The recent increased adoption of SaaS applications, cloud infrastructure and hybrid platforms has triggered an unprecedented rate of innovation among organizations and the multiple business units (BUs) working within them. Services like Google Drive, OneDrive, DropBox and other cloud services can be easily set up and come with free tiers, making them appealing to employees who want to access certain data regardless of location and on any device, especially if they don’t have permission to do so with IT department approval.

This means that BUs can (and often do) bypass IT departments and provision new infrastructure without necessary approval or oversight. This activity can be described as “shadow IT” and is an emerging threat to your organization as businesses migrate to the cloud.

In this blog, we will dive deep into the world of shadow IT, explore its hidden dangers to cloud security and how Unitrends helps counter these risks.

What is shadow IT?

Shadow IT is the unsanctioned use of IT systems, devices, software, applications and services by a department or individual without the knowledge of that organization’s IT or security group. It encompasses cloud services, software and hardware. However, shadow IT extends beyond work applications to employees’ personal devices like smartphones or laptops (Bring Your Own Device or BYOD). Shadow IT may also include cloud services brought on to meet the unique needs of a certain BU that are supported by a third-party service provider or an in-house group instead of by corporate IT.  

Shadow IT can also be described as hardware or software within an enterprise that an organization’s central IT department doesn’t support.

Why is shadow IT important to cloud security?

In this modern IT world, most organizations work in the cloud and leverage various cloud-based services in their day-to-day operations. While most of the services get authorized by their IT, access to some cloud-based services isn’t allowed. This is where shadow IT comes into play.

Often looking for a quick solution, employees take part in shadow IT by jumping onto new, innovative, cloud-based services before IT departments, who generally follow the safe procedure of considering the cost and risk first, sanction them. The growth of shadow IT is proportional to the meteoric rise of cloud-based applications and services and is further exacerbated by the prominence of hybrid business models.

With users becoming more comfortable with downloading and using apps and services from the cloud for work, it’s clear that shadow IT isn’t going anywhere. It will continue to be a significant aspect of cloud security.

Why do people use shadow IT?

Employees engage in shadow IT primarily to work more efficiently. Users can conveniently get tools that make them more productive, helping them interact efficiently with coworkers and partners. They may also feel more comfortable using tools they use on a daily basis. In contrast, using tools provided by the IT department (if they are new) might take more time and effort to get used to.

Also, shadow IT may provide users the opportunity to innovate, experiment, collaborate and foster productivity in an on-demand, self-service fashion rather than working through the learning curves associated with unfamiliar, albeit approved, apps and tools. The recent shift to a remote and flexible work model has pushed people to opt for shadow IT as well.

For employees, it’s ultimately about the path of least resistance. Shadow IT seems to deliver exactly that.

How common is shadow IT?

It is difficult to accurately measure how common shadow IT is. It isn’t visible to the IT and security team, and the people using it usually don’t tell their IT department they’re using it. Sometimes even end users use it unknowingly.

According to a recent survey, around 42% of employees use personal email accounts for work without the approval of their companies’ IT teams. For small companies with less than 500 employees, shadow IT apps make up 68% of the app portfolios.

What are the categories of shadow IT?

Any form of IT-related activities and purchases that don’t involve the IT department fall under shadow IT. This consists of:

Hardware

This includes servers, PCs, laptops, tablets and smartphones. The unauthorized use of these could result in a fragmented, highly inefficient architecture and also give rise to operational risks like outages caused by undocumented systems. 

Software

This includes off-the-shelf (packaged) software that is standardized, mass-produced and available to the general public. By using this software, you put your trust in the security of someone else. It may contain vulnerabilities users are unaware of and can be used to target a large number of users of this software.

Applications

Installation of applications not authorized by a company’s IT team carries the probability of information security risk since they may contain vulnerabilities and malicious code that users are unlikely to notice.

Services

Today, most of shadow IT takes the “as-a-Service” form. This includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). Cloud services like SaaS are now the most prevalent form of shadow IT and have made off-the-shelf software a rare case.

What are examples of shadow IT?

Apart from the four main categories discussed above, we can categorize all technologies and brands associated with shadow IT based on the action performed by the tools/devices.

Productivity tools

Organizational apps/software like Trello, Asana, Dapulse, etc., fall under this category. Flexible tools like these encourage people to work from anywhere. Hence, approval from the IT team is often not considered necessary.

Collaboration tools

When not officially licensed or sanctioned by the IT department, Google Docs, Drive, Gmail and other features of Google Workspace can be put in this bucket.

Communication tools

Employees often use messaging apps like Slack, WhatsApp and VOIP services like Skype, WebEx, Zoom, etc., to carry out conversations outside the organization ecosystem.

Storage platforms and devices

Storage devices, like USBs, external drives, cloud storage and others are often used by employees to store company data or connect to the private networks of an organization.

What is the impact of shadow IT?

With employees continuing to work remotely, the prevalence of shadow IT is growing. This forces IT leaders to consider the pros and cons of unsanctioned technology use. Although shadow IT may make some aspects of employee life easier, there are many drawbacks associated with it that outweigh the benefits. Let’s take a look at both.

What are the benefits of shadow IT?

Employees who regularly leverage digital devices and services not approved by central IT are heavily influenced by the presence of shadow IT. Despite the significant risks shadow IT introduces within a business, it offers several important benefits.

