
What is shadow IT?

The steep rise in shadow IT is attributed to the pervasive use of mobile devices and cloud-based applications and services. Although shadow IT can improve employee productivity and drive innovation, it generates serious vulnerabilities and security risks as it expands the unknown parts of an organization’s attack surface, creating opportunities for cyber attacks and compliance violations.

Malware or other malicious assets planted by cybercriminals are not considered shadow IT. Shadow IT only encompasses unsanctioned assets deployed by authorized users.

Definition of shadow IT

Shadow IT refers to digital systems, devices (e.g., personal computers (PCs), laptops, tablets, and smartphones), software, applications (i.e., usually off-the-shelf packaged software), and services (i.e., predominantly software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)) that are used within an organization without the knowledge of the IT department.

Understanding shadow IT

The consumerization of technology is a root cause of shadow IT. The low cost and accessibility of IT resources have led to an explosion of shadow IT.

In some cases, the decision to acquire and use shadow IT is deliberate. Users explicitly circumvent IT to procure solutions that IT has disallowed or to access a solution perceived as better than sanctioned resources. Users may also acquire resources without alerting IT because the approval and procurement process is deemed too onerous.

In many cases, users are not willfully excluding their IT department from evaluating resources; they simply sign up to use a system at the behest of partners or other external entities or use systems they use at home or have used in other organizations.

Shadow IT can also occur when users create websites outside the corporate domain for development or one-off projects. Bring-your-own-device (BYOD) and working from home are other sources of shadow IT.

Differences between sanctioned and unsanctioned IT

The distinction at the core of shadow IT is between sanctioned and unsanctioned IT (e.g., devices, applications, and services). The difference is simple.

Sanctioned IT solutions have been vetted, approved, and often hardened to eliminate vulnerabilities. On the contrary, unsanctioned IT (i.e., shadow IT) solutions have not.

Unsanctioned IT exposes organizations to threats (e.g., malware and data loss) that can be introduced into networks by cybercriminals, malicious insiders who take advantage of weaknesses, or accidental insiders who inadvertently create vulnerabilities.

Common examples of shadow IT

As the examples below illustrate, shadow IT does not mean the resources are inherently non-secure. The issue with their use lies in the fact that IT does not know they exist and, therefore, cannot protect the organization from them. Common examples of shadow IT include:

Any application used for business purposes without involving the IT group, such as applications for:

  • Cloud storage
  • Collaboration
  • Communication and messaging
  • Document proofreading
  • File sharing
  • Productivity
  • Project management
  • Social media management

Employees’ personal devices, such as:

  • Laptops
  • Phones
  • Storage devices (e.g., USB drives and external hard drives)
  • Tablets

Risks associated with shadow IT

While shadow IT is adopted for the benefits provided by the selected tools, shadow IT assets increase cyber risk by creating vulnerabilities that fall outside the reach of security systems, including the following.

Security vulnerabilities

Shadow IT brings with it a number of vulnerabilities. The security issues usually associated with shadow IT come from a lack of security controls and processes. For instance, shadow IT elements are not included in IT monitoring and maintenance programs and are often found to be behind on software updates and security patches, as well as carrying viruses and other malware.

Additionally, shadow IT solutions often lack the authentication and other access controls required of sanctioned solutions. This makes shadow IT more susceptible to unauthorized access, which can expose sensitive information and unwittingly provide a point of entry to secured networks.

Collaboration inefficiencies

Shadow IT introduces systems that are not used across an organization. This creates collaboration issues related to communications and data sharing since shadow IT is often not integrated with sanctioned systems and workflows.

Compliance issues

Shadow IT rarely meets the stringent compliance requirements of regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and General Data Protection Regulation (GDPR). This not only puts data at risk but exposes organizations to fines and penalties related to compliance violations.

Potential for data loss

When sensitive data is stored on, accessed by, or transmitted through shadow IT systems and applications, the risk of data breaches or leaks increases significantly. In addition, data stored outside of sanctioned IT systems is not included in backups, putting it at risk of irrevocable loss in the event of a failure or attack.

Data inconsistency

When data is spread across shadow IT, it falls outside IT’s centralized management. This results in the creation and propagation of unofficial, invalid, or outdated information, and also creates versioning issues.

Lack of IT visibility and control

Because shadow IT often goes undetected by security teams, organizations are exposed to unknown vulnerabilities commonly exploited by cybercriminals.

Operational inefficiencies

Shadow IT often does not integrate easily with sanctioned IT infrastructure. The result is workflow obstacles and challenges in sharing and synchronizing information. In addition, conflicts can arise when IT-sanctioned solutions are introduced that interfere with or interrupt shadow IT that users rely on for day-to-day operations.

Shadow IT benefits

Although shadow IT has risks, its users tout its benefits as a reason for using it, including the following.

Enhanced flexibility and innovation

Because it is quickly accessible and offers virtually limitless options in terms of available solutions, shadow IT is inherently flexible. This flexibility leads to innovation in how work is done by allowing users to experiment with different systems. It also can lead to innovation in other areas, such as communication and even product design. When used judiciously, shadow IT can also facilitate an organization’s digital transformation by bringing more technology to day-to-day operations and processes.

Addressing immediate needs

The accessibility of hardware and software solutions, especially those available as cloud services, opens up a vast array of IT resources. If an employee is not able to accomplish a task with the tools provided by IT, or they find something that seems more efficient, they can order it or sign up for an account and start using the new tool in near real-time.

Increased productivity

Employees who use shadow IT do show improved productivity, which is attributed to their being able to use the tools with which they are most comfortable. In some cases, productivity is increased because they bypass cumbersome processes associated with acquiring or accessing IT systems and tools. Additionally, if employees do not have suitable systems or tools, they can get them on their own more quickly than if they had to navigate IT procurement processes.

Additional benefits of shadow IT

  • Allows employees to use the best tools for their jobs
  • Eliminates bottlenecks related to getting approval from IT for new systems
  • Enables teams to be more agile in responding to business changes
  • Facilitates the adoption of new technology more rapidly
  • Facilitates the launch of new systems in just minutes
  • Increases employee satisfaction by letting them use the tools they like

Management strategies for shadow IT

Managing shadow IT can materially mitigate its risks. Organizations can allow shadow IT and benefit from it by adopting and enforcing controls. The following are several tactics that have been successfully employed to manage shadow IT risk.

Establishing clear IT policies

Effective management of shadow IT starts with developing and implementing a comprehensive usage policy. The shadow IT policy should provide details about the acceptable use of unsanctioned technology, establish processes for having a solution approved, and dictate the security controls that are required for its sanctioned use. Shadow IT policies should be made part of employee handbooks, and the penalties for noncompliance should be clearly articulated and enforced.

Shadow IT policies can also include direction for security and IT teams. These sections should cover the approval processes as well as detail what tools should be used to manage and monitor shadow IT.

Providing employee training and awareness

Education and clear communication are vital to managing shadow IT. Employees need to be educated about the risks of shadow IT and how to follow the organization’s security policies when using personal devices or services not provided through the IT department. Training and ongoing communication should include a clear explanation of the process for working with IT to use tools that have not yet been sanctioned and remind employees about the penalties for noncompliance.

Implementing monitoring and reporting tools

Monitoring systems can be used to identify instances of shadow IT by detecting unauthorized use of IT resources. This can be done using purpose-built shadow IT discovery tools as well as monitoring firewall logs and intrusion detection and prevention systems’ activity to identify anomalies. Additionally, cloud access security brokers (CASBs) can detect unauthorized systems. If shadow IT is a significant concern, penetration testing and other ethical hacking measures can be used to identify instances of it.
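The log-review approach described above can be reduced to a small piece of detection logic. The following is an added example, not code from the original article: it parses a handful of constructed firewall/proxy log lines (the `key=value` export format, the host names, the user names and the `SANCTIONED_DOMAINS` allowlist are all assumptions for illustration), flags every destination that is not a sanctioned domain or a subdomain of one, and aggregates the result per destination so an analyst can see which unsanctioned services are in use, by whom, and how much data is flowing to them.

```python
"""Flag unsanctioned cloud destinations in firewall/proxy logs.

Added example for illustration; not the article's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample log lines (assumed key=value export format).
# The last line is deliberately malformed to show that the parser skips it.
SAMPLE_LOGS = """\
2025-02-10T09:01:12Z src=10.1.4.23 user=alice dst_host=drive.example-corp.com action=allow bytes_out=1204
2025-02-10T09:02:45Z src=10.1.4.23 user=alice dst_host=files.unknowncloud.test action=allow bytes_out=58212345
2025-02-10T09:03:10Z src=10.1.7.8 user=bob dst_host=chat.example-corp.com action=allow bytes_out=2048
2025-02-10T09:05:33Z src=10.1.7.8 user=bob dst_host=paste.randomnotes.test action=allow bytes_out=4096
2025-02-10T09:06:01Z src=10.1.9.2 user=carol dst_host=files.unknowncloud.test action=allow bytes_out=93000000
2025-02-10T09:07:19Z src=10.1.4.23 user=alice dst_host=updates.example-corp.com action=allow bytes_out=512
this line is malformed and should be skipped
"""

# Assumed allowlist: the organization's vetted service domains.
SANCTIONED_DOMAINS = {"example-corp.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"dst_host=(?P<dst>\S+) action=(?P<action>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["dst"] = record["dst"].lower()  # normalize host names before comparison
    record["bytes"] = int(record["bytes"])
    return record


def is_sanctioned(host, sanctioned):
    """True if host equals a sanctioned domain or is a subdomain of one.

    The leading dot in the suffix check prevents 'notexample-corp.com' or
    'example-corp.com.evil.test' from matching 'example-corp.com'.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def find_unsanctioned(log_text, sanctioned, bytes_threshold=10_000_000):
    """Aggregate traffic to destinations outside the allowlist.

    Returns {dst_host: {"users": set, "events": int, "total_bytes": int,
    "high_volume": bool}}. 'high_volume' marks destinations whose total
    outbound bytes reach bytes_threshold, a rough data-exfiltration indicator.
    """
    findings = defaultdict(lambda: {"users": set(), "events": 0, "total_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_sanctioned(rec["dst"], sanctioned):
            continue
        entry = findings[rec["dst"]]
        entry["users"].add(rec["user"])
        entry["events"] += 1
        entry["total_bytes"] += rec["bytes"]
    for entry in findings.values():
        entry["high_volume"] = entry["total_bytes"] >= bytes_threshold
    return dict(findings)


def report(findings):
    """Render findings as text lines, largest data volume first."""
    lines = []
    ordered = sorted(findings.items(), key=lambda kv: kv[1]["total_bytes"], reverse=True)
    for dst, entry in ordered:
        flag = " [HIGH VOLUME]" if entry["high_volume"] else ""
        lines.append(
            f"{dst}: {entry['events']} events, {entry['total_bytes']} bytes out, "
            f"users={sorted(entry['users'])}{flag}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_unsanctioned(SAMPLE_LOGS, SANCTIONED_DOMAINS)):
        print(line)
```

In practice the allowlist would come from the organization's approved-vendor list and the log text from the firewall, proxy or CASB export; the same suffix-matching and per-destination aggregation then give a first-pass inventory of unsanctioned services to follow up on.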

Compromising to minimize shadow IT risks

Although IT departments want employees to use sanctioned systems so that they can be protected with corporate security controls and included in overarching operational and budgeting plans, some departments have found that strict control over which systems are sanctioned, and over how sanctioning is achieved, has driven users to shadow IT.

As a result, some organizations choose a more open approach to shadow IT systems: IT teams determine what is used and how best to protect it, and users have access to the tools they want and need.

Although this type of compromise is not easy, working together is one way that users and IT can find ways to mitigate the risk of shadow IT.

Shadow IT FAQ

What are examples of shadow IT?

Examples of shadow IT practices include:

  • Downloading unapproved software
  • Sharing access credentials
  • Storing sensitive information on personal devices
  • Using personal devices and services (e.g., personal email accounts) for work
  • Using unauthorized cloud services (e.g., storage and file sharing)
  • Utilizing unauthorized communication tools (e.g., social media accounts and instant messaging platforms)

Is shadow IT a threat?

Without a doubt, shadow IT is a threat if left unmanaged. When IT is completely unaware of what unsanctioned systems and software are being used, the organization’s security posture can be significantly compromised, which can result in compliance violations.

One of the most common shadow IT practices is file sharing, which puts organizations at risk of data exfiltration and exposure of sensitive data. Threat actors also target shadow IT systems and applications to gain unauthorized access, as they lack the security controls of those managed by IT. Additionally, shadow IT systems create headaches for helpdesk teams that must address users’ issues caused when unsanctioned systems and software interact with sanctioned ones.

Is shadow IT a good thing?

While shadow IT can be a threat, when well managed, it has its merits. Shadow IT can enhance productivity and efficiency. It can even improve the sanctioned portfolio of IT tools.

For the most part, users gravitate to shadow IT to make their jobs easier and not to cause trouble. They turn to tools that they are familiar with and comfortable using so they can focus on their tasks and not have to learn how to use or fight with new technology.

IT teams that engage with users about the tools that they prefer to use gain insights into new solutions that can be added to the organization’s technology portfolio. Often, these are tools unique to specific functions that IT teams would not have known were available, much less the positive impacts that they bring to users.

Why do employees use shadow IT?

Three of the most commonly cited reasons that employees use shadow IT are:

1. IT takes too long to approve new systems.

2. Security policies inhibit them from getting their job done.

3. Shadow IT increases their efficiency.

Are shadow IT and malware the same thing?

Shadow IT and malware are not the same thing. Although shadow IT can be a source of malware infiltration, it is not malware.

Shadow IT is associated with malware because cybercriminals often target shadow IT, which they consider a weak access point, with malware and ransomware. This is because shadow IT usually lacks the security controls that protect sanctioned IT systems.

How should organizations mitigate shadow IT risk?

Although it is nearly impossible to eradicate shadow IT, best practices for mitigating it include improving the user-friendliness of IT-sanctioned resources by:

  • Educating employees about the risks of shadow IT
  • Ensuring easy access to the resources employees need, including those accessing them remotely
  • Making a list of IT-approved vendors and services that are easily accessible
  • Performing SaaS assessments to detect shadow IT proactively
  • Prioritizing user experience (UX)
  • Providing support for integrating tools
  • Streamlining user accounts
  • Using operating systems with which employees are comfortable

Date: February 10, 2025
Reading time: 9 minutes