Out of the Shadows: Fear is the Real Cloud Threat



Shadow IT is a misnomer, and we need to stop pretending that so-called rogue software applications are going to bring down the enterprise. That kind of fear mongering is misleading and doesn’t help advance the cause of securing data in the cloud. In fact, it is more of a threat to the security of the cloud than the software it demonizes. 

The term Shadow IT was coined out of a vestigial, unenlightened human impulse to fear that which we do not understand. It’s new; it’s unfamiliar; it’s different… it must be bad. In order to begin thinking about the topic objectively, however, we need to come up with a new name.

I suggest: Emergent IT.

Take a deep breath. Now exhale, and let’s have a rational discussion about the vital role of Emergent IT and why the enterprise should embrace rather than fear it.

The journey of a high-tech product or service along the path from emergent to mainstream is well documented, perhaps most famously in Geoffrey Moore’s seminal Crossing the Chasm. Moore’s book, first published in 1991, was merely an adaptation of the theory of Diffusion of Innovations brought into the digital age, describing how technical innovations overcome the forces of conservative restraint to become essential tools for productivity.

That concept was never more apt than in the cloud era, where the cost of and barriers to adoption are now so low, and the pace of change so rapid, that new products and services designed to boost productivity are launched seemingly every day. Combine the depth and variety of applications with the highly mobile, always-on archetype of today’s employees and you have created an environment where different workers with different needs and preferences will seek tools that can help them overcome the challenges of their particular working style.

Constrain those workers within the boundaries of a rigid set of choices over fear of “Shadow IT” and three things will happen: they’ll be less productive than they might otherwise be, they’ll ignore IT boundaries and use new tools or workarounds anyway, or they’ll grow frustrated and leave for an organization that is more suited to their style and accommodating of their professional ambitions.

Allow those workers to innovate and adopt Emergent IT, however, and your most ambitious employees will use these resources and be happier, more productive and more efficient. And those early adopters may well find tools that your organization will one day mainstream.

Of course, the naysayers will wring their hands and worry about data security, evoking fear of the different and unfamiliar, but what’s really at issue is not the cloud applications being used, but the security programs in place that are not prepared for the cloud.

Consider that early adopters of Emergent IT will typically only constitute a small percentage of employees, and those users are probably the most skilled and comfortable with the use of the tools they choose. That means the amount of data those users may be using in the cloud will also be small.

Sanctioned IT by definition is used by a majority of employees, not all of whom may be adept with the tools they’re given, or who may operate on the assumption that because a certain application is sanctioned by the company, it must be secure. The assumption of security encourages risky behavior and, thus, puts more of a company’s digital assets at risk. Adallom’s own Cloud Usage Risk Report, published in November of 2014, demonstrated this fact when it found that:

  • 5% of an average company’s private files are publicly accessible: The productivity gains of SaaS adoption come at the cost of reduced legacy control effectiveness and purview; it’s time to refresh enterprise governance controls.
  • The average company shares files with 393 external domains: Accountability and liability for the distribution of enterprise data, especially privileged data, continue to challenge IT in the cloud era.
  • 29% of employees share an average of 98 corporate files with their personal email accounts: Personal sharing of enterprise data manifests both governance and security risks.
  • Think of the orphans: An average of 6% of files in cloud services are orphans. Of those, approximately 70% were created by users outside the company, and 30% by terminated employees or former contractors.
  • 37% of our customers discovered they stored more cloud data in Salesforce than any other cloud storage service: Although Salesforce has a secure storage layer, its information governance controls are limited.

It’s time to emerge from the shadows and change the mindset of security in the cloud era from “lock and block” to “innovate and accommodate.” But that shift in thinking means understanding how security in the cloud era needs to work and adopting the right tools and techniques for meeting the challenges unique to cloud security.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

