1

1

Have you ever accessed a free file storage site on your work computer? Have you ever sent work emails from your own mobile device? Do you use a cloud platform to manage expenses without your IT department’s knowledge? You might not know it, but you’ve entered the realm of shadow IT.

Shadow IT, sometimes referred to as “bring your own cloud” (BYOC), can be any online application or platform used by federal employees outside the scope of their agency’s IT department. Studies suggest it’s much more common than previously thought.1 With the government’s data infrastructure increasingly lagging behind the agility and rapid scalability of cloud-based services, today’s federal workforce faces unprecedented incentives to deviate from IT department-sanctioned apps. Although experimentation with cloud services can lead to innovation,2 if unmanaged, shadow IT can put agency data at greater risk of infiltration by malicious users and software, as well as hide the true cost of federal IT, causing redundant spending and missed opportunities to shave already-tight budgets.

One innovation helping federal agencies shed light on shadow IT is software-defined networking

         

BRINGING YOUR AGENCY’S IT OUT OF THE SHADOWS

2

(SDN). SDN-enabled virtualization can help cut through the network complexity that is stalling performance in federal data centers, a trend that could bring many shadow IT users back from the dark side.

What’s Driving Shadow IT

Over the last decade, federal agencies have witnessed a rise in shadow IT, largely as a function of the widening gap between public sector IT capabilities and those available via the cloud. After years of consolidating the government’s data infrastructure, network complexity remains a bottleneck preventing federal agencies from getting the capabilities they need. According to a July 2014 survey, 68 percent of federal IT managers believe network complexity is on the rise, while 81 percent say it’s a major drag on government IT performance.3 For many federal officials, cloud storage and analytics platforms simply represent workarounds that would be rendered unnecessary by a more modern network infrastructure.

The lengthy IT procurement process certainly

UNAUTHORIZED “SHADOW IT” SERVICES ARE A REALITY, AS WELL AS A DRAIN ON YOUR BUDGET AND A RISK TO SECURITY. SO WHY ARE FOUR IN FIVE END USERS TURNING TO SHADOW IT AND WHAT CAN YOUR AGENCY DO TO KEEP THEM IN-HOUSE?  

  2

3

doesn’t help. According to former CIA and NSA Director, Gen. Michael Hayden, shadow IT is essentially “emergency IT,” most commonly used to achieve mission-critical objectives along timelines too narrow for the standard IT acquisition process.4 The task of specifying requirements, reviewing bids, buying, and eventually standing up traditional IT can take as long as six to nine months. Facing pressure to deliver, employees oftentimes turn to cloud applications and infrastructure as a stopgap measure. Problems arise, says Hayden, when this “emergency IT” becomes “everyday IT.”

How Does Shadow IT Put Federal Agencies at Risk?

Among the most important roles of a federal IT department is vetting potential applications for security vulnerabilities before they access secure government networks and data. Despite that, industry experts estimate that roughly 80 percent of end users run shadow software-as-a-service apps at work.5 By bypassing the IT department, users leave the application’s proprietary encryption as the only defense between cyber criminals and government data. This is an unacceptable risk considering that the number of cyber attacks against government agencies rose by over 30 percent in 2013, while increasingly-sophisticated attacks against cloud service providers resulted in large-scale disclosures of consumer data.6

To make matters worse, shadow IT can derail federal agencies’ efforts to manage their budgets effectively. In interviews with CEB, 165 private sector CIOs estimated that shadow IT added roughly 40 percent on top of their organizations’

     

4

official IT budgets.7 If that figure were to hold true for the public sector as well, it would mean that the federal government could be overspending by more than $30 billion annually.

What You Can Do to Shine a Light on Shadow IT

A new approach known as software-defined networking can offer federal agencies a way to rein in shadow IT without compromising on innovation. SDN works by decoupling the forwarding and control planes within a network switch and then moving the control plane to another centralized device, called a controller. Network administrators can then use the controller to program devices on the network without having to configure hardware as well.8

One of the major causes of shadow IT use is poor configuration of network resources, frequently causing traditional networks to provision bandwidth inefficiently. Switching to SDN allows IT administrators to provision network bandwidth dynamically to applications with the heaviest workloads, delivering unprecedented performance to federal data centers. This translates to faster speeds and greater reliability with fewer service disruptions.9 Overall, greater functionality will help to keep users within the bounds of their agency’s IT department, while also mitigating some of shadow IT’s most harmful effects.

