How to Balance Developer Autonomy and Organizational Security
May 07, 2024

Karthik Krishnaswamy
ngrok

Gartner predicts that 75% of employees will acquire, modify, or create technology outside IT's visibility by 2027. That statistic is staggering, but it's not new. Developers inherently want to use the best, most efficient tool for the task, even if it's not within the company's approved tech stack. While this certainly isn't malicious, tools used without the knowledge or approval of the IT department can introduce security risks because they aren't vetted, monitored, or updated, making them prime targets for attack.

To date, companies have attempted to enforce strict policies around the use of technology. However, these policies are routinely ignored, causing nearly 7 in 10 organizations to be compromised by shadow IT from 2021 to 2022. To combat this, companies must find a way to let developers choose their tools while ensuring that those tools are properly vetted and securely integrated with the rest of the stack.

Democratizing Access, Not Security

Instead of letting shadow IT run rampant, companies should leverage Platform Ops teams to democratize access to secure tools. This requires that they stay up to date with the best tools, vet them for security and scalability, and curate a broad selection for developers to choose from. There are a variety of ways to operationalize this, including leveraging an internal developer platform (IDP), which lets developers choose their preferred tools with the knowledge that they will integrate seamlessly with existing workflows and access protocols.

This approach reduces shadow IT and bridges the gap between developer autonomy and organizational security. Developers are empowered to take ownership of how they complete their work and the tools they choose, which results in faster development cycles and a better developer experience. And companies are able to maintain a strong security posture through pre-approved tools and frameworks.

How to Build a Strong Culture of Internal Self-Service

Internal self-service lets developers select from a curated catalog of pre-approved tools and services without requiring explicit approval from a central authority for each tool they wish to use. This approach empowers developers to quickly access the tools they need to be productive while ensuring compliance with organizational standards and security policies. Companies transitioning to this model from a traditional top-down approach may require a cultural shift to be successful.

Here are three things Platform Ops teams should prioritize to build a culture of internal self-service:

Harness the developer voice: When it comes to the latest and greatest tools, developers are a company's most valuable source of information. They are often the early adopters of new technology and will tinker with tools before forming an opinion. Create a way for developers to safely try new tools (think a development sandbox that doesn't include proprietary information or customer data) and streamline the process for them to make recommendations.

Consider an internal developer platform: An IDP is a set of tools, services, and infrastructure that streamlines and enhances the software development process. It can include a wide range of developer tools and frameworks for programming languages, databases, testing, debugging, monitoring, and ingress, so developers can easily access the technology they need to do their jobs.

Centralize access and management: Platform Ops teams should enforce security policies and compliance requirements, including access controls, code scanning, and compliance checks, to reduce the risk of breaches and non-compliance. This may include integrating tools with an identity and management system and using single sign-on, role-based access controls, and just-in-time access.

Platform Ops is Setting the Standard for Self-Service Security

The fact that Gartner expects shadow IT to grow from 41% to 75% by 2027 proves that limiting access to tools doesn't mean they won't be used, just that they won't be secured. Platform Ops teams have the power to change these statistics by offering a range of approved tools for developers to use throughout the software development lifecycle.

If your company is considering adopting an internal self-service model, start by asking your developers what tools they love for networking, testing, and debugging. Chances are, you can transition to an enterprise version of the tools they're already using to add security and access policies without impacting established workflows. Your developers will be happy and you'll get to gloat that you're part of the 30% of companies not compromised by shadow IT.

Karthik Krishnaswamy is Head of Product Marketing at ngrok