Solving the Shadow IT Database Problem

What is Shadow IT?

If you walk the halls of your development wing (or browse their Slack channels), you might find that your organization is running far more databases than you think. They aren’t in your CMDB, they aren’t being backed up by your central backup solution, and they weren’t provisioned by your team. They are running in the public cloud, paid for with a personal credit card or a discretionary project budget.

This is the reality of “Shadow IT.” For years, we have treated this as a discipline problem—a failure of policy adherence. But if we are honest, it is actually a failure of service delivery. Developers don’t bypass IT because they are malicious; they do it because they are blocked. When the choice is between waiting two weeks for a ticket to be processed or swiping a card to get a database in two minutes, speed often wins.

The cost of this convenience, however, is massive corporate risk. Every “shadow” database represents a compliance blind spot. Is that PostgreSQL instance encrypted? Is it patched against the latest CVE? Is sensitive customer data being stored in a region that violates data sovereignty laws? In a zero-trust world, you cannot secure what you cannot see.

The “Best of Both Worlds” Approach

The solution is not to crack down harder with draconian policies, which only drives Shadow IT further underground. The solution is to make your internal platform as easy to consume as the public cloud. This is the core philosophy behind VMware Data Services Manager (DSM).

By deploying DSM as a native VMware Cloud Foundation (VCF) Advanced Service, you can offer your developers the exact same API-driven, self-service experience they get from AWS or Azure, but on your own infrastructure. They get their database in minutes, self-provisioned from a catalog you control. They get the agility they demand, which removes the incentive to go outside the official channels.

Governance by Design: The Guardrail Model

While developers get speed, IT gets control through “Data Service Policies.” Instead of manually approving every request, you define the boundaries of the playground upfront. You set the policies for backup frequency, maintenance windows, storage classes, and compute limits. When a developer requests a database, they can only provision within those pre-approved guardrails.

This effectively automates compliance. You can ensure that every single database deployed in your environment—whether it’s for a dev/test sandbox or a mission-critical app—adheres to your corporate security standards by default. There are no “rogue” instances because the platform itself enforces the rules.

Zero Trust and Infrastructure Integration

Bringing these databases back on-premises via VCF also closes the security gaps inherent in public cloud sprawl. DSM integrates directly with VCF’s security architecture, allowing you to wrap databases in NSX microsegmentation rules automatically. You can isolate workloads at the network level, ensuring that a compromised web front-end cannot arbitrarily scan your entire database fleet.

Furthermore, you eliminate the “compliance blind spots” that keep CISOs up at night. With DSM, you have a centralized view of your entire fleet. You know exactly what versions are running, who owns them, and their patch status. You can audit usage and enforce upgrades without chasing down individual project owners.

The Strategic Pivot

Ultimately, solving the Shadow IT problem requires a shift in mindset. You must move from being a “Gatekeeper” who slows things down to a “Platform Provider” who speeds things up.

By adopting VMware Data Services Manager, you align the goals of Dev and Ops. Developers get the velocity to innovate, and the business gets the security, governance, and cost control of a private cloud. You aren’t just bringing data back on-premises; you are bringing the cloud operating model to your data.

Read more blogs in this ongoing series about VMware Data Services Manager for IT practitioners and managers. 

Recent posts include: 

The 75% Productivity Gain: Moving to Policy-Based Database Management
Focuses on the pain of manual ticketing and provisioning. Explains how DSM automates Day 2 operations like patching and scaling, providing cloud-like agility on-premises.

The CFO’s Case for On-Premises DBaaS: Repatriation and Cost Control
Analyzes the financial imperative of modernizing private cloud to cut TCO. Discusses leveraging capitalized assets to eliminate egress fees and licensing premiums.

“Infrastructure as Code” for Databases: A Guide for Platform Engineers
Explores DSM’s API-first architecture and integration with VCF Automation for CI/CD pipelines, enabling developers to self-serve compliant databases.
