Shadow apps in the cloud threaten IT data governance

Cloud apps have replaced Microsoft Access as the biggest headache in IT, as users take it upon themselves to spin up rogue apps, with zero regard for IT data governance.

The cloud makes it easier than ever for tech-savvy employees to bypass the IT help desk and spin up their own apps, but these shadow apps are bad news for IT data governance.

Part of the concern about the unapproved use of clouds is data security and integrity. Data quality, data accuracy and data controls become that much harder to execute. End users may not be tuned in to these issues, but IT is acutely aware of the impact of rogue actions on IT data governance.

There was a time, not so long ago, when Microsoft Access was the biggest headache in IT. For years, users in the enterprise would need an app or some data-based functionality, and if IT didn't get it done fast enough, users spun up their own apps with Microsoft Access.

Access is powerful, flexible and above all -- true to its name -- accessible. The problem: After years of this underground practice, dozens or even hundreds of Access databases sprawled across the organization -- all of them isolated, all of them known to only a handful of users, all of them randomly administered and secured -- and, often, none of them under the purview of IT.

That same phenomenon is happening again -- this time, with cloud apps.

Rogue cloud instances

Almost every organization of every size has at least considered working on one or more cloud platforms. The pull to embrace the multicloud trend has serious gravity, due largely to its economy: Cloud apps and storage may be less expensive than on-premises apps and storage. It also means that more work can be done with fewer people within IT departments.

Like rogue Access databases, cloud apps are easy to create and deploy -- in far less time than IT takes to do the same work on premises. But shadow apps only work for users until something goes wrong, or until someone else needs the data.

Too many clouds, too little IT data governance

When rogue cloud apps infiltrate the enterprise, several hazardous conditions emerge. These conditions have a negative impact in any number of areas, including -- but not limited to -- security issues, poor quality control over reporting, maintenance issues, lack of data portability and critical gaps in institutional knowledge. The following are some specifics:

No shared administration or security models. When users create shadow apps, it's generally hit-or-miss whether they handle and secure the data generated by those apps in a way that conforms to institutional policy. Few employees are well-versed in the specifics of such policy, and when they are -- even if they implement it -- they are generally not in a position to enforce it.

The results are apps and data that may have serious security issues, and insufficient process in place for granting access to them. The risk is even greater when an app and its data reside in an isolated cloud instance, as user IDs may be custom logins, rather than Active Directory credentials.

Faulty IT data governance standards. When users create their own apps in isolated cloud instances, the data they use is often defined by arbitrary metadata -- descriptions of specific data items that aren't derived from the enterprise, but from a single user's understanding of the data. This circumvents significant safeguards that the modern enterprise takes seriously and invests in deeply: The data dictionary is now a standard in IT process, and creating nonconforming versions spells trouble. This trouble can emerge in something as simple as misformatting a date or money field, or making a multichoice field a free-text entry, rather than a drop-down choice with limited options. And that's before even discussing databases, where normalization issues can make or break an app.

Lack of access to the data. What happens when years of important data are collected in a shadow app, and another system needs to access that data? IT faces the awkward, time-consuming and resource-gobbling task of creating an interface between that app and the legitimate system that needs the data.

This is an even greater issue in cloud deployments, where import and export of data -- especially in large amounts -- can be problematic. Building an interface for an Access app is within the skill set of many people in IT, but doing the same for a cloud platform that no one in IT may be even remotely familiar with is a bigger problem.

Bad documentation. Users who build their own apps and define their own data might not formally document everything. Even when someone goes to the trouble of documenting an app, the result may not conform to organizational standards. And without documentation, something as simple as application access is a mystery.

There’s a better way

It is no easier to stop rogue cloud apps than it was to stop rogue Access data apps. They're inevitable. But the following simple guidelines can make the difference between chaos and utility:

  1. Create a knowledge base of cloud options -- detailing costs, features and service-level agreements of the major cloud vendors -- as a user-friendly guide to choosing one that's right for the app and right for the enterprise.
  2. Stipulate that IT can agree to offer support if the department deploying the app makes the cloud choice according to No. 1, and if the users deploying the app undertake a guided documentation process.
  3. Require that each department deploying cloud apps agrees to appoint an IT liaison to coordinate any needed support or interface-building. That person should also be given access to institutional data dictionaries.
  4. Clarify that custom user IDs or other nonstandard access to cloud apps must be reviewed by the IT security officer, and a responsible party in the department be appointed to ensure conformity to policy.

In exchange for this cooperation, IT should agree to make this support a priority, and develop one or two gurus who can provide IT data governance guidance on short notice.

Getting buy-in on these compromises may come down to a carrot-and-stick approach: On the stick side, IT can simply say, "You're on your own," and invalidate shadow apps and cloud data by simply replacing them, with or without the users' approval. On the carrot side, IT can invite those power users to the table, not only by offering support in exchange for conformity to standards, but also by including them in news and events concerning adoption of a new cloud technology and data management policy.
