closing the deal.

The application should also run natively across multiple channels, which in a nutshell is to say that it should look like an iOS app on iOS, like an Android app on Android, and intelligently present itself in a natural way according to whether it’s on a smartphone or tablet.  This isn’t just so that the user feels reassured by a familiar interface, but because each ecosystem has its own habits and ways of working and this makes users more effective.

Since part of our goal in bringing Shadow IT under control is to give users confidence that they can work how they want, it’s also important to ensure business applications have offline access built in so users don’t need to worry about losing connectivity and can trust their work to be available anywhere.

What other elements make a smart end-to-end mobility solution?

I mentioned that Shadow IT can be handled with a smart, end-to-end mobility solution, and integrated enterprise mobility is only one part of that, though it is the part the user will really see and the part that will drive acceptance.  From a corporate perspective, several other elements are equally important: the ability to ensure that applications are always available with performance monitoring, access control management, auditability of applications, rapid development and deployment to multiple platforms from a single source, and the ability to ensure the security and integrity of corporate data.

Ideally, this means you need a smart platform that can handle the back-end business process integration in a code-free manner and push native applications to multi-channel mobile with offline support built in, supported by mobile device management and security tools, with the whole underpinned by an In-Memory Data Grid for scalability, resilience and management.  However, the success or failure of any attempt to conquer Shadow IT will depend on user acceptance.

How to build a solution that users will prefer?

I have previously provided my perspective on why integration and mobility projects fail, and in this case one of those points, user engagement, is key.  If you are trying to stop the Shadow IT phenomenon, you need to learn directly from users why it is that they have gone down this route, then work with them to create a system that offers the ease and functionality they need with the security, reliability and management the business needs.

Appointing champions is a great way to do this, because by empowering a trusted, authoritative figure to represent the user base and giving them a direct line to management, you can quickly identify the root causes of employee frustration and let users tell you what you need to focus on fixing.  These champions are also the most likely to be trusted as a source of information, allowing you to get users onboard when explaining the reality of enterprise security.  Always remember that Shadow IT users are frustrated and motivated to succeed, not subversive troublemakers who want to harm your security.

Today’s businesses and business users are under more pressure than ever before to be highly productive, so every few seconds of delay can add up to a lot of frustration.  Enterprise IT is not the enemy, but to beleaguered users it can sometimes seem that way, especially in the more security-focused companies where approved technology doesn’t seem to keep pace with demands.  By working with your users and implementing integrated enterprise mobility you can head off the security threats of Shadow IT and make the business more successful.

David Akka is Managing Director at Magic Software Enterprises UK. David is a successful executive manager with a proven track record as a general manager with a strong background in sales, marketing, business development and operations. Past experience in technology and service delivery includes both UK and European responsibilities.




Originally published on enterpriseappstech