When an enterprise sanctions or whitelists a SaaS application, promoting it out of "Shadow IT" without also allowing that application to be accessed from any device in any location, it further entrenches a dichotomy between the old guard IT way of thinking (users can be persuaded to access data only over the WAN) and the new guard that embraces cloud, mobility, and the idea of accessing data anywhere, any time, and from any device.
To underscore the notion of old guard thinking, some companies are even deploying app-level VPNs, which, in the context of SaaS, is like asking employees to use a different browser to access each application. That's counterintuitive to the purpose of SaaS adoption, because if you require a corporate-prescribed client to access a SaaS application, you negate the agility that drove lines of business to SaaS in the first place.
If a company has a BYOD policy, it is also making a mistake. BYOD isn't a policy IT creates, it's a fact that IT must contend with. (Note I didn't write "embrace," because IT doesn't have to love it -- though they will learn to do so!) There can't be a subset of approved devices, clients, or browsers through which users can access productivity applications, because creating such a policy invites the specter of Shadow IT -- which, by the way, is not a real thing.
Shadow IT is a derogatory moniker created by control-obsessed IT leaders who fear the pace of progress and the technology democratization spurred by consumerization. IT believes that it is facing an end-user Arab Spring that will cause it to lose the level of control it has enjoyed for decades. But in consumerization, business tech users are doing what they've always done, and what humans have been doing since time immemorial: following the simplest path to productivity.
Shadow IT is what users turn to when the applications and policies offered and proffered by IT are regarded as hurdles to productivity. Whether it’s because the network is too slow, access to some sites is blocked, or a new app simply does the job better, every security control adds friction to the user experience and, as with a rock in the midst of a river, users will naturally flow around the source of friction.
In a recent article, Robert Lemos compared SaaS providers to banks and argued that banks have set a precedent for taking full responsibility for user accounts. He posited that if a bank customer gets infected with malware, and the customer's money is subsequently sent to Ukraine, it is a problem for the bank. But the comparison is, at best, idealistic. By law, banks assume full liability and provide complete compensation for lost consumer funds, whereas SaaS providers do the opposite, placing the onus of accountability and liability on the customer.
As Gartner noted last year, "[SaaS providers] accept little or no financial responsibility for fulfillment of these vague [security] commitments, so even if it is determined that these obligations were not met, the buyer has no recourse."
Approaching SaaS adoption, BYOD, and mobility as integral elements of a move to the cloud requires enterprise IT to think of information security not as a matter of whitelists and blacklists, but as a model of assumed risk and qualitative loss tethered to today’s reality, not yesterday’s policy.