Shadow IT – The stumbling block for flexible Cloud services

The Cloud offers a high degree of flexibility. However, this positive aspect also means that resources are continually procured without the knowledge of the IT department. This creates a shadow IT system that can have far-reaching negative consequences.

Shadow IT is not new. It also exists beyond the Cloud. But nowadays it is possible to source or build any conceivable application from the Cloud, without the supervision of the IT department. Highly complex solutions can also be used relatively easily without the central IT department. The specialist department is delighted; the IT manager is not, because the careless use of Cloud applications and the resulting growth of shadow IT are causing enormous damage.

The following sections reveal the risk factors that should be given particular attention when it comes to shadow IT and in which specific areas it can lead to problems.


Disregard of compliance

Software that employees set up themselves in system environments that bypass the IT department rarely complies with the relevant security, data protection and compliance guidelines. More often than not, the department that wants to use a particular piece of software is unaware of these requirements. Nor is it aware of which aspects need to be checked for the Cloud services it wants to use. The IT department usually takes care of this. Failure to carry out these checks properly may result in compliance issues, which in turn may lead to penalties, for example in connection with tax audits or data protection.

Security standards are not met

Security standards are also often not adhered to if employees operate software solutions independently. Requirements such as correct encryption, password protection or access rights are often not met. In such cases, the technical and organisational measures for the transfer of data to third parties are also not in place. This means that unauthorised persons can also access the data.

Contractual and legal aspects are not validated

Booking is very simple; the contract is concluded with a few clicks. The terms of use are also quickly accepted. But have they also been read? Have they been checked? In most cases, the department that uses the applications is not able to assess the relevance of the provisions and the consequences the contract could have. But with these clicks, the service provider has already received the authorisation to process the data for use and possibly also for evaluation. In the worst case, this can result in a breach of contract, which can lead to recourse claims. This can cost the company a lot of time and money.

Cost trap

Time and money form one unit in corporate IT. Company management is aware of this, but not all managers are, let alone employees. They are under pressure to perform, which they want to master as quickly and perfectly as they can. That is why, when ordering Cloud services, they don't hesitate for long if it seems promising. The simple billing models offered by providers, such as pay-per-use, make usage appear controllable. But without central cost monitoring and the allocation of fixed budgets that employees are supposed to use, fees can quickly get out of hand.

A typical case in practice: Team leader X purchases Azure with a credit card and gives employee Y full authorisation. The employee wants to initiate a modern data analysis and uses HDInsight as an analysis service for this purpose. This service consists of a cluster of four virtual computers, which should of course be high-performance. Therefore, he chooses a powerful variant. The cluster is in operation 24 hours a day for two weeks so that the employee always has access and the test analyses can continue, even without anyone actively working on the software. The unpleasant surprise lands in the building at the end of the month in the form of an unexpectedly expensive bill.

Lack of monitoring and support

Operational work such as monitoring and logging, i.e. the automatic creation of a log of software processes for the traceability of errors, is often only performed on a very basic level in shadow IT applications. This can lead to problems, especially when errors occur. In addition, data could be made publicly accessible without the user's intention, so that it can be accessed from the outside.

In shadow IT, audit data is also not collected and stored. However, this data is essential for testing the software's functionality, complying with important quality requirements and documenting results.

Use in daily operation not planned

Cloud applications are sometimes only used by departments for testing; ideas are tried out, functions are checked. If the result of the test is positive and the solution is convincing, it should be used productively as quickly as possible. What this means for day-to-day operations, however, is not always considered. The IT department is involved at the latest when the Cloud service is actually to be used on a permanent basis. The IT department is asked to ensure operation and monitoring relatively quickly. But the prerequisites for this are unfavourable: IT employees are not familiar with the software environment; they lack the specific know-how and the time to deal more intensively with the solution.

The technology may also be incompatible with the IT operation tools that are in use on a daily basis. Then the usual processes do not apply. This means extra work for the IT employees who are already busy, especially if problems arise when using the software.

The capacities required for daily productive use are often underestimated. A web service is relatively easy to assemble and test. However, when it is put into operation, a great number of inquiries can be sent to IT. The department that puts the application into operation is generally not familiar with the corresponding plans and concepts for capacity planning.


There are several factors that lead to the creation of shadow IT, be it employees acting without thought or departments taking advantage of their liberties. This results in various risks that can cost the company a lot of time and money. To ensure that shadow IT does not jeopardise the innovations that Cloud usage can bring, certain aspects need to be taken into account. We will present these to you next week.

Would you like to find out more about the topic on the basis of a specific customer story? Then register now for IT Days 2020 from 7 to 10 December and attend Jens' presentation – see you there!


