Feb 15, 2024
Table of contents
Back in the day, before the network perimeter had eroded, controlling the use of applications and devices by a business’s employees was fairly straightforward. While staff may have brought devices, such as USB keys, to work, the IT department generally controlled the applications that employees used.
Those days are long gone.
In 2010, cloud computing began to cast its long shadow over the perimeter. BYOD (bring your own device) became a movement, with staff using personal devices to log in to corporate networks. Since then, SaaS apps have become ubiquitous, and shadow IT was not far behind. Around 65% of SaaS apps today are unsanctioned, making shadow IT a massive business issue. In other words, the IT department, and ultimately the C-level, may not know what unauthorized apps are being used for business purposes.
Shadow IT has both positive and negative repercussions in the workplace. Here, AccessOwl looks at shadow IT and how a lack of visibility and control over apps and devices can cause security headaches.
Why “shadow IT” entered the business tech lexicon
The term “shadow IT” can be defined as “unauthorized software or hardware used in a business context.” For example, collaboration or communication apps such as Slack or Zoom are popular shadow IT resources. Shadow IT can also be extended to include actions such as sending a company email from a personal account. While shadow IT may be unauthorized, unsanctioned tech is ubiquitous. The reasons for its popularity and persistence include:
Productivity: A team may feel that an unsanctioned app allows them to do more — for example, they might think that Notion is more flexible than the company sanctioned collaboration tool.
Ease of use: People may prefer an app because they see it as easier to use than the stipulated corporate choices.
Distributed IT responsibilities: In smaller or younger organizations, choosing apps may be left to team managers. This might continue until a mature IT organization is introduced — sometimes until an organization has 200 or more employees.
Low-cost apps that provide a quick benefit: Employees can easily use a personal credit card to access inexpensive apps such as Grammarly.
Applications with free tiers: Some applications, such as Slack and Trello, offer extensive free tiers, allowing users to quickly adopt them.
Preferred apps: People often have preferred web browsers or tools (like Google Docs) or are simply used to specific communication and video conferencing tools, such as Zoom. These choices end up in the shadows of IT.
AccessOwl’s top three shadow IT apps in Q4 2023
AccessOwl surveyed 50 organizations to identify which applications were unmanaged shadow IT within the organization:
66% said ChatGPT by OpenAI
44% said Adobe tools (Creative Cloud and other Adobe apps combined)
42% said Canva
The challenges of shadow IT
Shadow IT may represent the preferred tech choices of staff, but these choices can bring serious issues and challenges:
Security
The decentralized nature of shadow IT makes it more difficult to manage and secure. Shadow IT effectively creates an expanded app and device surface, leading to poor visibility and challenges in enforcing access policies; you can’t protect what you can’t see.
Misconfigurations of apps outside of IT and security reach can lead to security gaps, as many studies have shown:
An Entrust study found that 77% of IT professionals expect shadow IT to become a significant issue in 2023.
A 2023 Capterra study found that 76% of small- to medium-sized organizations reported that shadow IT created moderate to severe cybersecurity threats to the business.
Market research firm Forrester predicts that shadow AI will become a top concern for CISOs in 2024. This is in line with AccessOwl findings, which show thatChatGPT is one of the most popular shadow IT apps.
One of the biggest challenges in security, in general, is that identity and access management (IAM) tools must be able to see an app or a device in order to enforce access privileges. If you’re unsure about what software your employees are using, off-boarding will be extremely challenging. Shadow IT can even lead to data breaches — for instance, if an employee imports restricted data into a non-regulated shadow app and retains access to the app after being off-boarded, that data is at risk.
Data protection gaps appear without full visibility, allowing data leaks. Measures to prevent data loss include:
Single** sign-on (SSO):** SSO allows users to access apps using a single click. Enforcing the use of SSO for all apps, including shadow IT apps, is a way to reduce the risk of data loss. Users may be required to register their shadow IT apps in the SSO portal before they can access them. Alternatively, in the case of applications supported by basic SSO providers, such as Microsoft or Google, there’s no need to re-register a shadow IT app; IT can centrally deactivate an employee’s login, making it impossible to use their login to access other apps.
The principle of least privilege (PoLP): Enforcing this principle means that access to apps and data is granted only to employees who truly need it. (Shadow IT leaves gaps in access management and controls, leading to permission sprawl, which, in turn, leads to data leaks.)
Data loss prevention (DLP) software: DLP software helps to stop sensitive data from leaving corporate control, no matter what app or service an employee uses. DLP can also be used to prevent data from being copied to a USB key or another media device.
Resource access and controls
Data governance and control issues are inherent in shadow IT’s security challenges.
A lack of resource control leads to an increased risk of data loss. For example, if an employee exits an organization but still has access to a platform via password login, continued access may be difficult to discover, and data may be lost. Solutions such as SSO and account monitoring can address this, but only if shadow IT can be incorporated into the visible IT landscape of an organization.
App sprawl
A serious shadow IT issue, at a license and governance level, is the uncontrolled use of apps. This can lead to efficiency and productivity issues over time.
Duplicate tools and cost control
One natural outcome of shadow IT is that teams and departments invest in the same apps and, therefore, spend unnecessary money.
Compliance
Poor visibility, security threats, and license issues lead to regulatory adherence problems. With full visibility of apps and devices, it becomes easier to complete privacy assessments required by regulations such as GDPR. Ultimately, with shadow IT, proof of compliance is difficult to demonstrate, and audits required by regulations such as SOC 2, HIPAA, and ISO 27001 are difficult to carry out confidently.
Fixes for shadow IT challenges
Employees choose shadow IT because it helps with productivity, and it’s likely to remain part of the corporate tech environment. However, there are steps you can take to ensure that shadow IT comes into the light:
Streamline procurement
Remove the barriers to app choice and make it easy for employees to access and request their preferred software.
Accommodate decentralized software and hardware
Add a layer of shadow IT governance, and encourage employees to come forward to register their tech. This provides teams with the ability to manage their own tools while ensuring that the organization has a central overview of those tools and access to them. A good practice is to make it easy for employees to see which applications are already in use, with use cases.
Review and register shadow IT
Once you accommodate decentralized tech onboarding, you can keep a register of shadow IT based on types of software — this allows risk assessments on the shadow IT stack to be carried out: use tools that automate access requests as part of your shadow IT registration and discovery. Features such as the ability to query Google Workspace as to whether an employee has received an invite email can help to identify shadow IT.
Review SSO logs
SSO can help reduce shadow IT risks caused by permission sprawl and uncontrolled permissions. Require that employees register any shadow IT app with an SSO portal for SSO access. This allows logs to be reviewed and PoLP to be enforced. This method also allows IT to monitor any unusual activity to help prevent data loss.
Read more about SSO: What are the Limitations of SSO? | Identity and Access Management
Solving shadow IT challenges using SSO automation
Shadow IT can have positive effects: it can provide employees with choices and help to distribute IT responsibilities to frontline users. However, shadow IT also causes security and governance issues that lead to compliance nightmares. A lack of shadow IT visibility leads to permission sprawl and uncontrolled access, with an increased risk of data loss and misconfiguration opening severe security gaps. Fortunately, these challenges can be surmounted by employing shadow IT governance, discovery, and automation of permission enforcement based on SSO. By balancing the negatives with actionable positives, shadow IT can be embraced and finally come out of the shadows.