How to Balance Developer Autonomy and Organizational Security
May 07, 2024

Karthik Krishnaswamy

Gartner predicts that 75% of employees will acquire, modify, or create technology outside IT's visibility by 2027. That statistic is staggering, but it's not new. Developers inherently want to use the best, most efficient tool for the task, even if it's not within the company's approved tech stack. While this certainly isn't malicious, tools used without the knowledge or approval of the IT department can introduce security risks because they aren't vetted, monitored, or updated, making them prime targets for attack.

To date, companies have attempted to enforce strict policies around the use of technology. However, these policies are routinely ignored, which led to nearly 7 in 10 organizations being compromised by shadow IT from 2021 to 2022. To combat this, companies must find a way to let developers choose their tools while ensuring that those tools are properly vetted and securely integrated with the rest of the stack.

Democratizing Access, Not Security

Instead of letting shadow IT run rampant, companies should leverage Platform Ops teams to democratize access to secure tools. This requires that they stay up to date with the best tools, vet them for security and scalability, and curate a broad selection for developers to choose from. There are a variety of ways to operationalize this, including leveraging an internal developer platform (IDP), which lets developers choose their preferred tools with the knowledge that they will integrate seamlessly with existing workflows and access protocols.

This approach reduces shadow IT and bridges the gap between developer autonomy and organizational security. Developers are empowered to take ownership of how they complete their work and the tools they choose, which results in faster development cycles and a better developer experience. And companies are able to maintain a strong security posture through pre-approved tools and frameworks.

How to Build a Strong Culture of Internal Self-Service

Internal self-service lets developers select from a curated catalog of pre-approved tools and services without requiring explicit approval from a central authority for each tool they wish to use. This approach empowers developers to quickly access the tools they need to be productive while ensuring compliance with organizational standards and security policies. Companies transitioning to this model from a traditional top-down approach may require a cultural shift to be successful.

Here are three things Platform Ops teams should prioritize to build a culture of internal self-service:

Harness the developer voice: When it comes to the latest and greatest tools, developers are a company's most valuable source of information. They are often the early adopters of new technology and will tinker with tools before forming an opinion. Create a way for developers to safely try new tools (think a development sandbox that doesn't include proprietary information or customer data) and streamline the process for them to make recommendations.

Consider an internal developer platform: An IDP is a set of tools, services, and infrastructure that streamlines and enhances the software development process. It can include a wide range of developer tools and frameworks for programming languages, databases, testing, debugging, monitoring, and ingress, so developers can easily access the technology they need to do their jobs.

Centralize access and management: Platform Ops teams should enforce security policies and compliance requirements, including access controls, code scanning, and compliance checks, to reduce the risk of breaches and non-compliance. This may include integrating tools with an identity and access management system and using single sign-on, role-based access controls, and just-in-time access.

Platform Ops is Setting the Standard for Self-Service Security

The fact that Gartner expects shadow IT to grow from 41% to 75% by 2027 proves that limiting access to tools doesn't mean they won't be used, just that they won't be secured. Platform Ops teams have the power to change these statistics by offering a range of approved tools for developers to use throughout the software development lifecycle.

If your company is considering adopting an internal self-service model, start by asking your developers what tools they love for networking, testing, and debugging. Chances are, you can transition to an enterprise version of the tools they're already using to add security and access policies without impacting established workflows. Your developers will be happy and you'll get to gloat that you're part of the 30% of companies not compromised by shadow IT.

Karthik Krishnaswamy is Head of Product Marketing at ngrok