Everyone who works in a large organization knows it: there are (probably) a lot of IT projects that are not officially sanctioned. Although not a new phenomenon, it is important to understand what shadow IT is and why it matters. With more and more people working from home during the global pandemic, shadow IT is on the rise. More than ever, people use their own devices, connected to the corporate network over untrusted connections. This reduces visibility and control for corporate IT departments. In this article I will explain what shadow IT is and how you can deal with it. In the end, the security of corporate data is still very important.
What is shadow IT?
Nearly every organization has rules and guidelines that tell employees which tools to use and how to exchange information between people and systems. Sometimes the rules are crystal clear, sometimes everything is based on tribal knowledge ("just the way we do things around here"). Corporate IT decides on the usage of IT systems throughout the organization. This keeps the company in control of how people work and of what happens with corporate information and data.
Shadow IT is the usage of any IT system or (technical) solution, such as an application or other technology, that is not known to and/or approved by the corporate IT department. It leaves the company less in control of its corporate information.
Typical examples where shadow IT plays a role:
- The usage of unapproved file-sharing applications like WeTransfer or Dropbox.
- Developers choosing their own development tools (e.g. IDEs, provisioning tools) to do their work instead of using the corporate tools.
- People using their own devices (BYOD), which are out of sight and thus not fully controlled by the corporate IT department.
- Using unofficial (cloud) subscriptions that do not follow the processes of the corporate IT department.
As you can see, shadow IT has a broad scope across the whole organization. It also includes custom solutions that are created and maintained outside the formal ones. Sometimes people do not even know they are creating and using shadow IT. These factors make it a challenge to deal with.
What are the main drivers?
Perhaps the main driver for shadow IT is the desire of people within the organization to do their work correctly and in a timely fashion.
A DevOps team that focuses on the delivery of business features might move away from the formal solutions and processes to:
- deliver their application(s) fast and in their own way
- save costs and resources by eliminating several manual, and thus painful, processes
- quickly iterate over multiple releases to gain immediate feedback
By doing so, they become very innovative: they experiment with new technologies and validate their solution against business requirements. Results come much faster, since they have direct access to the (human) resources they need.
From the work-from-home and bring-your-own-device perspective, these might be reasons to avoid the official IT solutions:
- the corporate devices (laptops, smartphones, virtual desktop environments) lack easy-to-use software. People are more comfortable with their own choice of software applications.
- corporate IT is too slow to keep up with the features of their own devices and their own software solutions.
- people are not aware of the security risks of shadow IT.
All this leads people to feel free to do their work the way they want. They do not care about corporate security rules; instead, they focus on getting the work done, no matter what.
In an Agile world, is this a bad thing?
Given the main drivers, the business rationale is relatively easy: work is done faster by people who are happier. It boosts productivity, since the overhead of too many meetings is reduced. Furthermore, fewer people get frustrated, which might lead to less sick leave.
Another business rationale is the fast delivery of business features. Imagine a team that needs to wait one week to get an AWS account from a centralized IT team, and even longer to give every team member access to it. Perhaps the request goes through a cumbersome internal website that only works in Internet Explorer 6; users with a MacBook, which has no Internet Explorer installed, cannot use it at all. The team in charge might just create their own subscription and pay for it themselves, sending the bill to the business department every month.
Looking only at the core activities of the organization, this might seem like a good situation. It sounds right at first glance, but there are many more drawbacks that people do not think of immediately.
Risks of shadow IT
Based on the above examples, there is a clear sign that the tools and processes of corporate IT do not meet the teams' expectations.
The gap between official IT and unofficial IT is wide:
- Security risks include data loss, unpatched vulnerabilities and compliance issues. For organizations bound by regulations, this is a major factor.
- Shadow IT is difficult or impossible to manage, since the corporate IT department has no control over it.
- Higher costs: especially in the long term.
Based on a number of interviews TechRepublic conducted last summer, they concluded that people use far more file-sharing applications and remote access tools. People share sensitive documents via their private accounts, not knowing what happens with the data they send around.
Especially with SaaS solutions, you do not know exactly where your data ends up. Perhaps you are not allowed to process sensitive (e.g. privacy-related) data outside your own country. With a file-sharing SaaS like Dropbox, hosted in the USA, you can be at risk if the personal data of your customers has to comply with the GDPR.
Vulnerabilities make devices easier to hack, and people might disable their firewall to access specific websites. Since shadow IT is not managed centrally, vulnerabilities can remain open for too long, increasing the chance that an attacker finds a weak spot and exploits it. Sometimes people turn off their VPN to the corporate network (or just forget to enable it) for various reasons.
Since lack of control is a serious issue, consider a scenario in which someone uses their own laptop with an unencrypted filesystem. The organization faces a huge problem if this laptop is stolen and all the sensitive data on it is exposed. From a compliance point of view this is undesirable, but it also damages the reputation of the organization. The list goes on and on, but I will stop here 🙂
The previous list of risks was mainly focused on the security perspective. What about the business perspective?
Reinventing the wheel: since corporate IT is not aware of custom solutions built by independent teams, they might (and will) create duplicate solutions for the same problem. Several similar solutions lead to new problems: which one is the best (or preferred)? This confuses other teams and wastes money and effort.
Shadow IT tends to be a solution for quick wins. However, it can have a devastating effect on other teams. If more teams follow this trend and management notices it, the initial initiatives can lead to heavy push-back from management. So while it speeds things up in the short run, in the long run it has a completely different outcome. In the end it is still best to address and escalate impediments with the appropriate people and work together on a proper solution.
While not immediately clear, both types of risk pose a threat to the business continuity of the organization, and they should be avoided as much as possible.
Detection and prevention
There are many ways to detect and prevent shadow IT. Most of them focus on either the human or the technical perspective.
From a human point of view, it is most important to educate your people. Since they might not be aware of the problem, you have to outline the problem first. Give them concrete examples of what can go wrong and what the consequences are. You can invite an external speaker who is not biased about the organization itself.
The more people are aware of the problem, the less likely it is that things become a real issue. Prevent shadow IT before you need to detect it.
Tools provide a great way to detect unwanted behaviour. For example, tools can monitor your network traffic (web proxy or DNS logs are the usual starting point) and intercept calls to SaaS products. If you notice people are using third-party tools, give them the right tools they need: conduct a feasibility study, assess the new tools quickly, involve the heavy users and let them work with corporate IT to move forward and get the tool approved. This makes sure the new tool is both secure and approved, and the initiative is well received.
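One way to turn such monitoring into a concrete check, as an added example that is not part of the original article: the script below runs over a few constructed web-proxy log lines and flags uploads to known consumer file-sharing services as well as large uploads to hosts that are not on the sanctioned list. The log format, the `APPROVED_HOSTS` allowlist, the `FILE_SHARING_SUFFIXES` list and the upload threshold are all assumptions made for this example; replace them with your own proxy format and SaaS catalogue.

```python
"""Flag unapproved SaaS usage in web-proxy logs (added example, not from the article)."""
import re
from collections import defaultdict

# Hypothetical allowlist standing in for the corporate SaaS catalogue.
APPROVED_HOSTS = {
    "sharepoint.example.com",
    "teams.microsoft.com",
    "git.example.com",
}

# Domain suffixes of consumer file-sharing services (illustrative, not exhaustive).
FILE_SHARING_SUFFIXES = ("dropbox.com", "wetransfer.com", "drive.google.com")

# Only requests that send data count as uploads.
UPLOAD_METHODS = {"POST", "PUT"}

# Assumed (constructed) proxy log format: "<timestamp> <user> <method> <host> <bytes_out>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[\w.-]+)\s+(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].lower()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it; plain substring matches
    would wrongly flag e.g. notdropbox.com, so they are deliberately not used."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def aggregate_uploads(lines):
    """Sum bytes sent per (user, host) over upload methods; return (totals, skipped_lines)."""
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        if rec["method"] in UPLOAD_METHODS:
            totals[(rec["user"], rec["host"])] += rec["bytes_out"]
    return dict(totals), skipped


def findings(lines, approved=APPROVED_HOSTS, file_sharing=FILE_SHARING_SUFFIXES,
             upload_threshold=1_000_000):
    """Return (user, host, bytes_out, reason) tuples, largest uploads first."""
    totals, _ = aggregate_uploads(lines)
    out = []
    for (user, host), sent in totals.items():
        if host in approved:
            continue
        if host_matches(host, file_sharing):
            out.append((user, host, sent, "known file-sharing service, not approved"))
        elif sent >= upload_threshold:
            out.append((user, host, sent, "large upload to unapproved host"))
    out.sort(key=lambda f: f[2], reverse=True)
    return out


# Constructed sample log for this example; the last line is deliberately malformed.
SAMPLE_LOG = """\
2021-03-02T09:15:01Z alice POST teams.microsoft.com 2048
2021-03-02T09:16:42Z bob POST dl-web.dropbox.com 52428800
2021-03-02T09:17:05Z bob GET news.example.org 1200
2021-03-02T09:20:33Z carol PUT wetransfer.com 734003200
2021-03-02T09:21:10Z dave POST api.unknown-saas.io 8192
2021-03-02T09:22:00Z erin POST notdropbox.com 4096
this line is garbage and must be skipped
""".splitlines()


if __name__ == "__main__":
    for user, host, sent, reason in findings(SAMPLE_LOG):
        print(f"{user:6} {host:25} {sent:>12} bytes  {reason}")
```

On the sample log this reports carol (WeTransfer) and bob (Dropbox); dave's small POST to an unknown host stays below the default threshold, and erin's `notdropbox.com` is not matched because only exact or subdomain matches count. The output is a starting point for the conversation described above, not an automatic block: lowering `upload_threshold` widens the net, and every hit is a candidate for fast-track approval rather than a verdict.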
Best lesson for the security department: don’t say NO but help to find a solution.
In a DevOps world, the popular phrase "trust but verify" is an important one. Should this also apply to everyone else within the organization? There is a rising trend to monitor employee activity. Spying on people to keep track of every step they take violates the trust but verify principle.
Security guardrails are there to prevent security risks and help teams move quickly but in a secure way. If people feel watched, this might affect their freedom and creativity to push new initiatives. So be very careful with it.
Shadow IT has existed for a long time already. However, it is on the rise. Especially with the recent pandemic, people bring in their own devices, which creates more opportunities for shadow IT to thrive. Apart from reduced control, there are several security risks that can lead to problematic situations. Besides some initial business benefits, there are many more drawbacks in the long term. In this article I also highlighted what you can do to reduce the impact of shadow IT on your organization.