The New Shadow IT: Custom Applications in the Cloud

By: Morpheus Data

There’s a new kind of shadow IT arising in companies of all types and sizes: user-created cloud applications. This is one form of unauthorized IT that many firms are embracing rather than fighting, albeit cautiously.

The trend is more than just a version of “if you can’t beat ’em, join ’em.” For many IT managers, it’s an acknowledgment that their customers — line managers and employees — know what tools they need to get their work done better than anyone else. Cynics might point out that working with rogue developers in their organizations is an admission that shadow IT is now too prevalent to stop.

Dark Reading’s Kaushik Narayan writes in an April 7, 2017, article that “the consumerization of IT has spurred a free-for-all in the adoption of cloud services.” Narayan claims that CIOs routinely underestimate the number of unauthorized applications being used in their organizations, at times by a factor of 10. One CIO told Narayan there were 100 such apps in place when an examination of the company’s network logs put the number at about 1,000.

A 2016 survey of IT professionals by NTT Communications found that 83 percent report employees store company data on unsanctioned cloud services and 71 percent say the practice has been going on for two or more years. Source: CensorNet

The type of applications being developed and implemented outside IT’s supervision include HR benefits, code-sharing platforms, and customer service. These apps put sensitive company information beyond the control of data security precautions, including payment details, confidential IP, and personally identifiable information. As Narayan points out, IT departments lack the personnel and resources required to retrofit key data center apps with cloud-specific security.

Tapping ‘citizen developers’ to reduce application backlog

According to statistics cited by CSO’s George V. Hulme in an April 17, 2017, article, 62 percent of enterprises report having “deep app development backlogs,” often numbering 10 or more in the dev pipeline. In 76 percent of enterprises, it takes three months or longer to complete an app, extending to one year in 11 percent of companies.

Many organizations are cutting into their app-development workload by enlisting the services of citizen developers among the ranks of business managers and employees. The challenge for IT is to ensure the apps created and deployed by non-developers meet all security, cost, and performance requirements. You don’t manage volunteer developers the same way you manage in-house IT staff.

A recent survey by FileMaker reports that improved work processes (83 percent) and greater work satisfaction (48 percent) were the two factors most likely to motivate citizen developers. Source: CIO Insight

Start by making security as easy as possible to bake into key application components likely to be used by citizen developers. An example is to incorporate security services in a simple, accessible API. Once you’ve identified apps in use but developed outside the IT department, you determine the sensitive information the app may include. The only way to monitor which cloud apps employees are using is by paying close attention to where your data is going.

VMware director of security John Britton suggests four requirements for managing citizen developers:

  • Limit the non-pro developers to Java, JavaScript, or another memory-managed language (they’re probably using web-based or mobile apps).
  • Make sure the developers always use encrypted connections to protect data in transit, and that they encrypt all stored data.
  • Provide the developers with mobile SDKs so the apps can be managed remotely for updates, revoking access, and wiping data on a lost or stolen phone.
  • Mentor the developers via an advisory board to help them improve the quality of their applications.

Malware lurks in ‘unsanctioned’ cloud storage services

Living with the unauthorized use of cloud services by employees can quickly become an unending game of whack-a-mole. Research by cloud security firm Netskope found that the average number of cloud services used by companies increased 4 percent in the fourth quarter of 2016 from the year-earlier period to a total of 1,071. Only 7 percent of the cloud services are considered enterprise-ready, according to Netskope. Eweek’s Robert Lemos reports on the study in an April 25, 2017, article.

It’s no surprise that use of cloud services to spread malware is on the upswing as well. Netskope estimates that 75 percent of cloud-based malware is categorized as “high severity”: 37 percent of cloud threats are a form of backdoor, 14 percent are adware, and 4.2 percent are ransomware. One reason cloud-based malware is forecast to increase is how easy it is for malware to spread via cloud services.

Turning an IT liability into a corporate asset

The mistake some IT departments make is to consider the shadow IT phenomenon as a risk that must be minimized rather than an opportunity that they can capitalize on. For example, you can overcome the resistance of some employees to new technologies by highlighting the productive use of cloud services by their coworkers. This is one of the many benefits of shadow IT described by TechTarget‘s Kerry Doyle.

The pace of business shows no signs of slacking, which argues in favor of increased use of cloud-based tools to reduce the requirement cycles of application development. The nature of development changes when developers work directly with business departments rather than toiling away in a separate IT division. The developers learn first-hand how the department functions and what employees need to ensure their success. At the same time, line managers and workers gain a better understanding of the compliance, security, and other requirements of internal IT policies.

Doyle writes that once IT departments abandon their traditional role as the sole source for all workplace technology, they are free to expend their scarce resources more productively. IT staff then can become leaders and directors of company-wide cloud initiatives in which users play a more active role. By serving as an “innovation broker,” IT enters into partnerships with business departments that lead to streamlined planning, acquisition, implementation, and maintenance of increasingly vital information services.