What is shadow IT?
Shadow IT refers to the software-as-a-service (SaaS) applications accessed and used by employees without the knowledge or permission of their IT departments. It isn’t necessarily the case that any such application is inherently flawed or dangerous; “shadow IT” simply means that an app is being used without IT’s explicit approval or oversight (which does create risk for an organization).
Prior to the cloud, enterprise employees could access only applications made available by IT, which procured and managed packaged software for the organization as a whole. Licensing, software updates, and access rights were all controlled by IT.
With the onset of self-serve applications made possible by the cloud and app stores, users were no longer restricted to applications specifically sanctioned by IT. They could choose to work with the tools that enabled them to get their jobs done more easily or efficiently, and so they did.
Why does shadow IT occur?
Shadow IT typically occurs when an employee has a particular job to do and has a preference about how to get it done—perhaps the employee has previous experience with a specific app or prefers it because it has better features than the apps sanctioned by the organization. It could also be the case that the organization does not have a sanctioned option at all in a specific app category needed by an employee.
Shadow IT also occurs when an employee accesses an application used by a third party (such as a supplier, technology partner, or channel partner) that is unsanctioned by the employee’s IT department. Of course, in many instances, shadow IT simply consists of apps that employees access in the enterprise for entertainment or personal purposes.
In all of these cases, the use of unsanctioned applications creates security challenges. This is because IT teams have no visibility or control over such apps.
What are the risks of shadow IT?
Data exposure: Shadow IT is a significant avenue through which data can be exposed or shared inappropriately, either intentionally or unintentionally. Because IT lacks visibility and control over shadow IT, any sensitive data uploaded to these applications cannot be properly managed. In other words, if IT does not know how these apps are used or by whom, and has no control over the traffic going into and coming out of them, data leakage can easily occur.
Productivity loss: Many unsanctioned applications are used for personal activities or entertainment, including apps designed for streaming, social media, games, and so on. Naturally, this impacts enterprise productivity. In addition, sanctioned apps are often selected by IT specifically because they work well together, as OneDrive and the other Microsoft 365 apps do. Using an unsanctioned app can impact collaboration and productivity because it is incompatible with other apps, and because coworkers may not have access to it or know how to use it effectively.
Malware: Malware and ransomware operators are constantly looking for ways into organizations, and shadow IT often gives them one. An unsanctioned app can easily house malicious files that were uploaded from unsecured personal devices (BYOD) or from the unmanaged devices of third parties that also access the app. As a result, malware can easily be downloaded and spread across other devices and sanctioned cloud resources.
Additionally, app developers often neglect security in favor of features and usability—particularly for mobile apps. According to ZDNet, 60 percent of Android apps have security vulnerabilities, with 39 bugs per app on average. In some cases, these bugs allow attackers to hijack devices in secret and, once on the network, infect systems and steal data. The problem isn’t limited to niche or malicious apps; this type of bug was recently discovered in the Android app itself, which has been downloaded onto billions of devices.
Regulatory noncompliance: In many industries, the handling of data is strictly regulated. Additionally, some regulations, such as GDPR, transcend industry verticals entirely. Shadow IT creates the possibility of moving regulated information to places in the cloud that IT cannot see or secure. This can lead to regulatory noncompliance and result in fines as well as a loss of trust by stakeholders.
How can an organization protect itself from risky shadow IT?
The first thing an IT department has to be able to do is discover all the unsanctioned applications running throughout the distributed organization, and that’s where a cloud access security broker (CASB) comes into the picture. A CASB ingests logs from network devices, such as firewalls or proxies, combs them for apps, and details each uncovered app’s security attributes as well as whether or not it meets the security standards required by the organization. While IT may choose to allow certain unsanctioned applications under certain conditions—perhaps when they are accessed by particular users—other apps will be prohibited outright. Leading solutions will also provide more granular remediation options for responding to unsanctioned applications.
How does Zscaler address shadow IT?
As a fully inline solution, Zscaler CASB automatically performs shadow IT discovery—without demanding that admins manually upload logs from network devices. It provides full visibility both on and off the network, so IT teams get the uninterrupted oversight necessary to identify all shadow IT usage. Zscaler has a catalog of over 8,500 apps, each of which is scrutinized across 25 risk attributes to demonstrate trustworthiness in fine detail.
Zscaler also issues an overall risk score for each app to enable quick decision-making, and it simplifies control with the ability to set automated policies for individual apps as well as categories of apps. Because Zscaler sits directly in the path of traffic, these policies are enforced consistently and in real time across all user connections. Zscaler can automatically block risky apps at the moment of access, but it also offers options more granular than outright allowing or blocking, since blanket blocks can impede user productivity. Zscaler can provide read-only access to unsanctioned applications in order to prevent uploads and stop data leakage, as well as set restrictions on employee usage by enforcing bandwidth and time quotas.
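The discovery flow described above (ingest proxy logs, map traffic to apps, check each app against a catalog of risk attributes) and the read-only policy for unsanctioned apps, written out as an added Python example. It is not Zscaler’s code or catalog: the log format, the app catalog, the risk attributes and the block threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed catalog (hypothetical, not Zscaler's); "risk" = security attributes the app FAILS.
APP_CATALOG = {
    "onedrive.live.com": {"app": "OneDrive", "sanctioned": True, "risk": []},
    "sharehub.example": {"app": "ShareHub", "sanctioned": False, "risk": ["no_mfa"]},
    "freepaste.example": {"app": "FreePaste", "sanctioned": False,
                          "risk": ["no_encryption_at_rest", "no_mfa", "no_audit_log"]},
}
UPLOAD_METHODS = {"POST", "PUT"}
BLOCK_THRESHOLD = 3  # this many failed attributes or more -> block the app outright

# Constructed proxy log lines: timestamp user method url bytes_out
PROXY_LOG = """\
2024-05-01T09:00:01Z alice GET https://onedrive.live.com/files 120
2024-05-01T09:02:13Z alice POST https://sharehub.example/upload 524288
2024-05-01T09:05:40Z bob GET https://sharehub.example/doc/42 300
2024-05-01T09:07:02Z carol POST https://freepaste.example/new 2048
2024-05-01T09:08:00Z dave GET https://unknown.example/ 80
"""
LOG_RE = re.compile(r"^\S+ (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<out>\d+)$", re.M)

def lookup_app(host):
    """Match by exact host or any parent domain (e.g. docs.onedrive.live.com -> OneDrive)."""
    labels = host.split(".")
    return next((APP_CATALOG[d] for d in (".".join(labels[i:]) for i in range(len(labels) - 1)) if d in APP_CATALOG), None)

def decide(app, method):
    """Sanctioned -> allow; too risky -> block; otherwise read-only (uploads blocked)."""
    if app["sanctioned"]:
        return "allow"
    if len(app["risk"]) >= BLOCK_THRESHOLD:
        return "block"
    return "block" if method in UPLOAD_METHODS else "allow-readonly"

def analyze(log_text):
    """Per-app findings: users seen, verdict counts, and upload bytes stopped."""
    findings = defaultdict(lambda: {"users": set(), "verdicts": defaultdict(int), "blocked_upload_bytes": 0})
    for m in LOG_RE.finditer(log_text):  # lines not matching the format are skipped
        host = urlsplit(m["url"]).hostname or ""
        app = lookup_app(host) or {"app": "unknown:" + host, "sanctioned": False, "risk": ["uncatalogued"]}
        verdict = decide(app, m["method"])
        f = findings[app["app"]]
        f["users"].add(m["user"])
        f["verdicts"][verdict] += 1
        if verdict == "block" and m["method"] in UPLOAD_METHODS:
            f["blocked_upload_bytes"] += int(m["out"])
    return findings
```

Hosts that are not in the catalog are reported as their own finding with an "uncatalogued" risk attribute, so they surface for review rather than silently passing.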