Shadow IT is the unauthorized use of any digital service or device that is not formally approved and supported by the IT department. Examples of shadow IT include:
- Creating cloud workloads using personal accounts or credentials
- Purchasing software-as-a-service (SaaS) applications or other cloud services subscriptions that fall below the purchasing thresholds outlined by IT
- Using workflow or productivity apps, such as Trello or Asana
- Leveraging public cloud services, such as Google Drive or Box, to store, access or share data or other assets
- Using messaging platforms or communication applications, such as WhatsApp or Zoom, to conduct work-related communication
While users generally turn to shadow IT to improve the speed at which they can perform their jobs, the use of such services is unknown to the IT team and therefore not protected by the organization's cybersecurity solutions or protocols. In the case of cloud workloads and other services used by developers, assets may contain serious vulnerabilities, such as default passwords or misconfigurations. This sharply increases the organization's risk of data breaches in particular, as well as of noncompliance and other liabilities.
Why is shadow IT a growing problem?
The use of shadow IT has become increasingly prevalent in recent years because of business transformation efforts. A 2019 study from Everest Group estimates that nearly half of all IT spend “lurks in the shadows.” Notably, these figures are pre-pandemic. It is likely that the sudden influx of remote workers due to COVID-19 restrictions has further increased the use of shadow IT as workers struggled to maintain productivity in a new environment with limited resources.
The use of shadow IT is rarely malicious. Rather, it is a practice embraced by employees because their day-to-day roles require fast, flexible, frictionless access to different tools and applications.
The adoption of DevOps is one major driver of the proliferation of shadow IT. Cloud and DevOps teams like to run fast and without friction. However, obtaining the visibility and management levels that the security teams require will often lead to setbacks and delays within the development cycle. When a developer spawns a cloud workload using their personal credentials, they do so not as a matter of preference or out of malice, but because going through the proper internal channels may delay work and cause the entire team to miss a deadline.
The answer to shadow IT, therefore, is not to figure out how to eliminate its use, but how to provide employees with the resources they need to meet business objectives, at speed and at scale.
Risks and Benefits of Shadow IT
From an IT and cybersecurity perspective, shadow IT is an issue that must be managed to maintain visibility of the network and ensure its security. But what about employees who rely on these assets to do their job and managers who turn a blind eye to such methods? Surely they see some benefit in shadow IT. But does that benefit outweigh the risk?
In this section we take a closer look at the benefits and risks of shadow IT to give organizations a better sense of what’s at stake and why IT teams need to refine processes and procedures to deliver the ease of use and speed of shadow IT without creating undue risk.
Benefits of Shadow IT
While shadow IT introduces significant risk within the business, it also offers several important benefits. These include:
- Faster access to needed resources, which improves efficiency and drives innovation
- Reducing costs through use of free or affordable cloud-based services
- Optimization of limited IT resources, including staff, through self-service of basic requests
- Improved communication and collaboration through highly intuitive and accessible applications and platforms
- A positive user experience through reduction of administration and bureaucracy
Risks of Shadow IT
Though there are many clear benefits to shadow IT, companies must not underestimate the level of risk created by the use of unauthorized tools, applications or devices — any one of which can serve as an entry point for a cybercriminal. As organizations face an increasingly ominous threat landscape, it is important to limit the risk introduced by shadow IT. Risks include:
Visibility and Control
The old saying is true: You can’t protect what you can’t see.
By definition, shadow IT falls outside the view of IT security, which increases the probability that vulnerabilities, misconfigurations and policy violations will go undetected.
While the growth of user self-provisioning may be good for speed, it is not without drawbacks when it comes to security. By decentralizing the power to provision resources, organizations can create an environment that increases agility without compromising visibility.
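The two blind spots described above (cloud workloads spawned under personal credentials, and SaaS use that IT never sees) can both be surfaced from logs IT already controls. The following is an added example, not code from the original article: it runs two simple discovery checks over constructed cloud audit events and egress DNS records, with the approved identity domains, sanctioned SaaS hosts and watchlist all assumed for illustration.

```python
"""Shadow IT discovery over constructed audit and egress logs (added example)."""
from collections import Counter

# Assumptions for this example: corporate identity domains, SaaS hosts IT sanctions,
# and well-known SaaS hosts to watch for. All values are illustrative.
APPROVED_IDENTITY_DOMAINS = {"corp.example"}
SANCTIONED_SAAS = {"sso.corp.example", "approved-files.example"}
SAAS_WATCHLIST = {"drive.google.com", "app.box.com", "trello.com",
                  "app.asana.com", "web.whatsapp.com"}
CREATE_EVENTS = {"RunInstances", "CreateBucket", "CreateFunction"}

# Constructed sample cloud audit events: who created what.
AUDIT_EVENTS = [
    {"event": "RunInstances", "principal": "alice@corp.example", "resource": "i-0a1"},
    {"event": "RunInstances", "principal": "bob.dev@gmail.example", "resource": "i-0b2"},
    {"event": "CreateBucket", "principal": "ci-bot@corp.example", "resource": "bkt-logs"},
    {"event": "CreateBucket", "principal": "carol@outlook.example", "resource": "bkt-scratch"},
    {"event": "DescribeInstances", "principal": "dave@outlook.example", "resource": "-"},
]

# Constructed sample egress DNS log: (source host, queried name).
DNS_LOG = [
    ("10.0.1.5", "sso.corp.example"),
    ("10.0.1.5", "drive.google.com"),
    ("10.0.2.9", "trello.com"),
    ("10.0.2.9", "trello.com."),
    ("10.0.3.1", "approved-files.example"),
]


def unapproved_creators(events, approved_domains=APPROVED_IDENTITY_DOMAINS):
    """Resource-creation events whose principal sits outside the corporate identity domains.

    Read-only events are ignored; only creation is treated as a shadow workload signal."""
    findings = []
    for e in events:
        if e["event"] not in CREATE_EVENTS:
            continue
        domain = e["principal"].rsplit("@", 1)[-1].lower()
        if domain not in approved_domains:
            findings.append((e["principal"], e["event"], e["resource"]))
    return findings


def unsanctioned_saas_usage(dns_log, sanctioned=SANCTIONED_SAAS, watchlist=SAAS_WATCHLIST):
    """Count lookups per (host, name) for watchlisted SaaS that IT has not sanctioned."""
    counts = Counter()
    for src, qname in dns_log:
        q = qname.lower().rstrip(".")  # normalise trailing dot and case
        if q in sanctioned:
            continue
        if any(q == w or q.endswith("." + w) for w in watchlist):
            counts[(src, q)] += 1
    return dict(counts)
```

The findings are an inventory starting point: each hit is a workload or service to bring under approved accounts and monitoring, not proof of wrongdoing.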