When an organization is growing rapidly and the business is expanding, your IT assets (hardware, applications, processes) tend to follow the same path to meet the business's growing and “urgent” needs. You start letting more and more exceptions through and signing off on special approvals. Gradually, exceptions become the standard in your IT organization. When an IT asset is tagged as an exception or a “special case”, it slips under the radar of any attempt to manage and control it. You gradually end up with half of your IT assets unaccounted for, exposing your organization to all kinds of risk: financial risk (paying for services you do not use), operational risk (using EoL tools), regulatory risk (not paying for expired versions), etc. This is what we call IT proliferation.
How to deal with IT proliferation?
Here are a few recommendations.
First, make the rules and stick to them.
It is not a bad thing to be the bad guy for the good of everyone. In this world of IT temptation, multiple options, and cheap services just a click away, it is almost impossible to please everyone. So, don't try to be the nice guy.
Second, make sure every asset has an owner. Why?
Think of cars. Have you ever wondered why even big cities with millions of cars do not have any problem tracking cars and making sure they are compliant with city rules? Simple: every car is assigned a unique number, one owner, and a unique registered address. If you can get each and every asset assigned to one accountable owner, give it a unique identifier, and define its users, you can track and manage it. Of course, this can't be done if you do not have a patrol. Your firewalls, your gateway, and Active Directory are your patrol. Any asset that is not compliant should not pass through these checks.
For example, you can set your firewall to block any application from sending/receiving or accessing your system if it is not compliant with your identification and ownership rules. The owner is responsible and accountable for all compliance, be it patching, licensing, contractual agreements, etc.
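One way to turn the identification and ownership rules into a check that a gateway or firewall policy could consume is sketched below; it is an added example, not part of the original article. The inventory records, field names (`asset_id`, `owners`, `users`) and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample inventory (not real data); field names are assumptions.
INVENTORY = [
    {"asset_id": "APP-001", "name": "payroll", "owners": ["alice"], "users": ["hr-team"]},
    {"asset_id": "APP-002", "name": "wiki", "owners": [], "users": ["all-staff"]},
    {"asset_id": "APP-003", "name": "crm", "owners": ["bob", "carol"], "users": ["sales"]},
    {"asset_id": "APP-004", "name": "legacy-ftp", "owners": ["dave"], "users": []},
    {"asset_id": "APP-001", "name": "payroll-copy", "owners": ["erin"], "users": ["hr-team"]},
    {"asset_id": "", "name": "shadow-saas", "owners": ["frank"], "users": ["marketing"]},
    {"asset_id": "APP-005", "name": "mail", "owners": ["grace"], "users": ["all-staff"]},
]


def audit(inventory):
    """Return {asset name: [violations]} for assets that break the rules:
    a unique identifier, exactly one accountable owner, defined users."""
    id_counts = Counter(a.get("asset_id", "") for a in inventory)
    findings = {}
    for asset in inventory:
        problems = []
        asset_id = asset.get("asset_id", "")
        if not asset_id:
            problems.append("missing identifier")
        elif id_counts[asset_id] > 1:
            # Every record sharing the identifier is flagged, since the
            # inventory alone cannot say which one is the legitimate asset.
            problems.append("identifier not unique")
        owners = asset.get("owners", [])
        if len(owners) != 1:
            problems.append(f"expected 1 accountable owner, found {len(owners)}")
        if not asset.get("users"):
            problems.append("no defined users")
        if problems:
            findings[asset["name"]] = problems
    return findings


def gate_decisions(inventory):
    """Default-deny: only assets with no findings are allowed through."""
    findings = audit(inventory)
    return {a["name"]: "deny" if a["name"] in findings else "allow" for a in inventory}


if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        print(f"DENY {name}: {'; '.join(problems)}")
```

The findings also give each owner a concrete list of what to fix before the asset is let back through.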
Ownership is key: it puts pressure on owners and, at the same time, motivates them to look after their assets in terms of processes, management, and maintenance. This can also be linked to performance evaluation and reward systems.