
In big organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, to bypass limitations and restrictions that have been imposed by central information systems. While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.
Information systems in large organizations can be a source of frustration for their users. In order to bypass limitations of solutions provided by a centralized IT department, as well as restrictions that are deemed detrimental to individual productivity, non-IT departments might develop independent IT resources for specific or urgent needs or requirements. In some cases, IT specialists could be recruited or software solutions procured outside of the centralized IT department, sometimes without the knowledge or approval of corporate governance channels.
Shadow IT has traditionally occurred through various kinds of hardware, such as employees bringing in USB drives or spinning up their own servers in offices. Recently, shadow IT has grown as businesses adopt the cloud. The result is that more and more employees are signing up to Software-as-a-Service (SaaS) products to help them complete their jobs and be more productive. As a result, shadow IT and SaaS sprawl are now closely aligned, and organizations can end up with hundreds of SaaS applications that are not visible to or centrally managed by the IT department.
There are several approaches that can be taken to mitigate the risks of shadow IT. One of the main ways is to start creating a security culture and making employees responsible for their departments' tooling. In a distributed world the heads of departments are often responsible for managing data in SaaS applications as well as which employees have access to those systems. SaaS Security Posture Management (SSPM) is a modern cybersecurity category that aims to help businesses specifically address security risks associated with SaaS applications. Some tools focus on identifying sensitive data (data loss prevention, DLP), some are cloud access security broker (CASB) focused, and others specifically address the risks of shadow IT. The first step to tackling shadow IT is to identify the approved and unapproved applications being used throughout your business.
Although often perceived as an attempt to undermine corporate governance, the existence of shadow IT is often an indicator that the needs of individual departments are not being met by a centrally managed information ecosystem. Thus the immediate benefits of shadow IT are as follows:
In addition to information security risks, some of the implications of shadow IT are:
Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with various pieces of legislation, regulations or sets of best practices. These include, but are not limited to:
Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations are reluctant to voluntarily admit their existence. As a notable exception, The Boeing Company has published an experience report describing the alarming numbers of shadow applications that various departments have introduced to work around the limitations of their official information system.
According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget.
A 2012 French survey of 129 IT managers revealed some examples of shadow IT:
Examples of these unofficial data flows include USB flash drives or other portable data storage devices, instant messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VoIP software—and other less straightforward products: self-developed Microsoft Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical locations, or security domains.
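The first mitigation step named above, building an inventory of approved and unapproved applications, and the unofficial data flows listed here (online e-mail, document sharing, VoIP) can both be approached by reading the organization's own web-proxy logs. The following is an added example, not code from the original page or from any SSPM or CASB product: it parses a handful of constructed Squid-style access log lines, maps each destination host to a SaaS application through a small constructed catalogue (longest domain-suffix match, so `web.skype.com` resolves to Skype), and reports which catalogued applications are in use but not on a constructed approved list. The catalogue, approved list, log format and users are all assumptions for illustration; a real deployment would feed it the proxy's actual log and a maintained application catalogue.

```python
"""Inventory SaaS usage from a web-proxy log and flag applications that are
not on the organization's approved list.

Added example; the catalogue, approved list and log lines below are
constructed for illustration and are not from the original page.
"""

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue mapping domains to a SaaS application name.  A real
# deployment would source this from a maintained vendor feed or internal list.
SAAS_CATALOGUE = {
    "mail.google.com": "Gmail",
    "docs.google.com": "Google Docs",
    "dropbox.com": "Dropbox",
    "skype.com": "Skype",
    "slack.com": "Slack",
    "salesforce.com": "Salesforce",
}

# Constructed list of applications sanctioned by central IT.
APPROVED = {"Slack", "Salesforce"}

# Constructed Squid-style access log: timestamp, client IP, method, URL, user.
SAMPLE_LOG = """\
1700000000.123 10.0.1.15 GET https://docs.google.com/document/d/abc alice
1700000001.456 10.0.1.15 POST https://mail.google.com/mail/u/0/ alice
1700000002.789 10.0.2.40 GET https://slack.com/api/conversations.list bob
1700000003.012 10.0.2.40 POST https://www.dropbox.com/upload carol
1700000004.345 10.0.3.77 GET https://login.salesforce.com/ dave
1700000005.678 10.0.3.77 GET https://web.skype.com/ dave
1700000006.901 10.0.1.15 GET https://intranet.example.internal/wiki alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)$"
)


def classify_host(host):
    """Return the catalogued SaaS application for a hostname, or None.

    Matches the most specific catalogue entry by domain suffix, so
    'web.skype.com' is tried before 'skype.com' before 'com'.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SAAS_CATALOGUE:
            return SAAS_CATALOGUE[candidate]
    return None


def inventory(log_text):
    """Parse proxy log lines into {app: {"users", "requests", "approved"}}."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "approved": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than abort
        host = urlsplit(m.group("url")).hostname
        if not host:
            continue
        app = classify_host(host)
        if app is None:
            continue  # internal or uncatalogued destination
        entry = usage[app]
        entry["users"].add(m.group("user"))
        entry["requests"] += 1
        entry["approved"] = app in APPROVED
    return dict(usage)


def unapproved_apps(log_text):
    """Sorted names of catalogued applications seen in the log but not approved."""
    return sorted(app for app, e in inventory(log_text).items() if not e["approved"])


if __name__ == "__main__":
    for app, e in sorted(inventory(SAMPLE_LOG).items()):
        status = "approved" if e["approved"] else "UNAPPROVED"
        print(f"{app:12} {status:10} requests={e['requests']} users={sorted(e['users'])}")
```

The per-user breakdown is what makes the report actionable: it tells the head of the department which people and which applications to discuss, rather than just that "Dropbox traffic exists". Hosts that match no catalogue entry are deliberately ignored here; in practice they are the second pass, since unknown destinations with sustained upload traffic are exactly where newly adopted, uncatalogued SaaS tends to appear.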