The past decade has seen a raft of technology coming into businesses – providing new opportunities to build, grow and innovate. However, while companies try to keep up with the newest trends and tools, employees often find their own ways to do their jobs, without those at the top even knowing about it.
This so-called ‘Shadow IT’ may seem innocuous to many workers, who just want to get the job done quickly and efficiently, but it poses a massive risk to IT and a huge security challenge for firms of all sizes.
So, how big a problem is Shadow IT in the modern enterprise, and what can security professionals do to tackle the issue?
The Rise of Shadow IT
Shadow IT is far from a new problem; it dates back to the arrival of PCs in the workplace and the first departmental, end-user-built applications, but it has continued to plague industries of all shapes and sizes as the cloud, and the variety of applications available through it, have grown.
Garrett Bekker, principal analyst at 451 Research, says it has grown over the years largely as the result of employees looking to get work done and finding the best apps to do that, without waiting for central IT to approve them.
He also says the workforce may not like what IT provides them, and have their own preferences, be it mobile phones, laptops or even an email service.
“This started becoming such a problem that it led to a new category of security vendors called Cloud Access Security Brokers (CASBs) whose initial purpose was to get a handle on Shadow IT and offer ways to mitigate the risk,” he says.
This helped many firms get a grip on the problem, not least when aligning themselves with the GDPR. However, with the coronavirus outbreak leading to more and more people working from home, Bekker thinks there is a strong possibility of a new wave of Shadow IT.
“Many firms will likely find their existing IT infrastructure for remote access strained, particularly their VPN infrastructure, and many employees may look to find their own applications to get work done without having to access on-prem apps that their firm provides,” he says.
“Many firms will also not have tools in place to control what their employees do on their laptops or desktops at home, which will also open the doors to more use of Shadow IT.”
Paul McKay, senior analyst at Forrester, says there has also been a rise in Shadow IT as separate business units make their own purchasing decisions, without giving the IT team a heads up.
“In the past, IT alone was able to make procurement-related decisions for technology acquisitions,” he says. “This has been eroded over the years, with many services procured by the business involving some level of IT.”
Research by Forrester in 2019 showed business units were heavily involved in about 40% of technology purchases.
McKay adds that Shadow IT is particularly difficult in the area of e-commerce, especially in retail. “Often e-commerce workers operate rapidly and, with cloud services commonly used, can now do quite a lot outside of the sight or direct control of IT,” he says.
“Marketing use of agencies is also another key use case which continues to persist.”
The Common Apps
Finbarr Goode Begley, senior research analyst at the Cavell Group, says the category of application most commonly creating a Shadow IT problem is communications.
“From the comms side of business, Shadow IT continues to exist because talking and communicating with people in a frictionless way is very important,” he says. “It is a common story that your company might only allow one official communications application on their network/phones/laptops. Yet, if you work in sales and your primary customers all use a different platform, you are going to want to do the same to make it easier to communicate with them.
“Often that is why Shadow IT makes it into businesses, because the solution or approach provided creates too much friction, and employees feel like they need to find an easier approach.”
McKay looks at it more broadly, explaining that Shadow IT comes mainly from the use of cloud services that are unsanctioned by IT and security leaders.
“These are much easier to procure and use directly by business units and their suppliers,” he says. Bekker agrees, pointing particularly to Software-as-a-Service (SaaS) apps.
“Mobility and Bring Your Own Device (BYOD) also present large problems for Shadow IT since it’s really hard to control what employees do on their personal devices, unless you force them to use mobile device management (MDM) or enterprise mobility management (EMM) tools.”
The Risks
So now we know the types of applications and areas where Shadow IT most commonly rears its ugly head, what actual risk does this pose to a business?
Bekker says the biggest risk is that IT “loses control” over what applications their employees are using, which creates several issues.
“One is a management and budgeting issue, since Shadow IT purchases are done at the departmental or even individual level, and so you may not get the economies of scale you might when things are purchased centrally,” he says.
“You also might have your employees using a wide variety of apps, which isn’t necessarily efficient – for example, if some of your employees are using Zoom and some are using Skype, it could present challenges for collaboration.”
However, the biggest issue is security, particularly if your employees are installing apps that haven’t been vetted for security risks, or that may violate company policies.
In this area, Marc Strohlein, research advisor for IDC, says the primary problem is “inadvertent mistakes or omissions regarding protection of security or privacy” by what he calls “Line of Business” (LOB) developers, who build apps that workers adopt but that were never designed for an enterprise environment.
“LOB developers and technology specialists simply don’t have deep backgrounds in building secure applications,” he says. “Another risk is that of LOB developers creating critical apps that may be fragile and/or poorly documented, making them difficult to maintain and support.”
He says creating or acquiring apps and systems from third-party vendors that don’t adhere to architectures established by IT organizations is problematic as they are difficult to integrate and support.
McKay adds Shadow IT creates the potential loss of data in unsecured cloud infrastructure, and that in turn leads to reputational risks – “for example, a marketing microsite that takes personal data considered overly sensitive gets negative press attention.”
Also, he says there is a risk of loss of service if there is a reliance on Shadow IT to deliver a critical revenue stream.
Make a Plan
These read like a list of nightmares for the security professional. So what is the best way to mitigate the risks of Shadow IT?
Strohlein says that historically CIOs have taken more of a ‘stick’ approach, trying to control or even ban Shadow IT by mandating compliance to IT policies and standards, but this has led to limited success.
“A much better approach is the carrot approach,” he says.
In his report, Moving from Shadow IT to Joint Venture LOB IT to Amplify IT Impact, he says CIOs have three choices regarding Shadow IT: ignore it, control and contain it, or find ways to work with developers constructively to ensure optimal outcomes.
Strohlein recommends providing guidance, training and support, development resources and other IT services to make these Shadow IT applications an extension of the IT organization.
“CIOs who try to fight or block LOB IT will come up short at best and unemployed at worst,” he adds. “There is a better answer and one that leads to improved business and IT performance.
“Supporting LOB IT is one of the biggest opportunities available for CIOs to firmly establish IT relevance. CIOs who figure out how to leverage – and not just sanction or control – their relationship will prosper, as will their enterprises.”
McKay says the challenge has now moved from the archetypal “servers underneath desks” to cloud usage, meaning security teams need to do two things.
“One is to use solutions aimed at gaining visibility of cloud services usage such as Cloud Security Gateways (CSGs, also called CASBs).
“These will help identify cloud services in use, identify risk levels associated with the services and give a view of data that is being held within them by the business. This allows you to get a handle on the problem and deal with it.”
However, this alone is not enough, adds McKay, saying that firms also need to design lightweight processes for approving business usage of cloud services.
“The process needs to be lightweight and uncomplicated or the business and other stakeholders will begin to find ways around it,” he says.
“The process needs to allow for a review of the service proposed (the CASB could help give a quick assessment here) and allow the security team to suggest safeguards and practices to follow to allow the business to use the services safely.”
Bekker agrees that using the discovery capabilities of CASBs to find out how many apps employees are actually using is a good first step.
“Most firms are surprised to find that number is much higher than they expected, often running in the hundreds, or even thousands,” he says.
After discovering what apps there are, Bekker says the next step is to perform some sort of scoring to help IT teams understand the risk to the company and what steps they may take, such as blocking some SaaS apps altogether, or sanctioning some apps for employees to continue to use.
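As an added illustration (not from the article or from any of the analysts quoted), the following Python sketch shows the discover-then-score workflow Bekker describes, run over a handful of constructed web-proxy log lines. The hostnames, the app catalog and its attributes, and the scoring weights and thresholds are all assumptions chosen for the example; a real CASB would supply the catalog and far richer risk attributes, but the shape of the decision (sanction, review, or block per app) is the same.

```python
"""
Added example: minimal SaaS discovery and risk scoring over web-proxy logs.
Everything here (log lines, catalog, weights, thresholds) is constructed
for illustration and is not taken from any vendor product.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, user, method, URL, bytes sent by the client.
SAMPLE_LOG = """\
2020-03-23T09:01:12Z alice GET https://mail.example-corp.com/inbox 1200
2020-03-23T09:02:40Z alice POST https://app.filedrop-saas.example/upload 5242880
2020-03-23T09:03:05Z bob POST https://app.filedrop-saas.example/upload 1048576
2020-03-23T09:04:19Z carol GET https://zoom.us/j/123 800
2020-03-23T09:05:44Z dave GET https://www.skype.com/en/ 640
2020-03-23T09:06:02Z bob POST https://api.pastebox.example/new 20480
2020-03-23T09:07:31Z erin GET https://mail.example-corp.com/inbox 900
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

# Constructed catalog: what a CASB's app database would tell us about each host.
CATALOG = {
    "mail.example-corp.com": {"app": "Corporate Mail", "sanctioned": True, "sso": True, "encrypts_at_rest": True, "file_upload": False},
    "zoom.us": {"app": "Zoom", "sanctioned": True, "sso": True, "encrypts_at_rest": True, "file_upload": True},
    "www.skype.com": {"app": "Skype", "sanctioned": False, "sso": False, "encrypts_at_rest": True, "file_upload": True},
    "app.filedrop-saas.example": {"app": "FileDrop", "sanctioned": False, "sso": False, "encrypts_at_rest": True, "file_upload": True},
}


@dataclass
class AppUsage:
    host: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_out: int = 0  # bytes the client sent, a rough proxy for data leaving the company


def parse_proxy_log(text):
    """Turn raw log lines into records, skipping malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, url, nbytes = m.groups()
        host = urlsplit(url).hostname
        if host:
            records.append({"ts": ts, "user": user, "method": method, "host": host.lower(), "bytes": int(nbytes)})
    return records


def discover_apps(records):
    """Discovery step: aggregate traffic per destination host (one host ~ one app here)."""
    usage = {}
    for r in records:
        u = usage.setdefault(r["host"], AppUsage(r["host"]))
        u.users.add(r["user"])
        u.requests += 1
        u.bytes_out += r["bytes"]
    return usage


def score_app(usage, catalog=CATALOG):
    """Scoring step: additive risk points (assumed weights), then an action threshold."""
    attrs = catalog.get(usage.host)
    score, reasons = 0, []
    if attrs is None:
        score += 5  # unknown host: treated as unsanctioned (3) plus unclassified (2)
        reasons.append("not in catalog")
    else:
        if not attrs["sanctioned"]:
            score += 3; reasons.append("unsanctioned")
        if not attrs["sso"]:
            score += 2; reasons.append("no SSO")
        if not attrs["encrypts_at_rest"]:
            score += 2; reasons.append("no encryption at rest")
        if attrs["file_upload"]:
            score += 2; reasons.append("file upload")
    if usage.bytes_out >= 1 << 20:
        score += 1; reasons.append(">=1 MiB sent")
    if len(usage.users) >= 3:
        score += 1; reasons.append(">=3 users")
    action = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return score, action, reasons


def triage(log_text, catalog=CATALOG):
    """End-to-end: parse, discover, score; keyed by app name (or bare host if unknown)."""
    results = {}
    for host, usage in discover_apps(parse_proxy_log(log_text)).items():
        score, action, reasons = score_app(usage, catalog)
        name = catalog.get(host, {}).get("app", host)
        results[name] = {"host": host, "users": sorted(usage.users), "bytes_out": usage.bytes_out,
                         "score": score, "action": action, "reasons": reasons}
    return results


if __name__ == "__main__":
    for name, r in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{r['action']:6} {r['score']:2} {name:24} users={len(r['users'])} "
              f"bytes_out={r['bytes_out']} ({', '.join(r['reasons']) or 'no findings'})")
```

On this constructed input the unsanctioned file-sharing host scores high enough to block, the two unsanctioned-but-lower-volume services land in the review queue where the security team can propose safeguards, and the sanctioned tools pass. The point is the pipeline, not the weights: the weights and thresholds are the part a team would tune against its own policy, and an unknown host should route to classification rather than being silently allowed.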
That brings us to a key point. With all the tools in the world to tackle Shadow IT or to work with developers, there is also a question of mindset to examine.
Goode Begley says that before companies use technologies like software-defined wide area networking (SD-WAN) to turn off all Shadow IT on the corporate network, they need to understand why employees are trying to use these tools in the first place.
He adds: “If you make it too difficult, they may just keep using Shadow IT on a mobile network, or using a mobile data connection.
“Instead, you should check what Shadow IT is being used, and ask why, and then try and find an incentive or alternative approach that meets the needs that your employees are filling with Shadow IT.”
Infosecurity explores the concept of Shadow IT in 2020 and assesses its implications for modern organizations.