During my college years, I worked for a major US airline. It was a great job but could get a little rough when faced with cancellations, overbookings, missed connections, etc. However, when faced with challenging situations I was always very calm. I recognized the passengers emotions associated with the situation were mostly because they had somewhere to be: vacation, home, a graduation, a wedding, perhaps even a funeral.

I had to do my best to get them where they needed to be and a number of times I operated outside the box and broke a rule or two. I did not always know what to do and sometimes made mistakes. But my goal was to support the customer and my mantra was “it’s easier to ask forgiveness then to get permission.”

The Rise of Shadow IT – Blame the Navy

“It’s easier to ask forgiveness than it is to get permission”, is a quote attributed to Grace Hopper, Rear Admiral U.S Navy. Hopper developed the first programming language compiler as well as a number of other significant achievements during her Naval career. In a way I think her quote is very representative of my airline career and Shadow IT.

IT “Called” the Shots

There was a time when IT was the keeper of all things (compute, network, storage). Getting a resource was a process of paper, purchase, procure, process, plan, prepare, and on, and on, and on. Your project needed time built into it for those processes and procedures. These processes and procedures are important to corporate accounting, security and resource management. However with Cloud services you can get the resource you need whenever you want it – and not have to worry about any of the corporate guidelines. Pay with a credit card, submit an expense report, and you’re ready to go.

This ability has given rise to the dichotomy of “just get it done”, but “within the guidelines of corporate processes.” The former is the driver of Shadow IT and the latter can be solved with Cisco Cloud Consumption & Cisco Intercloud Fabric and turn dichotomy into harmony. Here’s how. 

Find and Identify Shadow IT

The first challenge is to identify what cloud services your organization is using – which I guarantee will be more than you are aware. As much as 15-22 times more. Cisco Cloud Consumption Services can help organizations discover and monitor cloud services.

Cisco Hybrid Cloud Architecture
Cisco Hybrid Cloud Architecture – Shadow IT Control

Provide Unlimited Cloud Resources

With a clear picture of cloud use, organizations can then harness Intercloud Fabric to add unlimited cloud resources to their enterprise datacenters and have those resources work like they are actually in the datacenter. Through Intercloud Fabric’s secure network extension, security policy capabilities, workload on-boarding, and user portal, Shadow IT can potentially be eliminated.

InterCloud Fabric enables IT to add unlimited Cloud resources to the enterprise datacenter. Through secure network extension, enterprise VLANs and IP addressing can be utilized by cloud VMs allowing access to enterprise resources (DNS, AD/LDAP, DBs, load balancers, etc.) from the Cloud.

Utilizing Internet connectivity to the cloud provider or a provider specific link (e.g. AWS Direct Connect, Azure Express Route) Intercloud Fabric forms an encrypted link between the enterprise and the Cloud. The levels of encryption and the transport protocol can be adjusted to suit the needs of the enterprise.

Enforce Security Policies

Cloud security is only as good as the cloud provider provides. InterCloud Fabric provides implicit workload security. Virtual machines (VM) communicate securely via an encrypted enterprise to cloud connection, the InterCloud Fabric site-to-site connection and with the InterCloud Switch via the encrypted access tunnel, access to the VM interfaces is only allowed through the network overlay interface and never through the VMs public facing cloud interface. No data ever moves between the enterprise and the Cloud or within the Cloud unencrypted.

Corral Rouge Virtual Machines

Shadow IT is not resolved just by creating a secure extension, existing Cloud workloads, need to be brought into the InterCloud Fabric secure extension. VM on boarding is a process that allows for existing Cloud VMs to be added to the Intercloud Fabric secure extension. The Intercloud Fabric secure extension utilizes an Intercloud adapter; a combination of SSH along with network overlay technology to securely communicate with Cloud VMs. By placing the Intercloud Adapter on existing Cloud VMs, those VMs will be able to communicate to the enterprise datacenter via the secure extension.

User Access

To complete InterCloud Fabric’s ability to defeat Shadow IT, a user portal giving the user access to instantiate, migrate, terminate, on board, and manage VM power is included in InterCloud Fabric. The user portal with the ability to manage VMs in a consistent manner across all connected cloud providers would be sufficient in itself, however the user portal is also completely API accessible. Every user operation has a corresponding REST API. The power of the InterCloud Fabric REST API is shown by creating VM management scripts that function the same way regardless of which provider the VM resides. Cloud providers may have their own API calls for VM management or no API at all. InterCloud Fabric VM management REST APIs are consistent across all cloud providers, abstracting the existing cloud provider APIs or providing VM management APIs where none existed previously. The Intercloud Fabric REST APIs can also be integrated into existing enterprise orchestration.

Bringing it ALL Together

Through the use of Intercloud Fabric features and proper planning enterprise IT organizations can offer the on-demand Cloud resources that users are looking for but still maintain corporate policies without burdening the user with the application of those polices.

There are several side benefits to utilizing Intercloud Fabric for Shadow IT control.

  • Consolidation of Cloud Service Accounts – If the users are already expensing their consumed cloud services separately, consolidating these accounts gives the enterprise visibility into Cloud utilization and potentially the ability to negotiate provider rates or take advantage of bulk purchasing based on projected utilization.
  • Workload Image Control – Users may be utilizing images for their VMs that are not correctly licensed, patched or compliant with corporate policy. Intercloud Fabric image management enables the users to instantiate IT provided images in the cloud.
  • Enterprise Datacenter Augmentation – Intercloud Fabric is a means to securely extend enterprise networking to the Cloud, however Intercloud Fabric can provide the enterprise an awareness of when they need to augment their existing datacenter. Cloud resource utilization may not always be the answer for long running applications or significant amounts of cloud resource utilization. Enterprises can determine a cost benefit ratio that makes sense for them, to determine when it is appropriate to continue to utilize cloud or to augment their datacenter resources and migrate Intercloud Fabric workloads to the enterprise.

So what can IT do to address Shadow IT? Led by @CiscoCloud, Ray Wang, principle analyst from Constellation Research, Bob Dimicco, leader of Cisco’s Cloud Consumption Service Practice, along with Ken Hankoff, leader of Cisco IT’s Cloud Application and Service Provider Remediation (CASPR) Group,  will answerquestions and field responses regarding managing Shadow IT from our online community during a #CiscoChat on Tuesday, September 22 at 10:00 a.m. PDT/1:00 p.m. EDT.

Be sure to join us during the upcoming #CiscoChat to gain more insights, post questions and get the answers you need to cast some light on this critical subject.

Thanks for reading, tweeting, liking, inning, pinning, gramming, etc… 


John McDonough

Developer Advocate