What Is Shadow IT?
Shadow IT refers to the software, devices, and services, most commonly SaaS applications, that employees access and use without the knowledge or approval of their information technology department. Such applications aren't inherently flawed or dangerous; "shadow IT" simply means an app is being used without IT's explicit approval or oversight, and that lack of oversight is what increases risk for the organization.
How Did Shadow IT Come to Be?
Before the advent of cloud services, an organization’s end users could only access applications made available by IT, which procured and managed packaged software for the organization as a whole in addition to controlling licensing, software updates, and access rights.
With the rise of self-serve applications delivered through the cloud and app stores, users are no longer restricted to applications specifically sanctioned by IT. Instead, they can choose whatever tools let them get their jobs done more easily or efficiently, often with nothing more than a web browser and a corporate email address.
Why Does Shadow IT Occur?
Shadow IT typically occurs when an employee has a particular job to do and a preference about how to get it done. For example, an employee may have previous experience with a specific app, or simply prefer its functionality over the apps sanctioned by the organization. Perhaps the organization doesn’t have a sanctioned option for messaging, file sharing (e.g., Dropbox), or another app category the employee needs.
Shadow IT also occurs when an employee accesses an unsanctioned application used by a third party, such as a supplier, technology partner, or channel partner. Finally, in many instances, shadow IT apps are simply for employees’ entertainment or other personal purposes.
In all these cases, the use of unsanctioned applications creates IT security challenges because IT teams have no visibility or control over these apps.
What Are the Security Risks of Shadow IT?
Shadow IT can lead to security incidents, misuse of IT resources, lost productivity, and extra work for IT teams. Some of the most significant risks include:
- Data exposure: Shadow IT is a significant avenue for data breaches and data loss. Unsanctioned apps, especially when used on smartphones or personal laptops, can easily lead to exposure or inappropriate sharing of sensitive data, whether the user means to do so or not.
- Productivity loss: Using an unsanctioned app—one for social media, for example—can impact collaboration and productivity due to its incompatibility with other apps, and because coworkers may not have access to it or knowledge of how to use it effectively.
- Malware: CIOs and CISOs constantly worry about malware and ransomware penetrating their organization—and shadow IT often enables those threats. An unsanctioned app can easily house malicious files uploaded from unsecured personal devices (BYOD) or third parties.
- Vulnerabilities: According to ZDNet, 60% of Android apps have security vulnerabilities, with 39 bugs per app on average. In some cases, these bugs allow attackers to silently hijack devices and, once those devices join an organization's network, infect systems and steal data.
- Noncompliance: Shadow IT introduces the possibility of moving regulated information to places in the cloud that IT can’t see or secure. This can lead to compliance risk around regulations such as GDPR and result in fines as well as a loss of trust.
How Do You Control Shadow IT?
The first step for an IT department is to discover every unsanctioned application in use across the distributed organization. A cloud access security broker (CASB) is the tool built for that job.
A CASB provides significant security value in discovering and managing shadow IT. CASBs:
- Ingest logs and workflows from network devices such as firewalls and proxies
- Comb these logs and workflows for apps
- Detail uncovered apps’ security attributes as well as whether or not they require additional security measures.
While IT may choose to allow certain unsanctioned applications in specific conditions—perhaps when particular users access them—other apps will be prohibited outright. Leading solutions will also provide more granular remediation options for responding to unsanctioned applications.
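The three CASB steps above (ingest proxy logs, comb them for apps, and attach security attributes), followed by the allow-conditionally-or-block policy decision, can be shown as a small pipeline. The following is an added example, not Zscaler's code or the output of any real CASB: the Squid-style log lines are constructed sample input, and the app catalog, risk scores, sanctioned list, per-user exceptions, and the block threshold are all assumptions chosen to illustrate the workflow.

```python
"""Shadow IT discovery from proxy logs, CASB-style, in miniature (illustrative example)."""
import re
from urllib.parse import urlsplit

# Constructed Squid-style access.log lines (sample input, not a real export).
# Fields: epoch elapsed_ms client_ip action/status bytes method url user hierarchy mime
PROXY_LOG = """\
1700000000.101 45 10.0.0.5 TCP_MISS/200 512 GET https://www.dropbox.com/home alice HIER_DIRECT/1.2.3.4 text/html
1700000001.202 120 10.0.0.5 TCP_MISS/200 2048 POST https://content.dropbox.com/upload alice HIER_DIRECT/1.2.3.4 application/json
1700000002.303 30 10.0.0.7 TCP_MISS/200 800 GET https://teams.microsoft.com/ bob HIER_DIRECT/5.6.7.8 text/html
1700000003.404 60 10.0.0.9 TCP_MISS/200 4096 GET https://pastebin.com/raw/abc carol HIER_DIRECT/9.9.9.9 text/plain
1700000004.505 90 10.0.0.9 TCP_MISS/200 300 POST https://pastebin.com/api/api_post.php carol HIER_DIRECT/9.9.9.9 text/plain
1700000005.606 10 10.0.0.7 TCP_TUNNEL/200 100 CONNECT unknown-saas.example:443 bob HIER_DIRECT/8.8.8.8 -
1700000006.707 20 10.0.0.5 TCP_MISS/200 640 GET https://www.dropbox.com/files dave HIER_DIRECT/1.2.3.4 text/html
this line is not a log record and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Toy app catalog keyed by registrable domain. Assumption: a real CASB catalog
# is far larger and scores many more attributes; these values are made up.
APP_CATALOG = {
    "microsoft.com": {"app": "Microsoft 365", "category": "collaboration", "risk": 1,
                      "attrs": {"sso": True, "encryption_at_rest": True}},
    "dropbox.com":   {"app": "Dropbox", "category": "file sharing", "risk": 4,
                      "attrs": {"sso": True, "encryption_at_rest": True}},
    "pastebin.com":  {"app": "Pastebin", "category": "content sharing", "risk": 8,
                      "attrs": {"sso": False, "anonymous_upload": True}},
}
UNKNOWN_APP = {"app": "unknown", "category": "uncategorized", "risk": 7, "attrs": {}}

SANCTIONED = {"Microsoft 365"}       # apps IT procured and manages (assumption)
EXCEPTIONS = {"Dropbox": {"alice"}}  # unsanctioned app allowed only for named users
BLOCK_RISK = 7                       # unsanctioned apps at/above this score are blocked outright
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_line(line):
    """Return the fields of one proxy record, or None for lines that are not records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec


def host_of(url):
    """Extract the host from an absolute URL or a CONNECT host:port target."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def lookup_app(host):
    """Longest-suffix match of the host against the catalog; unknown hosts get a default risk."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOG:
            return APP_CATALOG[candidate]
    return dict(UNKNOWN_APP, app=host)  # each unknown host is reported on its own


def decide(app, user):
    """Policy verdict for one (app, user) pair: allow, read-only or block."""
    if app["app"] in SANCTIONED:
        return "allow"
    if user in EXCEPTIONS.get(app["app"], set()):
        return "allow"
    if app["risk"] >= BLOCK_RISK:
        return "block"
    return "read-only"  # browsing allowed, uploads stopped


def discover(log_text):
    """Comb proxy records for apps and summarise who used them and how."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        app = lookup_app(host_of(rec["url"]))
        entry = summary.setdefault(app["app"], {
            "category": app["category"], "risk": app["risk"], "attrs": app["attrs"],
            "sanctioned": app["app"] in SANCTIONED,
            "users": set(), "requests": 0, "upload_requests": 0, "verdicts": {},
        })
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_requests"] += 1
        entry["verdicts"][rec["user"]] = decide(app, rec["user"])
    return summary


def shadow_it_report(log_text):
    """Unsanctioned apps only, riskiest first: the list an admin would review."""
    rows = [(n, e) for n, e in discover(log_text).items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[1]["risk"], r[0]))


if __name__ == "__main__":
    for name, e in shadow_it_report(PROXY_LOG):
        print(f"{name:<22} risk={e['risk']} users={sorted(e['users'])} "
              f"uploads={e['upload_requests']} verdicts={e['verdicts']}")
```

Two design points carry over to real deployments. Hosts are matched by longest suffix so that `content.dropbox.com` and `www.dropbox.com` collapse into one app, and hosts absent from the catalog are surfaced individually with a conservative default risk rather than silently dropped, since an unknown destination is exactly what a discovery pass exists to find. The verdict is computed per (app, user), which is what allows the same unsanctioned app to be permitted for one team and read-only or blocked for everyone else.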
Many CASBs will claim to be born in the cloud, but they’re often nothing more than virtual machines strapped to legacy security appliances. Only one security service provider builds its products in the cloud, for the cloud, so you can negate the risks of shadow IT and bolster your security posture. That provider is Zscaler.
Eliminating Shadow IT Risk with Zscaler
The Zscaler CASB is a fully inline solution that uses automation to perform shadow IT discovery without demanding that admins manually upload logs from network devices. It provides full visibility both on and off the network, so IT teams get the uninterrupted oversight necessary to identify all shadow IT usage. Zscaler has a catalog of more than 8,500 apps, each scrutinized across 25 risk attributes, to demonstrate trustworthiness in fine detail.
Some of the many benefits of the Zscaler CASB include:
- Granular data protection: Prevents malicious and accidental data leakage across cloud-based resources.
- Complete threat protection: Stops the spread of threats such as ransomware across cloud and user endpoints.
- Comprehensive visibility: Delivers in-depth logging and reporting for the complete oversight of all cloud data.
- Unified compliance: Provides deep compliance visibility and assurance across SaaS applications.
The Zscaler CASB can automatically block risky apps at the moment of access, but because outright allow-or-block decisions can impede user productivity, it also offers more granular options. Zscaler can provide read-only access to unsanctioned applications, which prevents uploads and stops data leakage, and can restrict employee usage by enforcing bandwidth and time quotas.
Want to learn more about how Zscaler helps protect your organization from the risks of shadow IT? Explore our expansive partner network—including Microsoft, ServiceNow, Google, and more—to see how we provide industry-leading SaaS security.