Virtualization Technology News and Information
How to Mitigate the Impacts of Shadow IT on Your Cloud Environments

By Dmitry Dontov, CEO and Chief Architect of Spin Technology

Shadow IT has been a thorn in the side of corporate IT and security departments for decades now. Left unchecked, employees using technologies without company knowledge or approval can introduce grave security and compliance risks. And in the age of cloud- and application-centric operations, and a business environment in which employees are working primarily from home beyond corporate IT oversight, the problem is only growing. In fact, nearly 80% of IT professionals believe shadow IT will become a massive issue for organizations by 2025, according to one Entrust Datacard report.

Public cloud solutions have made valuable services available to individual employees through just a few clicks. Services like Google Drive, OneDrive, Dropbox, Box, and other cloud solutions generally only require an email address to set up and are available for free. And it's never been easier for users to access specialized applications. This makes these types of services very appealing to employees who want to access certain data anywhere and on any device, especially if they do not have a sanctioned way to do this with business-approved solutions. And in a post-COVID world where remote work has become the norm, IT and security departments have far less visibility and control over the services and applications employees adopt and use in their home environments.

Let's take a closer look at modern shadow IT, the risks it presents for your business and cloud data, and the steps you must take to minimize the threat. 

Understanding Shadow IT

The industry defines shadow IT as any unsanctioned use of products, services, and solutions that do not align with an organization's security, compliance and data governance policies and requirements. Anyone with IT and security experience is all too familiar with this issue, but it's essential to understand the drivers behind it - why employees opt for shadow IT.

Some users adopt unapproved third-party apps or tools to bypass company restrictions and policies that impede access to types of network traffic or software they see as vital to productivity (or that they simply prefer). Generally speaking, employees often turn to shadow IT to access cloud collaboration tools with features like file sharing, cloud-to-cloud file transfer, and online file storage. They might see these solutions as more effective or convenient than corporate-sanctioned options, and to avoid lengthy IT processes and the risk of denial, they'd rather ask for forgiveness than permission.

While the intention is often to propel the business forward and remove roadblocks to productivity, what users often overlook is that they're actually introducing security vulnerabilities and threats to your company data in the process.

Shining a Light on the Shadow IT Risks

Let's examine the top shadow IT concerns, the security risks associated with them, and why they matter:

  • Mistakes and misconfigurations - Picture an employee who creates an unsanctioned Amazon S3 bucket to remove the limitations of your sanctioned on-premises storage, but inadvertently leaves it open (and your data exposed). Departments or users who lack technical experience and hold unfounded assumptions often make these dangerous security errors when using unsanctioned software and services. Many mistakenly assume that security is simply built into cloud solutions by default, not realizing the onus is actually on them.

  • Sharing sensitive information outside of the organization - Along with using unsanctioned software and services, shadow IT involves using unapproved hardware to store and access data as well. Using a cloud Software-as-a-Service (SaaS) storage application, employees can easily use personal devices to access, edit, and even share information outside the organization's purview. For instance, an employee might upload a document containing historical customer data to their personal OneDrive account to access the information on a personal device to work after hours on an annual report. This opens your business up to even further security concerns when devices that may not have the appropriate security software and other protections in place interact with sensitive business-critical data.

  • Installing malicious mobile apps - End users often place too much trust in third-party applications for mobile devices. Think of a situation where an employee installs a malicious application on their mobile device that already has access to a personal cloud environment in which they have copied sensitive business data. There's a good chance the end user will have granted the malicious application all the permissions it needs to access that data during installation, which represents a major data leak concern.

  • Transferring sensitive data from a company cloud account to a personal one - Very often, departing employees try to use cloud-to-cloud data transfer SaaS services to connect their business account with personal ones to transfer company Google Drive files to a personal Google Drive. As a result, that employee might blackmail the company in the future, or may cause new cases of data leakage.

Most public cloud vendors operate using some similar form of a shared responsibility model. This means that users can't absolve themselves of security accountability, and that any data leakage or other security or compliance repercussions caused by shadow IT in cloud environments is your responsibility.

Shadow IT increases the likelihood of uncontrolled data flows, leading to serious compliance issues as well. An unsanctioned Amazon S3 bucket your employee misconfigured could lead to a General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) violation. That's just one example of user shadow IT behavior with serious compliance risks. These regulations can cause tremendous financial and reputational damage from which some companies never recover.
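To make the open-bucket scenario concrete, here is an added example (not from the original article or from Spin) that flags S3 buckets readable by anyone, taking the account's Block Public Access switches into account. The record shape (`acl_grants`, `policy`, `public_access_block`) and the bucket names are assumptions, modelled on what S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls return; treating any `Condition` as "needs manual review" is a simplification of AWS's own evaluation.

```python
import json

# Global grantee groups that make an ACL grant public
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # "*" or {"AWS": "*"} means anyone
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_exposure(bucket):
    """Return the reasons a bucket record is reachable by anyone."""
    pab = bucket.get("public_access_block") or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):  # public ACL grants are honoured
        for grant in bucket.get("acl_grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("acl:" + grant["Permission"])
    if not pab.get("RestrictPublicBuckets"):  # public policies are honoured
        policy = json.loads(bucket.get("policy") or '{"Statement": []}')
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
                # A Condition may narrow access; flag it for manual review instead
                tag = "policy-review:" if stmt.get("Condition") else "policy:"
                findings += [tag + a for a in _as_list(stmt.get("Action", []))]
    return findings

def audit(inventory):
    # Map bucket name -> findings, keeping only buckets with at least one finding
    return {b["name"]: f for b in inventory if (f := public_exposure(b))}

def _policy(principal):  # constructed read-only policy for the samples below
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed inventory (not real buckets)
INVENTORY = [
    {"name": "example-team-share", "policy": None, "public_access_block": None,
     "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]},
    {"name": "example-export", "policy": _policy({"AWS": "*"}), "acl_grants": []},
    {"name": "example-reports", "policy": _policy("*"), "acl_grants": [],
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
]
```

Calling `audit(INVENTORY)` reports the first two buckets and omits `example-reports`, whose public policy is neutralised by its Block Public Access settings.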

Establishing Control Over Shadow IT

When employees engage in shadow IT, specifically storing data, sharing data, or collaborating through SaaS applications in the cloud without implementing proper security measures and configurations, the results can be catastrophic. It's arguably the most significant cybersecurity risk threatening your cloud environment and business-critical data today. You cannot manage and secure what you can't observe, so you must establish heightened cloud visibility and control in order to get a handle on shadow IT.

The best way to do this is to extend on-premises shadow IT policies to the cloud. This will require an AI-enabled cloud security platform like Spin that can continuously monitor your cloud properties to track how users and third-party applications share, access, and otherwise interact with company data and assets. Prioritize solutions with machine learning algorithms that can detect and alert you to abnormal user behaviors and anomalies that indicate risks such as data leakage, insider threats, ransomware and more. You should also prioritize solutions that enable you to maintain tight control over approved and actively permitted applications to ensure users aren't able to adopt malicious or unsanctioned services.

Managing shadow IT has always been an uphill battle for companies of all types and sizes. And there's no sign that it will vanish any time soon. The good news is that by understanding and addressing those motivations proactively and by establishing the capabilities necessary to monitor and control cloud services, third-party applications and user activities, you can dramatically mitigate the risks. Is your organization equipped to contain shadow IT today?


About the Author

Dmitry Dontov 

Dmitry Dontov is the CEO and Chief Architect of Spin Technology, a cloud data protection company based in Palo Alto, and the former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur with over 20 years of experience in security and team management, Dmitry has a strong background in the cloud protection field and is an expert in SaaS data security. Learn more here:

Published Monday, March 22, 2021 7:35 AM by David Marshall