Cloud & The Fuzzy Math of Shadow IT

Do you know how many cloud apps, on average, are running in your organization? The number is probably greater than you think.

Krishna Narayanaswamy, Founder & Chief Scientist, Netskope

July 10, 2014

4 Min Read

Organizations are adopting the cloud in a big way. Today, representing about 23% of IT spend, cloud computing has accelerated because it allows people to get their jobs done more quickly, more easily, and more flexibly than they can using traditional computing tools. Set to account for 60% of cloud services in 2017, software-as-a-service has proliferated in enterprises and has now reached a tipping point. 

IT has responsibility for some cloud apps. Most IT departments I’ve talked to say they have responsibility for a handful of cloud deployments, maybe 10 at most, and further estimate that they have 40-50 total apps running per organization. In reality, they have an average of 461 cloud apps, according to our latest Cloud Report, an aggregated, anonymized measure of cloud app usage from the Netskope Active Platform.

This isn’t just individuals using apps like Dropbox and Twitter. It’s that too. But it’s whole lines of business using apps, and not just a few of them. It’s Workday, SuccessFactors, Netsuite, Zendesk, Marketo, and GitHub. It’s every line of business, department, and workgroup. A more recent report shows an average of 47 cloud marketing, 41 HR, 32 collaboration, 27 storage, and 27 finance and accounting apps per enterprise. Even our four person marketing team at Netskope uses 50 cloud apps.

{image 1}

Why is IT’s estimate so out-of-whack? The reason is a combination of need and procurement ease. Now more than ever people are empowered to go outside of IT to get the tools they need. This means they are procuring, paying for, managing, and using these apps without IT’s involvement. Gartner predicts that by the end of the decade, 90% of technology will be procured outside of IT. This isn’t because people want to flout the rules. It’s because they need the best tools to get their jobs done -- and fast -- because, by God, their competitors will clean their clocks if they don’t.

Even IT realizes this necessity. A forward-leaning public sector CIO recently described a project to me he and his team took on to estimate the time it would take to complete all of the IT projects on the docket. Their estimate: seven years. He used this calculation to justify the rapid pursuit of cloud investments and the facilitation of non-IT groups to make those investments. Even if he had the budget and additional headcount to accelerate the roadmap, his team would not be able to execute nearly fast enough to meet the needs of the organization. The only way to be strategic to users and the business is for IT to embrace cloud and help the business do the same. It’s the only way.

Embracing cloud sounds like the right answer, and it is, but it’s not without risk. Two key risks are non-compliance and data loss or exposure. A recent Ponemon report called “Data Breach: The Cloud Multiplier,” found that 51% of survey respondents believe cloud apps are as or more secure than on-premises applications. That said, the survey also found that for every percent increase in cloud service usage in a 12-month period, respondents estimate a 3% increase in the probability of a data breach. This means that if an organization has 100 apps and adds 25, its chance of a data breach will increase by 75%. It’s well understood that cloud apps introduce capabilities that change the computing dynamic and therefore increase the probability or the magnitude of a data breach.

For one thing, cloud usage is growing quickly within organizations, often without IT or the security team’s knowledge. This lack of visibility makes it impossible to monitor for the existence of risky apps and data violations.

Second, cloud and mobile go hand in hand. Cloud apps offer easy access from anywhere, and often provide native apps that make it possible (and in fact preferable) for users to access them from multiple devices. Users are also acquiring and using more devices. Cisco reports an average of 3.3 devices per knowledge worker. This means that the surface area for risks, threats, and policy violations is greater today than ever before.

Finally, cloud apps make it easy to share data with others, which makes it easy for sensitive data to get out of an organization’s control. Sharing is available in not just well-known cloud storage apps like Box and Dropbox, but in customer relationship management, business intelligence, and software development too. In fact, one out of every five cloud apps in use by our customers enables sharing, and 49 out of the 55 app categories Netskope tracks have apps that enable sharing. As we jokingly say around the office, “Shadow IT has a share button, and isn’t afraid to use it."

Do you know how many cloud apps are running in your organization? Let’s chat about the security risks and rewards of bringing “shadow IT” into the light.

About the Author(s)

Krishna Narayanaswamy

Founder & Chief Scientist, Netskope

Krishna Narayanaswamy is a founder and chief scientist of Netskope, a leader in cloud app analytics and policy enforcement based in Los Altos, Calif. He is a highly regarded researcher in deep packet inspection, security, and behavioral anomaly detection and leads Netskope's data science and user behavior research efforts. Krishna brings 24 years of experience to his work. He founded Top Layer Networks and served as a distinguished engineer at Juniper Networks. He holds 10 patents that range from security to accelerated packet processing to application identification.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights