
Keeping shadow IT in check with a cloud governance strategy

Written by Jasper Oosterveld | Sep 1, 2023 1:08:25 PM

Not too long ago, Shadow IT was a buzzword within the IT sector, mainly due to the rise of mobile devices, accessible and fast internet, and social media. But what does it mean?

What is Shadow IT?

Shadow IT refers to the use of software, applications, or services within an organization without the explicit approval or knowledge of the IT department or the organization’s official technology governance processes.

It typically involves employees independently adopting and using technology solutions to meet their specific needs. Let’s be honest with each other: this didn’t happen without a valid reason. Compared to today, IT departments weren’t in a facilitator role. They largely determined, without real involvement from employees, how employees worked with IT services.

This caused frustration due to the availability of easy-to-use solutions outside the company walls. Famous examples include Box and Dropbox. The use of these services skyrocketed. One day, I visited a customer who used Dropbox, with one account used by multiple employees, to save blueprints of their products. We can all see the danger this situation posed for the future of this company. Just imagine these blueprints ending up in the hands of their competitor.

Shadow IT presents serious compliance and security challenges and risks to an organization. We highly recommend defining a cloud governance strategy to keep Shadow IT within your organization in check. The scope of this article is the productivity services within the Microsoft 365 suite. We focus on the following topics:

  • Roles and responsibilities
  • Sensitive Information Types
  • Information Protection Policy
  • New features & updates

Roles and responsibilities

There needs to be a clear understanding of who holds a specific Microsoft 365 administrator role within your organization, for example SharePoint Administrator or Microsoft Teams Administrator. This reduces internal miscommunication, and your employees know whom to talk to in case of any questions about the productivity services and their features.

Imagine your employees are looking for a specific feature for their business needs. When they don’t know whom to address this to, frustration follows, and that can lead to shadow IT when they acquire external cloud services themselves. I advise starting by looking at the Microsoft 365 services your organization currently uses and identifying the related administrator roles. Once you have assigned the roles, communicate this within your organization, for example on the public-facing intranet site of your IT department.
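Finding out who actually holds each administrator role is the first step the paragraph describes. The script below is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to inventory the active members of the Microsoft 365 admin roles the article names (plus a few others, chosen here as an assumption) and flags roles nobody holds, so the gaps can be assigned before the contact list goes on the intranet.

```powershell
# Added example (not from the original post): inventory who currently holds
# the Microsoft 365 administrator roles, so unassigned roles can be filled and
# the result published to employees. Assumes the Microsoft.Graph PowerShell SDK
# is installed and the signed-in account may read directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Roles the article uses as examples plus others an M365 tenant typically relies on.
# This list is our own assumption; extend it for your tenant.
$rolesOfInterest = @(
    "SharePoint Administrator",
    "Teams Administrator",
    "Exchange Administrator",
    "Compliance Administrator",
    "Global Administrator"
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a role missing from its output has never been assigned to anyone.
$activeRoles = Get-MgDirectoryRole

$inventory = foreach ($roleName in $rolesOfInterest) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) {
        [pscustomobject]@{ Role = $roleName; Member = "<unassigned>" }
        continue
    }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if (-not $members) {
        [pscustomobject]@{ Role = $roleName; Member = "<unassigned>" }
        continue
    }
    foreach ($m in $members) {
        # Members come back as generic directory objects; a user's UPN sits in
        # AdditionalProperties. Groups and service principals only have a displayName.
        $who = $m.AdditionalProperties["userPrincipalName"]
        if (-not $who) { $who = $m.AdditionalProperties["displayName"] }
        [pscustomobject]@{ Role = $roleName; Member = $who }
    }
}

# Unassigned roles are the gaps to fill; the CSV is the basis for the intranet page.
$inventory | Sort-Object Role | Format-Table -AutoSize
$inventory | Export-Csv -Path .\m365-admin-roles.csv -NoTypeInformation
```

One caveat when you read the output: this lists active assignments only. Roles granted through Privileged Identity Management as eligible (activated on demand) do not appear here, so check the PIM assignments separately if your tenant uses it.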

Sensitive Information Types

Sensitive information types refer to data or information that is considered confidential, private, or valuable and requires special protection because of its potential for misuse, unauthorized disclosure, or harm to the organization. In the introduction of this article, I talked about the customer I visited. Their sensitive information type was the blueprints of their products. The way the blueprints were stored left them unprotected and potentially endangered the entire future of the company. Once you have gathered all the sensitive information types, you define a classification and protection policy and include this in your governance strategy.

Identifying sensitive information isn’t always an easy task. We have a couple of tips:

  • Talk to your stakeholders
  • Microsoft Purview Sensitive Information Types
  • Law & regulation
  • Impact of data loss

Stakeholders

You should talk to one or more stakeholders per department. These people are familiar with the primary business processes and with any sensitive information that already exists. They can provide you with an overview of sensitive information types.

Microsoft Purview Sensitive Information Types

Microsoft provides out-of-the-box sensitive information types within the Microsoft Purview service. You can browse these, and use them as inspiration, through Microsoft’s documentation.

Law & regulation

Each organization needs to comply with certain laws and regulations related to its location or type of industry, for example EU GDPR and ISO 27001. These define sensitive information types, for example EU Driver’s License Number and EU Passport Number.

Impact of data loss

One last tip: think about the worst-case scenario in which certain sensitive information is included in, for example, a data leak. What would happen to your organization? What would the financial impact be? This results in a list of your sensitive information types.
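The Purview and law-and-regulation tips above end with a list of sensitive information types; the next step in the governance strategy is to protect them where they live. The script below is an added example, not part of the original post: it uses the Security & Compliance PowerShell cmdlets to list Microsoft’s built-in EU sensitive information types and then creates a data loss prevention policy that stops documents containing an EU Passport Number from being shared outside the organization across SharePoint, OneDrive and Teams. The policy name, rule name and policy-tip text are our own choices.

```powershell
# Added example (not from the original post): turn a sensitive information type
# into a protection rule in Microsoft Purview, so classified data is protected in
# the Microsoft 365 services instead of drifting to external cloud services.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator account.
Connect-IPPSSession

# 1. The inspiration step from the article: the built-in sensitive information
#    types Microsoft ships, filtered here to the EU ones the article mentions.
Get-DlpSensitiveInformationType |
    Where-Object Name -like "EU *" |
    Select-Object Name, Publisher |
    Sort-Object Name

# 2. A DLP policy covering the Microsoft 365 productivity services.
#    Start in test mode: you learn what the rule would catch before anyone is blocked.
$policyName = "Protect EU identity documents"   # our own name
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Protects EU identity numbers; see the Information Protection Policy" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# 3. The rule: a document holding one or more EU passport numbers that is shared
#    with people outside the organization is blocked, the owner is told why, and
#    the site admin receives a high-severity incident report.
New-DlpComplianceRule -Name "Block external sharing of EU passport numbers" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "EU Passport Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This document contains passport numbers and may not be shared outside the organization. See the information protection policy." `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 4. Verify the rule landed as intended.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, BlockAccess, AccessScope, Disabled

# 5. After reviewing the test-mode reports, enforce the policy:
#    Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

The test-mode period is the useful part for governance: the notifications and incident reports show where passport numbers already sit in SharePoint and OneDrive, which feeds straight back into the list of sensitive information types and into the conversations with the stakeholders of the departments involved.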

Information Protection Policy

An information protection policy is a document that provides guidelines to your employees on the processing, storage, and transmission of sensitive information. I advise including the risks of not complying with this policy by resorting to shadow IT. The main risks are fines, reputational damage and loss of trust. This should deter most employees from using external cloud services for their productivity needs.

New Features & Updates

One of the reasons employees found their way to external services and caused shadow IT was the lack of innovation and new features within existing IT systems. In my experience, this was often related to external file-sharing requirements. SharePoint and OneDrive in particular were very limited on this front.

Microsoft stepped up its game and now releases new features & updates on a weekly basis. This should prevent the need for external cloud services and prevent shadow IT. I advise you to use the following two features to keep innovating your productivity landscape with the support of Microsoft 365:

  • Microsoft 365 Message Center
  • Targeted release

Microsoft 365 Message Center

Microsoft frequently shares messages about new features & updates in the Microsoft 365 message center. This helps your organization to stay in the loop and maintain control over new features & updates.

Targeted Release

Instead of waiting for new features & updates to arrive in your Microsoft 365 tenant, you can enable targeted release for a selection of employees. They receive new features & updates before the other employees. I advise including employees who are early adopters of new technology and might otherwise turn to shadow IT.

Conclusion

I can’t emphasize enough how important it is for your organization to proactively address shadow IT by implementing a clear governance strategy, enabling open communication with your employees, providing appropriate Microsoft 365 productivity solutions, and promoting awareness of the risks associated with shadow IT. By doing so, your organization can minimize the negative impact of shadow IT while maintaining a secure and efficient technology landscape.

A note from Rencore

To get a comprehensive understanding of Microsoft 365 governance strategy and read an overview of the governance challenges to prepare for, download our whitepaper and learn ways to build a robust governance strategy that suits your organization.