Cloud & The Fuzzy Math of Shadow IT

Organizations are adopting the cloud in a big way. Today, representing about 23% of IT spend, cloud computing has accelerated because it allows people to get their jobs done more quickly, more easily, and more flexibly than they can using traditional computing tools. Set to account for 60% of cloud services in 2017, software-as-a-service has proliferated in enterprises and has now reached a tipping point. 

IT has responsibility for some cloud apps. Most IT departments I’ve talked to say they have responsibility for a handful of cloud deployments, maybe 10 at most, and further estimate that they have 40-50 total apps running per organization. In reality, they have an average of 461 cloud apps, according to our latest Cloud Report, an aggregated, anonymized measure of cloud app usage from the Netskope Active Platform.

This isn’t just individuals using apps like Dropbox and Twitter. It’s that too. But it’s whole lines of business using apps, and not just a few of them. It’s Workday, SuccessFactors, Netsuite, Zendesk, Marketo, and GitHub. It’s every line of business, department, and workgroup. A more recent report shows an average of 47 cloud marketing, 41 HR, 32 collaboration, 27 storage, and 27 finance and accounting apps per enterprise. Even our four person marketing team at Netskope uses 50 cloud apps.

{image 1}

Why is IT’s estimate so out-of-whack? The reason is a combination of need and procurement ease. Now more than ever people are empowered to go outside of IT to get the tools they need. This means they are procuring, paying for, managing, and using these apps without IT’s involvement. Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT. This isn’t because people want to flout the rules. It’s because they need the best tools to get their jobs done -- and fast -- because, by God, their competitors will clean their clocks if they don’t.

Even IT realizes this necessity. A forward-leaning public sector CIO recently described a project to me he and his team took on to estimate the time it would take to complete all of the IT projects on the docket. Their estimate: seven years. He used this calculation to justify the rapid pursuit of cloud investments and the facilitation of non-IT groups to make those investments. Even if he had the budget and additional headcount to accelerate the roadmap, his team would not be able to execute nearly fast enough to meet the needs of the organization. The only way to be strategic to users and the business is for IT to embrace cloud and help the business do the same. It’s the only way.

Embracing cloud sounds like the right answer, and it is, but it’s not without risk. Two key risks are non-compliance and data loss or exposure. A recent Ponemon report called “Data Breach: The Cloud Multiplier,” found that 51% of survey respondents believe cloud apps are as or more secure than on-premises applications. That said, the survey also found that for every percent increase in cloud service usage in a 12-month period, respondents estimate a 3% increase in the probability of a data breach. This means that if an organization has 100 apps and adds 25, its chance of a data breach will increase by 75%. It’s well understood that cloud apps introduce capabilities that change the computing dynamic and therefore increase the probability or the magnitude of a data breach.

For one thing, cloud usage is growing quickly within organizations, often without IT or the security team’s knowledge. This lack of visibility makes it impossible to monitor for the existence of risky apps and data violations.

Second, cloud and mobile go hand in hand. Cloud apps offer easy access from anywhere, and often provide native apps that make it possible (and in fact preferable) for users to access them from multiple devices. Users are also acquiring and using more devices. Cisco reports an average of 3.3 devices per knowledge worker. This means that the surface area for risks, threats, and policy violations is greater today than ever before.

Finally, cloud apps make it easy to share data with others, which makes it easy for sensitive data to get out of an organization’s control. Sharing is available in not just well-known cloud storage apps like Box and Dropbox, but in customer relationship management, business intelligence, and software development too. In fact, one out of every five cloud apps in use by our customers enables sharing, and 49 out of the 55 app categories Netskope tracks have apps that enable sharing. As we jokingly say around the office, “Shadow IT has a share button, and isn’t afraid to use it."

Do you know how many cloud apps are running in your organization? Let’s chat about the security risks and rewards of bringing “shadow IT” into the light.