Shadow IT is the unauthorized use of any digital service or device that is not formally approved of and supported by the IT department. Examples of shadow IT include:
- Creating cloud workloads using personal accounts or credentials
- Purchasing software-as-a-service (SaaS) applications or other cloud services subscriptions that fall below the purchasing thresholds outlined by IT
- Using workflow or productivity apps, such as Trello or Asana
- Leveraging public cloud services, such as Google Drive or Box, to store, access or share data or other assets
- Using messaging platforms or communication applications, such as WhatsApp or Zoom, to conduct work-related communication
While users generally turn to shadow IT to improve the speed at which they can perform their jobs, the use of such services are unknown to the IT team and therefore not protected by the organizations’ cybersecurity solutions or protocols. In the case of cloud workloads and other services used by developers, assets may contain serious vulnerabilities, such as the use of default passwords or misconfigurations. This exponentially increases risk for the organization for data breaches, in particular, as well as noncompliance and other liabilities.
Why is shadow IT a growing problem?
The use of shadow IT has become increasingly prevalent in recent years because of business transformation efforts. A 2019 study from Everest Group estimates that nearly half of all IT spend “lurks in the shadows.” Notably, these figures are pre-pandemic. It is likely that a sudden influx of remote workers due to COVID-19 restrictions have further increased the use of shadow IT as workers struggled to maintain productivity in a new environment with limited resources.
The use of shadow IT is rarely malicious. Rather, it is a practice embraced by employees because their day-to-day roles require fast, flexible, frictionless access to different tools and applications.
2022 Cloud Threat Report
Download this new report to find out which top cloud security threats to watch for in 2022, and learn how best to address them.Download Now
The adoption of DevOps is one major driver of the proliferation of shadow IT. Cloud and DevOps teams like to run fast and without friction. However, obtaining the visibility and management levels that the security teams require will often lead to setbacks and delays within the development cycle. When a developer spawns a cloud workload using their personal credentials, they do so not as a matter of preference or out of malice, but because going through the proper internal channels may delay work and cause the entire team to miss a deadline.
The answer to shadow IT, therefore, is not to figure out how to eliminate its use, but how to provide employees with the resources they need to meet business objectives, at speed and at scale.
Risks and Benefits of Shadow IT
From an IT and cybersecurity perspective, shadow IT is an issue that must be managed to maintain visibility of the network and ensure its security. But what about employees who rely on these assets to do their job and managers who turn a blind eye to such methods? Surely they see some benefit in shadow IT. But does that benefit outweigh the risk?
In this section we take a closer look at the benefits and risks of shadow IT to give organizations a better sense of what’s at stake and why IT teams need to refine processes and procedures to deliver the ease of use and speed of shadow IT without creating undue risk.
Benefits of Shadow IT
While shadow IT introduces significant risk within the business, it also offers several important benefits. These include:
- Faster access to needed resources, which improves efficiency and drives innovation
- Reducing costs through use of free or affordable cloud-based services
- Optimization of limited IT resources, including staff, through self-service of basic requests
- Improved communication and collaboration through highly intuitive and accessible applications and platforms
- A positive user experience through reduction of administration and bureaucracy
Risks of Shadow IT
Though there are many clear benefits to shadow IT, companies cannot underestimate the level of risk created by the use of unauthorized tools, applications or devices — any one of which can serve as an entry point for a cybercriminal. As organizations face an increasingly ominous threat landscape, it is important to limit risk introduced by shadow IT. Risks include:
Visibility and Control
The old saying is true: You can’t protect what you can’t see.
By definition, shadow IT falls outside the view of IT security, which increases the probability that vulnerabilities, misconfigurations and policy violations will go undetected.
While the growth of user self-provisioning may be good for speed, it is not without its drawbacks when it comes to security. By decentralizing the power to provision resources, organizations can create an environment that allows for increased agility but does not compromise visibility.
Another challenge with shadow IT is that data or other assets stored in personal accounts are not accessible to others in the company. If an employee resigns or is terminated, they may still maintain access to those assets stored on the cloud — while the business may lose access to those assets.
Another important consideration is that shadow IT is not subject to corporate policies and procedures. That may mean that data stored in a cloud server is not backed up, archived or encrypted in line with company policy.
Attack Surface Expansion
While data loss is an important concern to organizations, data theft is perhaps an even bigger risk.
With every instance of shadow IT, the organization’s attack surface is expanded. Since shadow IT is not visible to the IT or cybersecurity team, these assets are not protected by the organization’s cybersecurity solutions, such as endpoint detection and response (EDR), next-gen antivirus (NGAV) or threat intelligence services.
Further, in many cases, shadow IT services are created using weak or default credentials or may be subject to misconfigurations, all of which can be exploited by adversaries and used as a pathway into the organization’s broader corporate network.
Shadow IT tends to be a compound problem. By that we mean that when an organization does not provide employees with adequate resources to complete their job and people then self-provision to address a shortcoming, the business is less likely to recognize the need for infrastructure investments, new skills or procedures.
Further, in instances of shadow IT, organizations do not have a single source of truth when it comes to data. This means that data analysis and reporting may be inaccurate, inconsistent or incomplete. This can erode the quality of insights produced from that data, as well as introduce compliance issues.
In many cases, employees turn to shadow IT as a way to reduce costs. However, long-term use of such services — or the scaling of them across the business — may not be cost-effective. For example, a personal cloud storage service scaled to serve an enterprise account is extremely cost prohibitive as compared to services specifically developed to support corporate clients.
Shadow IT also introduces cost indirectly, in the form of noncompliance fines and penalties, reputational harm in the event of a breach, or timely and intensive IT support if and when the service needs to be migrated or deprovisioned.
How to Manage the Risk of Shadow IT
The challenge of reducing instances of shadow IT lies not with employees but the business. Organizations must take steps to understand and fulfill the needs of their employees — and make the approval and provisioning process fast and frictionless.
Even in the most advanced organizations, some instances of shadow IT are inevitable. To that end, businesses need to find ways to effectively identify those cases and manage the risk. Businesses can take the following steps to reduce the use of shadow IT and limit its risk:
- Understand organizational and team needs through comprehensive and regular audits across the business
- Use advanced technology to continuously monitor the network to ensure visibility and control of all devices, applications and systems
- Communicate and collaborate with and train all employees on the safe and secure use of all tools and technologies, as well as the proper protocol for provisioning a new service
- Establish and enforce security posture, policies and compliance
- Create a framework that assesses risks and prioritizes remediation efforts
Eliminating Shadow IT Risk with CrowdStrike Falcon Horizon
CrowdStrike Falcon Horizon™ is a cloud security posture management (CSPM) tool that detects and prevents misconfigurations and control plane threats, eliminates blind spots, and ensures compliance, across all cloud platforms, including AWS, Azure and Google Cloud.
Falcon Horizon delivers complete visibility into your multi-cloud environment through a single source of truth for cloud resources.
Falcon Horizon provides:
- Continuous intelligent monitoring of cloud resources to identify instances of shadow IT and proactively detect misconfigurations and threats
- Secure application deployment in the cloud with greater speed and efficiency
- Unified visibility and control across multi-cloud environments
- Guided remediation to resolve security risks
- Guardrails to help developers avoid costly mistakes
- Targeted threat detection to reduce alert fatigue
- Seamless integration with security information and event management (SIEM) solutions