What is shadow IT?

Shadow IT is the use of unsanctioned devices and software by employees to access company data and perform their work duties. It is an ongoing risk for organizations of every size, and should be directly addressed to ensure the operational security of your IT systems, as well as the security of your data.

This guide explains what shadow IT is, how it proliferates within organizations, and what you can do to reduce its occurrence and mitigate its effects.

What is shadow IT?

Shadow IT exists within every organization, and by its definition is hard to identify. The use of legitimate software and hardware that isn’t approved by your IT department (and thus, exists in the ‘shadows’) makes these systems impossible to vet and monitor for security and compliance issues — you can’t control access to or the use of websites, applications, and platforms that you aren’t aware of.

It’s worth noting that shadow IT doesn’t refer to malware that makes its way onto mobile devices, workstations, or into workloads and their dependencies. While malware is unauthorized software running on your IT infrastructure, it has no legitimate use, and it is a separate, intentionally harmful threat.

Causes of shadow IT: Why employees adopt their own tools

Generally, employees are not intentionally trying to cause damage by using unauthorized systems for work purposes — they’re just trying to fulfill their work role using tools that may be missing from their tool chain, or trying to improve their efficiency. Most of the time, they aren’t even aware that what they are doing is a problem.

Shadow IT can also occur without the explicit adoption of a new system. For example, productivity software may introduce new features (such as cloud storage) that are enabled by default and unintentionally used by staff to store sensitive documents, causing a potential compliance breach.

Shadow IT also extends to software development lifecycles: developers may intentionally or unintentionally pull packages that have not been vetted, or deploy to a cloud environment outside their organization’s perimeter to quickly solve a problem.

Examples of shadow IT

There are several common examples of shadow IT that provide benefits to users:

  • Cloud storage: Employees frequently use unapproved cloud storage so that they can more easily share files and collaborate with others both internal and external to their organization.
  • Communication tools: Instant messaging and video conferencing software is rarely consistent between organizations, leading users to adopt other platforms so that they can interact with clients.
  • Productivity tools and services: Apps and online tools used for specific purposes (like converting images or editing PDFs) provide vital functionality that may not be available to users through their approved tools.
  • AI and automation tools: For almost every use-case, AI and automation tools are an increasing cause of shadow IT, as they can greatly improve efficiency by reducing manual tasks.
  • Cloud computing platforms: Developers who need to meet deadlines can leverage cloud computing platforms outside their organization to quickly deploy workloads and apps without having to spin up their own infrastructure.

The use of personal devices is also a shadow IT threat: unmanaged devices may not be up-to-date or secure, creating invisible cybersecurity attack vectors.

Risks of shadow IT

The benefits of shadow IT are often offset by the dangers it poses to your infrastructure and data, including:

  • Data breaches and compliance issues: The use of unapproved cloud storage and communication platforms places data beyond your control and leaves it vulnerable to unauthorized access or loss. This also affects compliance with privacy regulations such as GDPR, CCPA, and HIPAA. Cloud storage services have accidentally exposed user data before: in 2020, Google Photos sent some people’s photos and videos to strangers when they tried to export their data.
  • Unknown attack vectors: The use of any software or online service that hasn’t been assessed by your IT department could introduce vulnerabilities — while many online tools are useful, their data privacy and security practices may not be robust or have the user’s best interests in mind (especially in the case of free tools). An example of this is the Canva breach in 2019, where user credentials were exposed, decrypted, and shared online.
  • Supply chain attacks: Developers who do not carefully vet their packages and dependencies, or keep them up to date, put infrastructure and data at risk by increasing the number of vulnerabilities. This problem is significant in popular public package repositories, and will be an ongoing problem for all development teams that rely on open-source libraries.
  • Cloud platform misconfiguration: Cloud platforms can be complex to configure, and without proper planning and configuration they can expose assets to breaches. LastPass was famously caught in a cybersecurity incident when hackers gained access to cloud environments and then used that information to further breach the service’s infrastructure.

While staff usually adopt shadow IT in an attempt to improve efficiency, it can also have the opposite effect: inconsistent tools, inaccurate information provided by AI platforms, and the overhead of dealing with decreased visibility and control can reduce the overall operational efficiency of teams. Remediating cybersecurity incidents can also lead to increased costs and reputational damage to an organization.

Reduce shadow IT by enabling users to safely adopt new tools

Reducing shadow IT is all about visibility and education. Visibility over what your staff is using, including devices, desktop applications, mobile apps, and online platforms, must be maintained. Additionally, users must be aware of which tools they are allowed to use, and where the line between encouraged self-service and shadow IT lies in your organization.

Complex procurement processes may discourage employees from engaging with them, leading them to just go ahead and use unauthorized systems to “get the job done”. Regularly assessing your users’ needs, asking if there are any tools they are using that could be sanctioned and officially adopted, and educating them about the risks and repercussions of using shadow IT are key ways to reduce its occurrence.

Endpoint protection can detect suspicious behavior and the installation of packages, while network monitoring solutions can limit access to unauthorized web applications and cloud storage services.

Software developers in particular will be keen to self-service their own problems. Problem-solving is one of their key skills, and hindering it will lead to development drag or the outright rejection of procurement processes. Vulnerability management and the automated creation of a software bill of materials (SBOM) for each project mean that developers can get on with their job, while any dependencies they have incorporated can be vetted and flagged before they enter production.
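One way to turn an automatically generated SBOM into a pre-production gate, as an added example that is not Sysdig's or any project's code: the script below reads a minimal CycloneDX-style SBOM, compares each component against a hypothetical allowlist of vetted package versions and approved registries, and returns the violations. The SBOM, package names, registry URLs and allowlist are all constructed for illustration.

```python
"""Gate a release on its SBOM: flag dependencies that were never vetted.
Added example (not Sysdig's or any project's code). Assumes a minimal
CycloneDX 1.x JSON layout and a hypothetical allowlist; the SBOM below,
its package names and registry URLs are constructed for illustration."""
import json
from typing import Optional
from urllib.parse import parse_qs

# Constructed SBOM: a vetted package, an unknown package, and a vetted
# package at an unreviewed version pulled from an unapproved registry.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "leftpad-ng", "version": "0.0.3",
         "purl": "pkg:pypi/leftpad-ng@0.0.3"},
        {"type": "library", "name": "pyyaml", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"
                 "?repository_url=https://mirror.example.internal/simple"},
    ],
})
# Hypothetical allowlist: package name -> versions that passed security review.
VETTED = {"requests": {"2.31.0"}, "pyyaml": {"6.0.0"}}
# Registries procurement approved; a purl pointing elsewhere is shadow infra.
APPROVED_REPOS = {"https://pypi.org/simple"}


def purl_repository(purl: str) -> Optional[str]:
    """Return the repository_url qualifier of a package URL, if present."""
    if "?" not in purl:
        return None
    repo = parse_qs(purl.split("?", 1)[1]).get("repository_url")
    return repo[0] if repo else None


def audit_sbom(sbom_json: str) -> list:
    """Return one finding per policy violation; an empty list passes the gate."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"], comp.get("version", "")
        label = f"{name}@{version}"
        if name not in VETTED:
            findings.append({"component": label, "reason": "package never vetted"})
        elif version not in VETTED[name]:
            findings.append({"component": label, "reason": "version not vetted"})
        repo = purl_repository(comp.get("purl", ""))
        if repo and repo not in APPROVED_REPOS:
            findings.append({"component": label, "reason": f"unapproved registry {repo}"})
    return findings
```

A CI job would fail the pipeline whenever `audit_sbom` returns a non-empty list, so an unvetted package is flagged before it reaches production rather than discovered there.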

While in production, a cloud-native application protection platform (CNAPP) can detect suspicious behavior and unauthorized code within workloads so that it can then be assessed, reducing shadow IT concerns and ensuring fast remediation of any identified issues.

Mitigating cloud-native shadow IT risks with Sysdig

Shadow IT presents a significant risk to organizations that develop software and run their workloads in the cloud. This is especially evident when working with distributed workforces and cloud architectures with poorly defined perimeters.

Sysdig Secure centrally monitors your cloud environments and containerized workloads for unauthorized software and dependencies, as well as misconfigurations and suspicious behavior that could lead to a breach. It prioritizes threats in real time from runtime activity, supply chain vulnerabilities, and misconfiguration so that you can make informed and strategic decisions.

Sysdig can automatically take inventory of your entire cloud environment and alert you to unauthorized software use, supply chain vulnerabilities, and compliance issues, all without having to install agents that can increase complexity and decrease performance. Sysdig can also monitor for unexpected usage and costs in complex scaling environments, further assisting in identifying unauthorized software or resource usage.

Read our Securing multi-cloud infrastructure brief to find out what you need to do to secure your multi-cloud environments against threats such as shadow IT. You can also download our Cloud Security 101 eBook for an overview of the cloud cybersecurity tools you need to protect your data and remain compliant.

FAQs

Shadow IT is the use of software or devices within an organization without approval. This commonly includes staff using their own phones, tablets, and computers for work purposes, as well as online services, communication, and messaging apps.

Shadow IT increases the risk of data leaks and compliance issues, as IT departments have no oversight over its usage. It can also introduce attack vectors into an organization’s network that are invisible to IT and security teams.

One of the most common shadow IT violations is the use of unapproved cloud storage by employees so that they can share files with colleagues and work from home. The use of personal devices and instant messaging for communicating sensitive business information is also a common breach.

Shadow IT can be detected by monitoring network traffic, and implementing endpoint protection that can identify the use of unauthorized software. A cloud access security broker (CASB) can be deployed to further protect against unauthorized use of cloud services.
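The network-traffic monitoring described in this answer and in the earlier section on reducing shadow IT, as an added example that is not part of the original page or any vendor's product: the script below parses constructed proxy log lines, skips destinations on a sanctioned list, and reports which unsanctioned SaaS domains each user sent data to, so IT can decide what to sanction and what to block. The log format, host names, sanctioned list and category map are all assumptions constructed for the example.

```python
"""Shadow IT discovery from proxy logs: report unsanctioned SaaS per user.
Added example (not Sysdig's or any vendor's code). The log format, the
sanctioned-service list, the category map and every host name below are
constructed; a real deployment would feed it its own proxy or DNS logs."""

# Constructed proxy log: "<ISO time> <user> <dest host> <method> <bytes out>".
PROXY_LOG = """\
2024-05-01T09:12:03Z alice drive.corp.example PUT 204800
2024-05-01T09:14:41Z alice files.filebox.example POST 5242880
2024-05-01T09:20:09Z bob api.quickchat.example POST 1024
2024-05-01T09:22:30Z bob files.filebox.example POST 1048576
2024-05-01T09:25:17Z carol pdf-tools.example POST 409600
2024-05-01T09:26:02Z carol chat.corp.example GET 0
2024-05-01T09:30:44Z bob sync.unknown-app.example PUT 2048
"""
# Services IT has approved (matched on the host or any parent domain).
SANCTIONED = {"corp.example"}
# Known SaaS categories, keyed by registrable domain.
CATEGORIES = {"filebox.example": "cloud storage",
              "quickchat.example": "messaging",
              "pdf-tools.example": "productivity"}


def domain_chain(host):
    """Yield the host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_domain(host, domains):
    """Return the most specific parent of host found in domains, else None."""
    return next((d for d in domain_chain(host) if d in domains), None)


def shadow_it_report(log_text):
    """Aggregate unsanctioned destinations: category, users and bytes sent."""
    report = {}
    for line in log_text.splitlines():
        _ts, user, host, _method, out_bytes = line.split()
        if match_domain(host, SANCTIONED):
            continue  # approved service, not shadow IT
        key = match_domain(host, CATEGORIES) or host
        entry = report.setdefault(key, {"category": CATEGORIES.get(key, "unknown"),
                                        "users": set(), "bytes_out": 0})
        entry["users"].add(user)
        entry["bytes_out"] += int(out_bytes)
    return report
```

Destinations that land in the "unknown" category are the ones worth a manual review: they are either a new tool to sanction or an application to block, and either way they were invisible before the report.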

Educating staff about the dangers of using unapproved tools is the first step to reducing shadow IT. You should also address your users’ needs with approved software so that they don’t resort to using unvetted tools.