Open Source: Standing in the Shadows of IT

I recently asked a friend why he was sending me a work document that listed client names and other business data to my inbox. He then realized he had unwittingly stored a very sensitive work document in a DropBox account that was shared among friends.

Shadow IT is a term that is used to describe information-technology systems and solutions that are used by employees that are not sanctioned by the IT Department. Examples include cloud solutions such as DropBox and GitHub to store data as well as software downloads, especially free software, like open source. The main reason for these rogue activities is often internal barriers to get technology approved and vetted by the internal compliance team. With innovation occuring so rapidly, departments are no longer happy waiting weeks or months for an authorized solution.

Cloud computing and related SaaS and PaaS applications have created a whole new way for employees to easily bypass internal IT. A recent study by Stratecast shows upwards of 35 percent of all SaaS apps in an enterprise are purchased and used without oversight and more than 80 percent of respondents feel justified in continuing to use the non-approved services without ensuring that protective IT policies are applied.

Another trend that enterprises are struggling to deal with is Shadow BYOD. This refers to the number of unmanaged personal devices connecting to the network and accessing government or corporate data. Whether it is a flash drive, iPad or other device, it can put sensitive data at risk

Open Source and Shadow IT

Open source software is ripe for Shadow IT. In a February 2015 Gartner survey, 99 percent of responding organizations reported using open source. Users can download the software quickly and easily. Since the software is "free" and there is no need to get approvals to purchase, using the software can go unnoticed by IT Managers and compliance officers.

Enterprises have come to realize that managing the use of open source software usually diverts business, technical and legal resources, which is where the cost of free software comes into play.

These software packages can be perplexing for an enterprise because they can have thousands of third-party modules, with each module having its own creator/contributors and its own license that may restrict or have specific requirements around its use.

Litigation is always a lurking danger with open source and most enterprises do not want to be exposed to this risk. Does the shadow IT in your enterprise expose you to unnecessary indemnification or compliance risk?

Embrace Shadow IT

Information Technology departments in enterprises can play a very important role by embracing shadow IT to help drive innovation. Examples include approving underlying platforms, becoming educators and providing “preferred supplier” lists.

Enterprises must grade the security risk of Shadow IT against the opportunity cost of stifling employees and discouraging innovation from within. Many of these tools and solutions eventually end up becoming part of the enterprise’s sanctioned IT portfolio.

We see developers who start off using open source technology "in the shadows", but eventually becomes formally adopted by the enterprise. In order to achieve this adoption, developers need to find a commercial distribution that suits the needs of the business, brings in the proper support and SLA while mitigating the risks. An enterprise-wide solution allows other departments to benefit as well, without having to worry about license counts.

By integrating your systems, tools, and data more closely with your business, shadow IT can help drive (rather than hinder) innovation in the enterprise.