
What is Shadow IT?

Shadow IT is the use of Information Technology assets, such as devices, software, applications or services that are not authorized or tracked by the organization’s IT department.

In recent years, many organizations have adopted cloud-based applications and services. Some companies also allow employees to use their own devices for work – a practice known as Bring Your Own Device (BYOD). Individual functional or business units may also set up their own cloud applications to meet specific needs that the IT department either doesn’t know about or can’t meet fast enough. Shadow IT has grown exponentially as a result of these developments.

Shadow IT enables employees to leverage the tools and apps they need to do their jobs better, and to improve their productivity and efficiency. Cloud applications in particular provide enhanced user experiences, performance and ease of use that many legacy IT-approved systems and applications do not provide. When teams can access and use such agile, cloud-native services, they can focus their energies on more strategic tasks, which in turn can drive greater innovation and competitiveness within the company. Many of these applications also support mobile and remote work, which is a business-critical requirement in the post-pandemic world. However, Shadow IT can also create serious security blind spots. Since Shadow IT resources are not tracked, managed or secured by the IT team, they make the organization vulnerable to cyberattacks, data leaks, and potential compliance violations.

Different Elements of Shadow IT

In many cases, IT departments are not even aware that employees are using Shadow IT resources. These include:

  • Hardware: Unsanctioned PCs, laptops, mobile devices, etc.
  • Software: Off-the-shelf packaged software, illegal downloads, unauthorized upgrades or patches, etc.
  • Cloud services: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)
  • Applications (on-premise or cloud-based): Excel or Word macros, Skype, Google Docs, etc.
  • Cloud storage: Dropbox, Google Drive, etc.
  • Personal email accounts used for work purposes

Why Do Employees Use Shadow IT?

In one survey, 80% of employees said that they use applications that are not approved by IT. These choices are not always malicious or intended to harm the organization. Sometimes organizations don’t provide the technologies that users require to fulfill their job requirements. At other times, employees need a particular application, but the approval and provisioning process is too slow. To make their jobs easier, employees turn to Shadow IT.

These can be big challenges, particularly in companies that focus on rapid software development, continuous innovation, and short release cycles. Their employees may need new tools quickly, but don’t want to wait for IT to complete the vetting and approval process. As a result, they end up downloading, installing and using Shadow IT applications, even if these resources are not approved by the IT department.

The Benefits of Shadow IT

Shadow IT resources enable employees to improve work productivity, collaborate with co-workers, and speed up the delivery of critical work deliverables. The organization can also benefit from Shadow IT. When users can choose the tools they need, the solutions usually align better with business goals.

Further, if they have the tools they need, employees spend more time getting things done and less time looking for workarounds or waiting for approvals. This can have a positive impact on their effectiveness, engagement, satisfaction and retention.

Shadow IT can also reduce the IT team’s workload. Instead of getting swamped in help desk tickets and user requests for new solutions, they can focus on other mission-critical tasks and innovation projects that deliver greater business value.

The Security Risks of Shadow IT

When employees use non-sanctioned applications and devices, they introduce numerous risks into the enterprise. These include:

Lack of Visibility Expands the Cyberattack Surface

Shadow IT resources lie outside the enterprise security perimeter, which means that they’re often exposed to the Internet without adequate security to keep bad actors out. This expands the attack surface and increases the risk of cyberattacks, account compromise, lateral movement, cyber hijacking, and other kinds of serious security events.

Risk of Data Breaches and Losses

All organizations have information that they need to protect. It becomes harder to protect this information from malicious external actors if it is stored in locations outside the company’s control.

Employees who use Shadow IT resources and leave the organization at some point also create problems. They may have used applications or services unknown to the IT department and their team members. So once the employee leaves, their colleagues may not be able to access the Shadow IT resources or the critical data stored on them.

App Sprawl and System Inefficiencies

As more and more applications are included in the Shadow IT ecosystem, costs rise, system inefficiencies appear, and the administrative burden on IT grows. Moreover, such applications are not a priority for security updates or monitoring, which, again, introduces security risks into the enterprise and gives hackers a way into the IT stack. Over time, app sprawl also slows down innovation, creates confusion, and affects org-wide efficiency and productivity.

Data Exfiltration through File Sharing

Some file sharing tools allow users to override normal security policies, which increases the risk of data exfiltration and breaches. Users may mistakenly email sensitive files or data, or accidentally share them on social media without realizing that the information is at risk of leakage, compromise, or theft.

In addition to the security risks highlighted above, Shadow IT also increases the risk of non-compliance, which is an especially big concern for regulated industries like healthcare and financial services. Organizations in such industries must do additional audits to ensure that they remain compliant because non-compliance can incur hefty fines, damage the company’s reputation, and affect its financial position.

How to Manage Shadow IT

There are several strategies that any firm can use to effectively manage Shadow IT and contain its risks:

Assess Risks

Not all Shadow IT technologies and devices pose the same threat to enterprise security. By regularly assessing the Shadow IT resources used in the workplace, organizations can better understand the risks they face, and take appropriate action to mitigate or eliminate these risks.

Implement Strong Security

Security solutions like OneLogin Single Sign-on (SSO) can help plug the security gaps created by Shadow IT. SSO enables users to access all their apps – whether in the cloud or behind a firewall – with one-click access. If users want to add their Shadow IT applications to the SSO portal they will have to go through IT to do so. IT will then know about these applications and be better able to monitor them. IT can also leverage security solutions to monitor IT usage patterns and identify anomalous or suspicious network activities. They can also keep an eye on unexpected or potentially suspicious IT-related purchases, unplanned or unauthorized workload migrations, etc. They can thus tighten security and stop Shadow IT if it endangers the organization’s assets or data.

Inventory and Categorize Shadow IT Resources

To improve its visibility into Shadow IT, the IT team should discover the various resources being used in the organization. It’s also important to categorize these assets as:

  • Sanctioned: Assets that can be used without harming the organization
  • Authorized: Assets that are not yet sanctioned by IT. However, their risks are either not apparent or non-existent, so users may use these assets
  • Prohibited: Assets that are potentially dangerous to the organization and must not be used

Once this list is compiled, it’s easier to make decisions to deal with the various Shadow IT resources. For example, IT may decide that a particular device does no harm to the organization, so it can be moved to the sanctioned list. But another service may be deemed too risky, and therefore may be added to the prohibited list. It’s crucial to inform employees about these lists, so they can help the IT team reduce security risks. It’s also important to regularly review and update these lists as more resources come under the Shadow IT umbrella.
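As an added example (not OneLogin code or anything from this page), the script below shows how the monitoring and inventory steps above can be joined: it reads constructed web-proxy log lines in a hypothetical `timestamp user destination-host status` format, maps each destination to the page’s sanctioned / authorized / prohibited buckets (the inventory contents are assumed), and flags prohibited use plus unknown services that several distinct users have reached, which are the candidates IT should review and categorize.

```python
# Shadow IT discovery from web-proxy logs (added example, not OneLogin code).
# Assumed log format (hypothetical): '<timestamp> <user> <destination-host> <status>'.
from collections import defaultdict

# Hypothetical inventory using the page's three buckets; anything else is "unknown".
INVENTORY = {
    "sanctioned": {"mail.corp.example", "sso.corp.example"},
    "authorized": {"docs.google.com"},
    "prohibited": {"pastebin.com"},
}

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice mail.corp.example 200
2024-03-01T09:01:12Z bob docs.google.com 200
2024-03-01T09:02:45Z carol www.dropbox.com 200
2024-03-01T09:03:30Z dave www.dropbox.com 200
2024-03-01T09:04:02Z erin pastebin.com 200
malformed line that the parser must skip
"""

def categorize(host):
    """Return the inventory bucket for a host, or 'unknown' if it is not listed."""
    for bucket, hosts in INVENTORY.items():
        if host in hosts:
            return bucket
    return "unknown"

def parse_log(text):
    """Yield (user, host) pairs; skip lines that do not have exactly four fields."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[1], fields[2].lower()

def discover_shadow_it(text, min_users=2):
    """Aggregate distinct users per host; 'block' prohibited hosts, 'review' unknown
    hosts reached by at least min_users distinct users, 'none' otherwise."""
    users_by_host = defaultdict(set)
    for user, host in parse_log(text):
        users_by_host[host].add(user)
    report = {}
    for host, users in sorted(users_by_host.items()):
        category = categorize(host)
        if category == "prohibited":
            action = "block"
        elif category == "unknown" and len(users) >= min_users:
            action = "review"
        else:
            action = "none"
        report[host] = {"category": category, "users": sorted(users), "action": action}
    return report
```

Hosts reported with action `review` are the ones to add to the inventory after assessment, so the unknown bucket shrinks on every run.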

Streamline IT Governance

The governance structure should enable the IT department to rapidly vet and provision new tools to meet user requirements and support greater innovation – without weakening security. By encouraging business users to build a case for a new tool, the IT team can get better visibility into requirements and also assess its potential security risk. If they approve the new tool, they can then work with users to determine the appropriate levels of access, best practices to use it safely, etc.

Educate Users

Employees don’t always realize that they’re introducing risk with Shadow IT. That’s why it’s important to educate them about these risks, and how they can help minimize them. The IT team should also clearly state what is off-limits, and explain how users can meet their technology requirements without bypassing established governance protocols. Open communication between employees and IT will ensure that the technology needs of users are met without compromising the organization’s security.

Conclusion

Shadow IT isn’t all bad. It can help improve employee productivity and efficiency, and create a beneficial culture of disruptive innovation. But if left unchecked, it can also introduce serious security gaps that may lead to cyberattacks or data hacks. To ensure that Shadow IT creates more opportunities and fewer risks, organizations must manage it well. By understanding their Shadow IT exposure, they can meet the needs of users, increase morale, and drive improvements without compromising security or compliance.