  • There are a lot of policies and processes laid down by the IT department that safeguard the organization. However, they also tend to slow down innovation and transformation. Shadow IT helps employees access required resources faster, thus improving efficiency and driving innovation.
  • Shadow IT ensures that the software that better fits business needs gets delivered faster. It encourages free or affordable cloud-based services, ultimately reducing cost.
  • It optimizes limited IT resources, including staff, through basic request self-service and improves overall collaboration and communication with the help of highly intuitive platforms and applications.
  • Various challenges and pain points that workers experience in their daily jobs can also get highlighted because of shadow IT. This gives the IT department and enterprise executives a clear idea of the areas they need to work on.

Although shadow IT may improve employee productivity, it does introduce serious risks into an organization’s environment. Such risks can lead to inefficiencies and ultimately be detrimental to the organization.

What are the risks of shadow IT?

IT and security teams consider shadow IT a risk mainly for two reasons. First, if IT teams cannot track how tools and services are used across the organization, they will be unable to determine how corporate data is being accessed, stored and transferred. Secondly, IT and security teams might have concerns over a disallowed or banned app that contains a known vulnerability, which could serve as an entry point for cybercriminals.

If IT teams cannot track the usage of tools and services across an organization, then data can be hosted, shared and accessed — internally and/or externally — without formally set permissions, security protections or organizational visibility, leading to major security risks.

Shadow IT can also cause difficulties for IT and security teams in the following few ways:

  • App sprawl — As the number of apps and cloud-connected services an enterprise uses increases, it becomes harder to keep track of them. When new tools, apps and services are added by employees impulsively without involving IT, things are likely to spiral out of control.
  • Security — Even if a particular app isn’t unsafe, every piece of IT added without proper planning and consideration can serve as a possible attack point.
  • Rework — When a piece of shadow IT needs to become a formal part of the enterprise, complete rework of the technology infrastructure is required.

Risks from network-accessed shadow IT applications

The growth of shadow IT has sped up the consumerization of IT. As a result, hundreds of apps and services are downloaded from the cloud and used on enterprise networks. A lack of visibility into each of these apps can lead to security gaps that can be exploited by cybercriminals. Although most apps are harmless, others involving file sharing and storage or collaboration can seriously threaten an enterprise and its sensitive data.

Risks from OAuth-enabled shadow IT applications

There are a lot of third-party applications enabled via OAuth that are unknown to the IT department of an organization. These apps include permissions to access information in the core application (Microsoft 365 and Google Workspace), which increases the attack surface and can be used to access sensitive data from file-sharing and communication tools. Since OAuth-enabled apps communicate cloud to cloud, they do not show up on the corporate network, creating blind spots for organizations.

There’s also the common practice of employees reusing credentials. Password reuse increases the likelihood of corporate passwords being available for cybercriminals to purchase on the dark web. Cybercriminals can carry out credential stuffing attacks to exploit password reuse by guessing known credential pairs in the login forms.

How do you protect your organization from shadow IT?

Attempting to completely get rid of shadow IT makes no sense for security and IT professionals since employees will always find ways to use the solutions they want, especially when faced with strict IT policies. What they want is convenience — they want to work faster and smarter.

Following these best practices can help deal with shadow IT in today’s workplaces.

Perform shadow IT discovery

A shadow IT discovery tool can help IT teams discover, track and analyze all the systems and devices that employees are currently using. This includes both the approved and unapproved ones. The creation of policies then follows this to allow, restrict or block the usage of the tools as per requirement. Reviewing budgets and invoices from various business units may reveal one-off purchases of unsanctioned software and applications as well.

Establish a shadow IT policy

A well-crafted shadow IT policy helps set up protocols for adoption, approval and management of new tools within an organization. IT departments divide these tools into three categories (sanctioned, authorized and prohibited) to help employees better understand the risks involved and suggest alternatives. If employees want to use solutions absent from the sanctioned and authorized lists, they should ask the IT department to check for security. Once checked, the IT department can add the solution to the list accordingly.

Train and educate employees

Educating employees about the dangers of using unapproved software is one of the most effective ways to mitigate shadow IT risks. Explaining the true reasons behind shadow IT prohibitions to the employees can significantly lower the number of unapproved software installations. It can also allow workers to be more transparent about their problems with approved solutions and why they opt for alternatives.

Secure your organization with Unitrends

Shadow IT is a cybersecurity issue and can be a symptom of an inefficient IT strategy. You must have a robust business continuity and disaster recovery (BCDR) strategy in place to deal with this. Unitrends Unified BCDR helps your organization prepare for the hidden dangers of shadow IT and ensures proper security of your organization’s critical data. It uses AI-based technology, including integrated dark web monitoring, to identify, analyze and monitor your organization’s compromised or stolen credentials.

Backup and recovery is a significant part of an enterprise’s zero trust model. With the zero trust model, verification is necessary for all users and devices, inside or outside the organization network. This reduces the risks associated with shadow IT and helps IT departments quickly discover, catalog and manage unsanctioned tools. Combining zero trust framework with defense-in-depth makes your organization’s security strategy even more potent.

Spanning 360, our enterprise-class, end-to-end protection for Microsoft 365 and Google Workspace, uses sophisticated dark web monitoring as a part of the defense-in-depth approach to secure accounts, users and data.

See how Unitrends can help your organization manage the risk of shadow IT. Request a demo today.

About Adam Marget

Adam is a Technical Specialist on the Unitrends marketing team supporting digital and in-market events. Over the last 4 years with Unitrends, he has been delighted at the opportunity to work with customers, prospects, and partners alike to help solve challenges around data protection and business continuity. Adam joined Unitrends in 2016, bringing with him experience working with variety of manufacturers’ technology from edge to core as a coworker from national IT solutions provider CDW.