Shadow IT

Don't do it!

Shadow IT isn’t a new thing. Any large corporation has seen it. Sometimes called “server under desk” or “production desktop”.

Sometimes it grows out of a personal project that started on a spare machine and that gradually morphed into a mission critical machine… but without any of the controls and tools normally associated with production infrastructure (patches, backups, DR, access admin, security scanning…).

Other times it grows out of a desire to do things quickly; all of those controls and tools take time and can hinder the developer experience. Let’s hack together something now and then migrate it later… except the migration never happens and that under-desk server stays forever.

We know this is bad, but it still happens. Central IT is frequently seen as more of an inhibitor than a facilitator.

Despite this, at least this shadow IT was within the corporate boundary; there was some level of protection provided by border firewalls.

The new Shadow IT

These days you don’t even need to rummage up an old desktop to turn it into a server. Just wave your corporate card at Amazon and, just like magic, you have a server. Two servers. Ten servers.

Now the situation is a lot worse. Not only are these unmanaged and uncontrolled servers, but they are also outside of your security perimeter. On the internet, facing attacks. Is your application secure against hacking? Do you have strong passwords? Did you turn off all unnecessary services? How long will it be before someone brute-forces your root account?

The result: data exposure. The personal data of 93 million Mexicans was exposed because of just this type of problem.

The first you may know about it is when your CEO is being contacted by the Wall Street Journal for a quote, or when Troy Hunt adds the data to Have I Been Pwned.

Shadow IT is pernicious. It is hard to stop. Instead, we need to lessen the incentive to do it: make it easier to obtain the resources in a controlled manner.

This is a culture change. Abstract away from the operating system and focus on what the developers need: a PaaS, obtainable by self-service processes; the ability to push code into dev and automate promotion to production; automated scanning, backup, resiliency… take all this off their plate and provide it at the click of a button.

Now there’s no need to wave your credit card at Amazon!