Shadow IT
In organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, in order to bypass limitations and restrictions imposed by the central information systems. While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.


Origins

Information systems in large organizations can be a source of frustration for their users. In order to bypass the limitations of solutions provided by a centralized IT department, as well as restrictions that are seen as detrimental to individual productivity, non-IT departments may develop independent IT resources for a specific or urgent need. In some cases, IT specialists are recruited or software solutions procured outside the centralized IT department, sometimes without the knowledge or approval of corporate governance channels.


Benefits

Although often perceived as an attempt to undermine corporate governance, the existence of shadow IT is usually an indicator that the needs of individual departments are not being met by the centrally managed information ecosystem. The immediate benefits of shadow IT are:

* Innovation: shadow IT can serve as a sandbox for prototype solutions in response to changing business requirements. Depending on the constraints within the broader business, it can also either bypass or strengthen alignment between departments.
* Individual productivity: shadow solutions are customized to the needs of the individual department and so allow the people involved to work more effectively. One study found that 35% of employees feel they need to work around a security measure or protocol in order to work efficiently.
* Reduced internal costs: some shadow practices, such as bring your own device (BYOD), reduce direct hardware and software costs, while localized support decreases overhead for the IT department.


Drawbacks

In addition to information security risks, some of the implications of shadow IT are:

* Costs: additional time and investment may be incurred at the corporate level to integrate, validate and bring discovered shadow IT infrastructure into compliance. Conversely, a department choosing the solution with the lowest price tag may not have considered the costs of deployment and maintenance, which diminishes return on investment when buy-in is insufficient.
* Consistency: because shadow solutions may sit outside centralized version control, they can deviate from standardized methodologies or calculations. Multiple coexisting shadow infrastructures also produce a heavily fragmented application landscape and make centralized configuration management more difficult.
* Operating inefficiencies: established shadow solutions can block the implementation of more efficient processes because of their widespread use or inadequate documentation. A shadow system may also exceed the capacity of the central IT department to integrate and maintain it, especially once it has become "too big to fail".


Compliance

Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with various laws, regulations and sets of best practices. These include, but are not limited to:

* Sarbanes-Oxley Act (US)
* Basel II (international standards for banking)
* GLBA (Gramm-Leach-Bliley Act)
* COBIT (Control Objectives for Information and related Technology)
* FISMA (Federal Information Security Management Act of 2002)
* DFARS (Defense Federal Acquisition Regulation Supplement)
* GAAP (Generally Accepted Accounting Principles)
* SOC (System and Organization Controls)
* HIPAA (Health Insurance Portability and Accountability Act)
* HITECH (Health Information Technology for Economic and Clinical Health Act)
* IFRS (International Financial Reporting Standards)
* ITIL (Information Technology Infrastructure Library)
* PCI DSS (Payment Card Industry Data Security Standard)
* GDPR (General Data Protection Regulation)
* CCPA (California Consumer Privacy Act)
* NYDFS (New York Department of Financial Services)


Prevalence

Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations are reluctant to admit their existence voluntarily. As a notable exception, The Boeing Company has published an experience report describing the number of shadow applications that various departments introduced to work around the limitations of their official information system. According to a Gartner forecast, by 2015, 35 percent of enterprise IT expenditures for most organizations would be managed outside the central IT department's budget. A 2012 French survey of 129 IT managers ("Results of the survey on the 'shadow IT' phenomenon" by Thomas Chejfec: http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/) reported the following breakdown of shadow IT examples:

* Excel macros 19%
* Software 17%
* Cloud solutions 16%
* ERP 12%
* BI systems 9%
* Websites 8%
* Hardware 6%
* VoIP 5%
* Shadow IT support 5%
* Shadow IT projects 3%
* BYOD 3%


Examples

Examples of these unofficial data flows include USB flash drives or other portable storage devices, instant messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing, and Skype or other online VoIP software, as well as less obvious products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical locations, or security domains.

Bank of America employees began deploying personal computers within the company in late 1981. While the financial firm already made extensive use of large computers, the data processing budget did not account for personal computers, so individual employees and offices bought them and expensed them as office supplies. After the purchasing department discovered unusually large purchases from ComputerLand stores in summer 1982, Bank of America allotted an acquisition budget for small computers and standardized on the IBM PC. By early 1983 all executives, including president Sam Armacost, reportedly had IBM PCs.




External links



Discussion on Tech Republic

Industry's First Cloud Adoption and Risk Report

Shadow IT in the New IT Management Triangle