SDN also has benefits for agency security. Long gone are the days when enterprises could rely solely on a fixed perimeter to keep the bad guys out. With the growth of cloud and mobile

SHADOW IT MAY BE COSTING THE FEDERAL GOVERNMENT MORE THAN $30 BILLION ANNUALLY

80 PERCENT OF USERS ACROSS INDUSTRIES RUN SHADOW SOFTWARE-AS-A-SERVICE APPLICATIONS AT WORK - 2013 FROST & SULLIVAN STUDY

  3

                         

   

About GBC

Government Business Council (GBC), the research arm of

Government Executive Media Group, is dedicated to advancing

the business of government through analysis and insight. GBC

partners with industry to share best practices with top

government decision-makers, understanding the deep value

inherent in industry’s experience engaging and supporting

federal agencies.

About Brocade

Brocade® networking solutions help federal agencies achieve

their critical initiatives as they transition to a world where

applications and information reside anywhere. Today, Brocade is

extending its proven data center expertise across the entire

network with open, virtual, and efficient solutions build for

consolidation, virtualization, and cloud computing.

(www.brocade.com)

3

5

multiplying the number of potential threats, each network element must now be secured individually.10 With SDN, the network administrator can provision resources to create a perimeter surrounding each individual device or application.11 This vastly reduces the surface area vulnerable to attack by malicious outsiders and helps to prevent any single application from compromising the entire network.

Although the amount of shadow IT deemed acceptable can vary across organizations, a new understanding of their networks can help agencies achieve optimized performance and security without sacrificing their employeees’ ability to innovate.

  4

                                   

 

Sources 1. Lynda Stadtmueller, “The Hidden Truth Behind Shadow IT: Six Trends Impacting Your Security

Posture”. Frost & Sullivan Stratecast: November 2013 http://www.mcafee.com/us/resources/reports/rp-six-trends-security.pdf

2. Abhinav Srivastava, “Three Misconceptions about Shadow IT”. CEB Blogs: March 7, 2014 https://www.executiveboard.com/blogs/the-three-biggest-misconceptions-about-shadow-it/

3. John Breeden, “Survey Suggests Federal Network Complexity Is Limiting Data Center Consolidation”. Fedscoop: July 17, 2014 http://fedscoop.com/survey-suggests-federal-network-complexity-limiting-data-center-consolidation/; Survey: “Navigating Network Complexity” conducted by Meritalk and Brocade: July 2014 http://www.meritalk.com/federalsimplicity

4. Michael Hayden, “Shadow IT’s Impact on Federal Government”. Webcast, CSC Townhall http://www.csc.com/townhall/insights/93650-shadow_it_s_impact_on_federal_government

5. Stadtmueller, “The Hidden Truth Behind Shadow IT” 2013 6. “Agencies Need to Improve Cyber Incident Response Practices”. Government Accountability Office:

April 30, 2014 http://www.gao.gov/products/GAO-14-35; also, “Kwame Opam”, “Dropbox Website Goes Down, Hackers Claim Responsibility” The Verge: January 10, 2014 http://www.theverge.com/2014/1/10/5297310/dropbox-website-goes-down-hackers-claim-responsibility

7. Paul Taylor, “IT Chiefs Underestimate ‘Shadow Tech’ Spend”. Financial Times: November 22, 2013 http://www.ft.com/cms/s/0/dcff98c8-52fd-11e3-a73e-00144feabdc0.html#axzz3AOOGktgb

8. Jim Metzler, “Understanding Software-Defined Networks” InformationWeek Reports: October 2012 http://www.necam.com/doclibrary/InformationWeek%20Research-Software%20Defined%20Networks-11.2012.pdf

9. “Navigating Network Complexity”. Meritalk and Brocade: 2014 10. Natalie Timms, “Securing the Software-Defined Network”. InfoWeek Network Computing: November

19, 2013 http://www.networkcomputing.com/careers-and-certifications/securing-the-software-defined-network/a/d-id/1234550

11. Rod Stuhlmuller, “4 Ways Network Virtualization Improves Security”. InfoWorld: December 18, 2013 http://www.infoworld.com/t/networking/4-ways-network-virtualization-improves-security-232828?page=0,2

Image: Flickr users Martin Abegglen and Dennis van Zuijlekom

4