It’s quietly lurking in dark recesses of data centers of all sizes. In the back of our minds, we know the odds are that it exists in our facilities, but deep down we want to believe it’s no big deal. Shadow IT is quietly putting our operations at risk, creating new security threats and introducing considerable waste into data operations. Not only is it more prevalent than most businesses realize, it also costs more than they think.
Shadow IT is hardware, software and databases that have not followed company-established protocols. Instead, it is created and deployed without the awareness of executive management or the company’s IT department. No one intends to create an ecosystem where shadow IT can hide, but it develops over time. It’s important to understand both the impact and the risks shadow IT presents to data center operations as well as, on the physical layer, how it can be uncovered and eliminated.
How Shadow IT Infiltrates the Company
Depending on their structure, midsize and large companies often have an overarching IT-governance department that ensures all IT hardware devices, software and so on conform to security, licensing, asset-life-cycle management and other requirements. Other “non-IT” departments often have their own IT guru who serves as the “go-to person” for customizing internal software, specialized printers, websites or even spreadsheets for the department. These departments may need some quick and flexible development of products and services that are difficult to execute when approval from IT governance is required.
Considering the lengthy internal approval process of some organizations, these individual departments may decide to covertly create their own servers, download software or set up their own database without IT governance review and approval—especially when it’s a small project or a time-sensitive situation. Although doing so might appear to be good for the company, it’s a slippery slope that opens up the entire database to greater risk. First and foremost, circumventing the process increases the organization’s vulnerability to security breaches and unauthorized access to sensitive data.
Beyond the top-line risks, the addition of rogue software and databases makes license management impossible and puts the organization in an embarrassing and costly position if caught exceeding the allowed number of users per license. Another risk is poor network performance owing to bottlenecks from numerous devices sending and receiving multiple data points. From a financial standpoint, accounting departments are unaware of these covert assets and their life-cycle status, causing errors and inaccuracies in bookkeeping.
Shadow IT’s Physical Impact on Data Centers
When rogue departments secretly add equipment to a data center, they are most often throwing the organization’s data center strategy out of alignment without even knowing it. At the physical level, the impact shadow IT has on a data center can cause compounding and potentially dangerous situations. The effects range from space issues and power and cooling-capacity needs to unexpected operating costs, and neighboring equipment becomes vulnerable to damage and outages if the added equipment is incorrectly racked or cabled. Major points of concern are poaching allocated cabinet space, circumventing circuit-protection best practices and sabotaging cabinet cooling strategies.
Poaching allocated cabinet space. To ensure IT equipment is racked in optimal locations, a central team (whether just one data center manager or a large team of technicians) responsible for data center management must be in place. As long as the data center management is aware of all future projects that add or subtract assets, they can properly plan where future equipment can be installed. Data center teams will reserve server cabinet “U” space using data center infrastructure management (DCIM) software or, at a bare minimum, create a spreadsheet and mark off cells that represent server-cabinet U’s as reserved. If a non-data-center team decides to install its own equipment, circumventing the reserved-space process, delays may occur if their equipment consumes space earmarked for another project. If a data center has plenty of empty cabinet space, this situation may not seem like a serious issue. But certain project requirements, such as the need for contiguous space, may jeopardize the success of other projects.
Circumventing circuit protection. An essential element of a data center manager’s responsibilities is to ensure all circuits avoid exceeding 80 percent of their maximum capacity, as dictated by electrical code. To maximize uptime, data center managers must also ensure that each server cabinet or network rack has redundant power sources, typically supplied by two electrical circuits so that if one loses power, the other can take on the full load. To ensure a failover is successful, rack and server-cabinet circuits are purposely limited to just 40 percent of their maximum capacity so that if one circuit takes on the entire load, it won’t exceed 80 percent. When departments circumvent the process and secretly rack their own equipment, they often overlook such precautions. As they plug in their shadow IT, they may be setting up a situation that exceeds this 40 percent capacity rule, and if a circuit failure occurs, all equipment in the cabinet can lose power. When revenue-generating applications are down, outages of this magnitude can cost millions of dollars and severely damage a company’s reputation.
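The 40 percent and 80 percent rule above can be checked per cabinet before and after a device is added. This is an added example, not part of the original article; the device names, the 30 A breaker rating and the amp figures are constructed, and it assumes a dual-corded device splits its draw evenly across both feeds.

```python
from dataclasses import dataclass

NORMAL_LIMIT = 0.40   # per-circuit planning limit from the article
CODE_LIMIT = 0.80     # ceiling a surviving circuit must stay under

@dataclass
class Device:
    name: str
    amps: float       # measured draw (constructed values below)
    feeds: tuple      # circuits it is plugged into: ("A",), ("B",) or ("A", "B")

def circuit_loads(devices, failed=None):
    """Amps per circuit; a dual-corded device splits its load until a feed fails."""
    loads = {"A": 0.0, "B": 0.0}
    for d in devices:
        live = [f for f in d.feeds if f != failed]
        for f in live:
            loads[f] += d.amps / len(live)
    return loads

def audit_cabinet(devices, breaker_amps):
    """Findings for normal operation and for the loss of either circuit."""
    findings = []
    for circuit, amps in circuit_loads(devices).items():
        if amps > NORMAL_LIMIT * breaker_amps:
            findings.append(f"normal: circuit {circuit} at {amps / breaker_amps:.0%}, over 40%")
    for failed, survivor in (("A", "B"), ("B", "A")):
        amps = circuit_loads(devices, failed)[survivor]
        if amps > CODE_LIMIT * breaker_amps:
            findings.append(f"{failed} fails: circuit {survivor} at {amps / breaker_amps:.0%}, over 80%")
        for d in devices:
            if d.feeds == (failed,):
                findings.append(f"{failed} fails: {d.name} has no second feed and goes down")
    return findings

# Constructed cabinet on two 30 A circuits
approved = [Device("db-01", 8.0, ("A", "B")),
            Device("db-02", 8.0, ("A", "B")),
            Device("sw-01", 4.0, ("A", "B"))]
shadow = Device("untagged-1u", 6.0, ("A",))   # single-corded, unapproved

if __name__ == "__main__":
    print(audit_cabinet(approved, 30) or "approved load: no findings")
    for finding in audit_cabinet(approved + [shadow], 30):
        print(finding)
```

With the approved load each circuit sits at 33 percent and a failover lands at 67 percent; the one unapproved single-corded device puts circuit A over the planning limit and over the 80 percent ceiling if circuit B is lost.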
Sabotaging cabinet cooling strategies. Server-cabinet power draw is directly correlated with heat generated by the cabinet’s equipment. Most data centers have a finite amount of cooling capacity, calculated as kilowatts per cabinet. Similar to managing circuit power loads, data center management will typically make sure the combined power rating of all equipment in each cabinet stays within that cabinet’s cooling limit. Another factor in ensuring server cabinets and racks remain cool is airflow. Often, data centers are designed with hot and cold aisles, where IT equipment draws in cool air from the cold aisle, heating it as it processes data. This heated air is ejected out the back of equipment into the hot aisle. Shadow IT is often racked without regard to the rack’s cooling limitations or airflow direction, however. If the power rating is exceeded, a cabinet may overheat and cause equipment failures. Incorrect airflow direction results in mixing of hot and cold air, reducing efficiency and wasting money.
Eliminating Shadow IT
Given the potential risks to available capacity reserved for other legitimate projects, companies plagued by shadow IT should make efforts to eliminate it from their data centers. Fortunately, they can employ several techniques that prevent shadow IT from infiltrating the organization.
First, restrict access to the data center. This step is a data center manager’s first line of defense. By limiting badge access to only those responsible for physically supporting the data center, adding equipment without being noticed becomes much harder. Often, anyone with an IT-related job title has badge access to the data center, but given today’s ability to remotely monitor and configure devices, systems and networks, such broad accessibility is harder to justify. In the rare event that network administrators need to physically work on a device, the data center team can escort and support them. Restricting access will eliminate nearly all new shadow IT from creeping into the data center.
In tandem with restricted access is updating and enforcing processes, policies and procedures that address shadow IT. An IT-equipment approval process should show all the steps required before any device is installed. Policies should clearly spell out that no one other than the data center team can rack and cable equipment. Procedures should also explain how other departments can request IT services. These processes, policies and procedures should then be distributed (and posted) companywide so that everyone understands the process.
Other ways to eliminate shadow IT include performing regularly scheduled walk-throughs and installing cameras in the data center. Walk-throughs should involve walking down each aisle and opening the cabinets. The equipment in the cabinets should then be compared with either a drawing or inventory list of all installed equipment. If something new suddenly appears, you can then investigate how it got in and who installed it. If walk-throughs are performed daily, the time frame of when the mystery device was installed can be narrowed down to just a day. Then, camera footage and badge-access records for 24 hours can yield a list of suspects.
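The walk-through comparison and the 24-hour narrowing described above can be scripted once the inventory list and badge records are exported. This is an added example, not part of the original article; the cabinet and U positions, asset tags, badge IDs and timestamps are all constructed, and the data layout is an assumption.

```python
from datetime import datetime

def reconcile(approved, walkthroughs):
    """approved maps (cabinet, U) -> asset tag; walkthroughs is a list of
    (timestamp, observed mapping), oldest first. Returns one finding per slot
    whose latest observation differs from the approved inventory."""
    slots = set(approved).union(*(obs for _, obs in walkthroughs))
    last_match, findings = {}, {}
    for when, observed in walkthroughs:
        for slot in sorted(slots):
            if observed.get(slot) == approved.get(slot):
                last_match[slot] = when
                findings.pop(slot, None)      # discrepancy was corrected
            elif slot not in findings:
                findings[slot] = {"slot": slot,
                                  "expected": approved.get(slot),
                                  "found": observed.get(slot),
                                  "window": (last_match.get(slot), when)}
    return list(findings.values())

def badges_in_window(badge_log, window):
    """Badge IDs with a door event between the last clean check and discovery."""
    start, end = window
    return sorted({badge for when, badge in badge_log
                   if (start is None or when >= start) and when <= end})

ts = datetime.fromisoformat
# Constructed data: approved inventory, two daily walk-throughs, door events
approved = {("C12", 20): "SRV-0418", ("C12", 22): "SRV-0419"}
walkthroughs = [
    (ts("2024-03-04T09:00"), dict(approved)),
    (ts("2024-03-05T09:00"), {**approved, ("C12", 30): "UNTAGGED"}),
]
badge_log = [
    (ts("2024-03-03T22:10"), "badge-1041"),
    (ts("2024-03-04T18:42"), "badge-2207"),
    (ts("2024-03-04T23:05"), "badge-1388"),
    (ts("2024-03-05T10:15"), "badge-1041"),
]

if __name__ == "__main__":
    for f in reconcile(approved, walkthroughs):
        print(f["slot"], f["found"], badges_in_window(badge_log, f["window"]))
```

The window for each finding runs from the last walk-through in which the slot matched the inventory to the one in which it did not, so a daily cadence bounds the badge and camera review to one day.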
Unfortunately, by restricting access, requiring preapproval and limiting who can rack and cable in the data center, organizational teams that need a test environment will suffer. To meet this unique set of needs, an IT sandbox isolated from the production environment should be considered. If demand for a test environment is small, this environment could be in an empty cubicle or on a workbench. If the demand is high, with multiple people requiring a test environment, the organization should consider creating a lab room, with server cabinets, additional power and cooling, dedicated to the development and test process. Through a lab room or IT sandbox, these teams will have the flexibility to continue their research and development without affecting the production data center.
Preventing the Transformation of Shadow IT
As time passes and the department need is satisfied, new approved software is implemented, or employees leave the company, shadow IT is forgotten and no longer serves a purpose. At this point, it morphs into zombies that sit idle, serving no purpose yet consuming data center space and power. Hidden in plain sight, these zombies drain valuable resources and continue to put data centers at risk. For IT managers, curbing shadow IT activities is an operational priority that leads to more efficient data centers.
About the Author
As Senior Data Center Manager at Parallel Technologies, Nate Josephs is the main client interface for projects pertaining to data center operations and outsourcing. A seasoned data center operations manager, Nate brings to the company more than 25 years of experience in data center development and management. Over the course of his career, he has managed multiple data centers totaling nearly 70,000 square feet. Nate has an undergraduate degree in business information systems from Bellevue University in Omaha, Nebraska.