Depending on who you ask, shadow IT, also known as stealth IT, falls somewhere on the spectrum between “persistent headache” and “total mystery.”
If you ask someone on an actual IT team, they might tell you that shadow IT poses an existential threat to security and compliance. But their coworkers – the folks responsible for bringing rogue tech into the company – typically don’t even know what shadow IT is. They’re just seeking out new tools because they’re unsatisfied with their existing stack. Both parties are just trying to do their jobs; but they all need to understand both shadow IT’s risks as well as its benefits.
Shadow IT, defined
Shadow IT refers to any technology – hardware, software, infrastructure, you name it – that is used in an organization, but is not administered by that organization’s IT department.
Because shadow IT does not go through the IT department’s procurement process, it may or may not abide by the organization’s security and compliance policies. This ambiguity is a primary characteristic of shadow IT; not only does the IT team not know whether the tools meet security standards, but they don’t know what the tools do, what data they may contain, or which systems they touch.
Most companies vastly underestimate the volume of data that lives in the shadows. In a survey conducted by Cisco, CIOs estimated on average that they had 51 cloud services running in their organization, while the actual average was 730. The number is even higher for bigger organizations: Cisco found that large enterprises on average use more than 1,200 cloud services, and more than 98 percent of them are shadow IT. This creates a significant security risk; in 2016, Gartner estimated that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources. And that means every company should be thinking about shadow IT.
Understand the risks of shadow IT…
The risk can be distilled into three categories: access, insight and integration. These are all related, and it takes more than rigid security policy to mitigate them:
Many shadow IT tools become embedded in an organization when an individual starts using a new tool to collaborate with teammates. Perhaps their company’s database is slow or expensive to query, so they export some tables from Segment to a new AWS instance to more easily analyze that data. As they conduct more analysis and share their results, more users are granted access to those tables.
But when that first person spun up that AWS instance, they weren’t thinking about securing the data they put in it. They didn’t bother setting up two-factor authentication, they just wanted a faster way to get their work done. What if someone they added to the instance accesses it with their personal account, and used the same password as their personal account for another service? What if that other service gets hacked, and all user logins are posted on Pastebin? Or what if the person who started the project leaves the company and their user remains an admin on the account?
These scenarios happen more often than you might think. The 2019 Data Risk Report by Varonis found that 40 percent of companies had more than 1,000 stale but enabled user accounts, and 61 percent of companies had more than 500 users with passwords that never expire.
This is why, when analyzing tools, IT teams typically prioritize the ability to manage who has access to a tool, and enforce rules about how that access works.
Another risk in shadow IT is the inherent lack of insight security teams have into the usage of those tools. Typically, centrally administered tools are analyzed through an audit log, which reveals who accessed a tool, what data they brought in or pulled out, and when those events took place. Audit log data is then imported into a centralized security reporting infrastructure. There, automated analysis can take place to detect and alert the team to anomalies that may suggest security threats, like access by an account owned by a former employee, or an abnormally large amount of data being exported from a sensitive location.
Because shadow IT tools exist outside of that centralized, automated system, it becomes nearly impossible to know when a breach has taken place, much less prevent one from happening in the first place. This is one of the primary reasons security-minded organizations are employing a CASB for additional visibility into their shadow IT landscape.
This insight is particularly important for companies in heavily regulated industries; understanding where your company’s data lives is critical to staying compliant with policies like HIPAA and GDPR.
No one who builds B2B software in good faith wants to create security risks for their customers. Many of the most popular tools that exist as shadow IT, like Dropbox or Slack, offer security features like two-factor authentication and audit logs.
But even when these features are enabled, tools that are not administered by the IT department are therefore not integrated with the rest of the organization’s tech stack. Updates made in the company’s identity provider won’t be pushed to the user list of a shadow IT tool. Threats detectable in audit logs will have to be analyzed separately from the central, automated system.
And though it’s less of a security threat than a threat to productivity, integrating the work that takes place in shadow IT tools with the work of the rest of the company poses another challenge. One of the core benefits of using the company’s centrally administered, centrally integrated tools is that those tools are typically built to enable better crossflow of data.
…But don’t discount the benefits
Shadow IT is a fact of life, a force you couldn’t simply banish with a security policy. And even if you could, you shouldn’t; while shadow IT does pose security and compliance risks, it’s often the primary driver of innovation and productivity gains. 97 percent of IT teams surveyed by Entrust Datacard said their employees were more productive when allowed to use their preferred tools, and 80 percent said their companies should deploy more tools suggested by employees.
The bottoms-up adoption path followed by shadow IT tools can reveal which are true winners and should be standardized across the company, and that process often moves faster than conventional IT procurement.
So the challenge for teams tasked to “do something about all this shadow IT” is therefore not to eliminate it – it’s to analyze it, minimize the risks, and maximize the benefits. This all requires balance; cohesive policy balanced with a strong company culture of collective accountability.