Shadow IT definition
Shadow IT is the unauthorized use of any digital service or device that is not formally approved and supported by the IT department.
Though users generally turn to shadow IT to improve the speed at which they can perform their jobs, the use of such services is unknown to the IT team and therefore not protected by the organization’s cybersecurity solutions or protocols. In the case of cloud workloads and other services used by developers, assets may contain serious vulnerabilities, such as the use of default passwords or misconfigurations. This exponentially increases the risk of data breaches, noncompliance, and other liabilities.
Shadow IT examples
Examples of shadow IT include:
- Creating cloud workloads using personal accounts or credentials
- Purchasing software as a service (SaaS) applications or other cloud services subscriptions that fall below the purchasing thresholds outlined by IT
- Using workflow or productivity apps such as Trello or Asana
- Leveraging public cloud services, such as Google Drive or Box, to store, access, or share data or other assets
- Using messaging platforms or communication applications, such as WhatsApp or Zoom, to conduct work-related communication
Why is shadow IT a growing problem?
The use of shadow IT has become increasingly prevalent in recent years because of business transformation efforts. A 2019 study from Everest Group estimates that nearly half of all IT spend “lurks in the shadows.” Notably, these figures are pre-pandemic. It is likely that a sudden influx of remote workers due to COVID-19 restrictions has further increased the use of shadow IT as workers struggle to maintain productivity in a new environment with limited resources.
The use of shadow IT is rarely malicious. Rather, it is a practice embraced by employees because their day-to-day roles require fast, flexible, and frictionless access to different tools and applications.
The adoption of DevOps is one major driver of the proliferation of shadow IT. Cloud and DevOps teams like to run fast and without friction. However, obtaining the visibility and management levels that security teams require often leads to setbacks and delays within the development cycle. When a developer spawns a cloud workload using their personal credentials, they do so not as a matter of preference or out of malice but because going through the proper internal channels may delay work and cause the entire team to miss a deadline.
The answer to shadow IT, therefore, is not to figure out how to eliminate its use but how to provide employees with the resources they need to meet business objectives at speed and at scale.
Risks and benefits of shadow IT
From an IT and cybersecurity perspective, shadow IT is an issue that must be managed to maintain visibility of the network and ensure its security. But what about employees who rely on these assets to do their job and managers who turn a blind eye to such methods? Surely, they see some benefit in shadow IT. But does that benefit outweigh the risk?
In this section, we take a closer look at the benefits and risks of shadow IT to give organizations a better sense of what’s at stake and why IT teams need to refine processes and procedures to deliver the ease of use and speed of shadow IT without creating undue risk.
Benefits of shadow IT
Some of the benefits offered by shadow IT include:
- Faster access to needed resources, which improves efficiency and drives innovation
- Reduced costs through use of free or affordable cloud-based services
- Optimization of limited IT resources, including staff, through self-service of basic requests
- Improved communication and collaboration through highly intuitive and accessible applications and platforms
- A positive user experience through reduction of administration and bureaucracy
Risks of shadow IT
Though there are many benefits to shadow IT, companies cannot underestimate the level of risk created by the use of unauthorized tools, applications, or devices, any one of which can serve as an entry point for a cybercriminal. As organizations face an increasingly ominous threat landscape, it is important to limit risk introduced by shadow IT. These risks include:
1. Visibility and control
The old saying is true: You can’t protect what you can’t see.
By definition, shadow IT falls outside the view of IT security, which increases the probability that vulnerabilities, misconfigurations, and policy violations will go undetected.
Though the growth of user self-provisioning may be good for speed, it is not without its drawbacks when it comes to security. By decentralizing the power to provision resources, organizations can create an environment that allows for increased agility but does not compromise visibility.
2. Data loss
Another challenge with shadow IT is that data or other assets stored in personal accounts are not accessible to others in the company. If an employee resigns or is terminated, they may still maintain access to those assets stored in the cloud, and the business may lose access to these assets.
Another important consideration is that shadow IT is not subject to corporate policies and procedures. This may mean that data stored in a cloud server is not backed up, archived, or encrypted in line with company policy.
3. Attack surface expansion
Though data loss is an important concern for organizations, data theft is perhaps an even bigger risk.
With every instance of shadow IT, the organization’s attack surface is expanded. Since shadow IT is not visible to the IT or cybersecurity team, these assets are not protected by the organization’s cybersecurity solutions, such as endpoint detection and response (EDR), next-generation antivirus (NGAV), or threat intelligence services.
Further, shadow IT services are often created using weak or default credentials and may be subject to misconfigurations, all of which can be exploited by adversaries and used as a pathway into the organization’s broader corporate network.
4. System inefficiencies
Shadow IT tends to be a compound problem. When an organization does not provide employees with adequate resources to complete their job and people self-provision to address a shortcoming, the business is less likely to recognize the need for infrastructure investments, new skills, or procedures.
Further, in instances of shadow IT, organizations do not have a single source of truth when it comes to data. This means that data analysis and reporting may be inaccurate, inconsistent, or incomplete. This can erode the quality of insights produced from this data and introduce compliance issues.
In many cases, employees turn to shadow IT as a way to reduce costs. However, long-term use of such services — or the scaling of them across the business — may not be cost-effective. For example, a personal cloud storage service scaled to serve an enterprise account is extremely cost-prohibitive compared to services specifically developed to support corporate clients.
Shadow IT also introduces cost indirectly in the form of noncompliance fines and penalties, reputational harm in the event of a breach, or time-consuming and intensive IT support if and when the service needs to be migrated or deprovisioned.
How to manage the risk of shadow IT
The challenge of reducing instances of shadow IT lies not with employees but with the business. Organizations must take steps to understand and fulfill the needs of their employees — and make the approval and provisioning process fast and frictionless.
Even in the most advanced organizations, some instances of shadow IT are inevitable. To that end, businesses need to find ways to effectively identify these cases and manage the risk. Businesses can take the following steps to reduce the use of shadow IT and limit its risk:
- Understand organizational and team needs through comprehensive and regular audits across the business.
- Use advanced technology to continuously monitor the network and ensure visibility and control of all devices, applications, and systems.
- Communicate with, collaborate with, and train all employees on the safe and secure use of all tools and technologies and the proper protocol for provisioning a new service.
- Establish and enforce security posture, policies, and compliance.
- Create a framework that assesses risks and prioritizes remediation efforts.
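As an illustration of the monitoring and prioritization steps above, the following added example (not part of the original article and not CrowdStrike code) scans web proxy logs for the services named in the examples list and ranks unsanctioned ones by upload volume. The log format, the sample log lines, and the choice of Zoom as the only approved service are assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Domain suffix -> service, taken from the services the article names.
CATALOGUE = {
    "trello.com": "Trello",
    "asana.com": "Asana",
    "drive.google.com": "Google Drive",
    "box.com": "Box",
    "whatsapp.com": "WhatsApp",
    "zoom.us": "Zoom",
}
# Assumption: this organization has formally approved only Zoom.
SANCTIONED = {"Zoom"}

# Constructed sample proxy log: timestamp,user,host,bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,alice,api.trello.com,5120
2024-05-01T09:02:10Z,bob,drive.google.com,734003200
2024-05-01T09:03:44Z,alice,us02web.zoom.us,20480
2024-05-01T09:05:00Z,carol,app.box.com,1048576
2024-05-01T09:06:30Z,bob,DRIVE.GOOGLE.COM.,2048
2024-05-01T09:07:12Z,dave,notbox.com,999
2024-05-01T09:08:55Z,carol,web.whatsapp.com,4096
"""

def classify(host):
    """Map a hostname to a catalogued service, matching on label boundaries."""
    host = host.strip().lower().rstrip(".")
    for suffix, service in CATALOGUE.items():
        # "app.box.com" matches "box.com"; "notbox.com" must not.
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def find_shadow_it(log_text):
    """Return unsanctioned services with users, requests and bytes uploaded."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for _ts, user, host, bytes_out in csv.reader(StringIO(log_text)):
        service = classify(host)
        if service is None or service in SANCTIONED:
            continue
        entry = usage[service]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(bytes_out)
    # Largest upload volume first: the most likely place for data to have left.
    return sorted(usage.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
```

The per-service user sets show which teams to talk to about an approved alternative, in line with the article's point that the response is provisioning rather than punishment.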
Eliminating shadow IT risk with CrowdStrike Falcon Cloud Security
CrowdStrike Falcon® Cloud Security is a cloud security posture management (CSPM) tool that detects and prevents misconfigurations and control plane threats, eliminates blind spots, and ensures compliance across all cloud platforms, including AWS, Azure, and Google Cloud.
Falcon Cloud Security delivers complete visibility into your multi-cloud environment through a single source of truth for cloud resources.
Falcon Cloud Security provides:
- Continuous intelligent monitoring of cloud resources to identify instances of shadow IT and proactively detect misconfigurations and threats
- Secure application deployment in the cloud with greater speed and efficiency
- Unified visibility and control across multi-cloud environments
- Guided remediation to resolve security risks
- Guardrails to help developers avoid costly mistakes
- Targeted threat detection to reduce alert fatigue
- Seamless integration with security information and event management (SIEM) solutions