Prevent Shadow IT by Modernizing Internal Services

In 2020, both digitally native and traditional enterprises had to rapidly upgrade their internal IT services to meet the needs of an all-remote workforce.

Prior to 2020, many enterprises already had the building blocks of a remote work toolset: email, online office suites, file sync, and web conferencing. Often, however, these tools were a patchwork of solutions from different providers, or worse, a proliferation of shadow IT in which employees use personal Dropbox, iCloud, Google, or Microsoft accounts for work.

Shadow IT creeps into an organization when its internal services are so outdated that users find it quicker to store and share work documents through their personal cloud accounts. Although most organizations’ Acceptable Use Policies (AUP) require employees to use only work-issued accounts on the job, such policies are difficult to enforce in practice.

Improve Data Governance by Eliminating Shadow IT

Technologies such as Data Loss Prevention (DLP) agents can run on endpoints to detect and alert when sensitive data (e.g. Personally Identifiable Information, or PII) leaves corporate computers, but a DLP deployment treats the symptom: it does nothing to address the root cause of non-compliance.

Most employees do not move data off company computers out of malice or an intent to breach internal policy. It is usually a last resort, because the collaboration tools provided by the IT department are less user friendly than the modern, cloud-based ecosystem of apps available to anyone with a free email account.

As an IT leader, the most effective way to consolidate business-sensitive data onto systems you manage and control is to offer your employees a suite of tools that matches or surpasses the functionality of G Suite or Microsoft 365. Only once you have accomplished this can you be confident that:

  • User accounts are protected by strong authentication, ideally two-factor authentication (2FA) enforced for every user
  • Audit logs record who accessed, shared and edited each document
  • Management has visibility into the data the company retains
  • Data is backed up according to your organization’s retention policies
  • Access can be revoked from lost or stolen devices and from departing employees

With the recent EU Court of Justice (CJEU) decision striking down the EU-US Privacy Shield (Schrems II, July 2020), organizations should stop handling EU personal data on US-based cloud services, especially hosted services, as soon as possible. In the United States, Section 702 of FISA (added by the FISA Amendments Act of 2008) allows the US government to compel US-based “electronic communication service providers” to hand over their users’ data, even when that data is stored outside the US.

Although the real-world implications of the decision are still not completely clear, the EU is effectively putting the US on notice that the self-certification regime of the Privacy Shield was insufficient to permit transfers of EU personal data to the US. Standard Contractual Clauses (SCCs) between the data exporter and the data importer remain valid in principle, but the court held that the exporter must verify, case by case, that the importer can actually honour them under local law, and must suspend the transfer if it cannot.

Self-Hosted Alternatives to Cloud-Based Business Applications

It is therefore advisable to use a European-based hosting service to store and process European customer data. Self-hosted replacements for popular services such as Dropbox, Gmail, and Google Docs are readily available, and they can be hosted entirely in European owned and operated data centers. Many of the self-hosted alternatives below are developed in Europe, with the needs of European enterprises in mind.

  • Nextcloud (Germany) – replacement for Box, Dropbox, Google Drive, OneDrive
  • Mailcow (Germany) – replacement for Gmail, Outlook, web host or ISP email
  • OnlyOffice (Latvia) – replacement for Google Docs and Microsoft 365
  • Mautic (US / Czech Republic) – replacement for HubSpot, Pardot, Marketo
  • Matomo (New Zealand) – replacement for Google Analytics
  • Rocket.Chat (Brazil) – replacement for Slack, Microsoft Teams, Discord
  • Jitsi Meet (US) – replacement for Zoom, Google Meet, Microsoft Teams

European companies may be able to host their data lawfully in the European regions of a cloud provider whose parent company is in the US, provided the provider operates through an EU subsidiary that is beyond the reach of FISA 702 and bound by the GDPR not to hand data to the US government. It remains to be seen whether the major cloud providers (AWS, Microsoft Azure and Google Cloud) will restructure their IaaS and PaaS divisions and update their terms of service to meet this requirement definitively.

Taking back control with self-hosted applications is rewarding, but it can look insurmountable to overstretched IT departments supporting more remote users with fewer resources. Fortunately, at a time when most enterprises must “do more with less”, the ongoing cost savings of switching to open source business applications can justify the initial setup and migration cost. Unlike their commercial counterparts, the community editions of open source business applications are not licensed per user, so you only pay for the storage and servers you need, plus any optional support subscription.

The Autoize team brings a wealth of experience deploying and migrating open source business apps for organizations ranging from small businesses to Fortune 1000 companies. It’s time to stop delaying the inevitable and provide collaboration tools that your users will love to use. Migrate from G Suite or Microsoft 365 to Nextcloud and OnlyOffice hosted in a data center that meets your compliance needs.