Understanding cloud-era Shadow IT and how to stop it

Public cloud solutions have made valuable services available to individual employees through just a few clicks. Services like Google Drive, OneDrive, Dropbox, Box, and other cloud solutions are free and generally only require an email address to set up. And it’s never been easier for users to access specialized applications. This makes these types of services very appealing to employees looking to access certain data anywhere and on any device, especially if they lack a sanctioned way to do this with business-approved solutions. In a post-Covid world, where remote work has become the norm, IT and security departments have far less visibility and control over the services and applications employees adopt and use in their home environments.

Shadow IT has been a major issue for corporate IT and security departments for decades now. Left unchecked, employees using technologies without company knowledge or approval can introduce grave security and compliance risks. And in the age of cloud- and application-centric operations, and a business environment in which employees are working beyond corporate IT oversight, the problem is growing worse. In fact, nearly 80 percent of IT professionals believe shadow IT will become a massive issue for organizations by 2025, according to Entrust Datacard.

Many with IT and security experience are familiar with this issue, but it’s essential to understand the drivers behind shadow IT. Some users adopt unapproved third-party apps or tools to bypass company restrictions and policies that impede access to types of network traffic or software they see as vital to productivity (or that they simply prefer). Generally speaking, employees turn to shadow IT to access cloud collaboration tools with features like file sharing, cloud-to-cloud file transfer, and online file storage. They might see these solutions as more effective or convenient than corporate-sanctioned options, and to avoid lengthy IT processes and the risk of denial, they’d rather ask for forgiveness than permission.

Shared responsibility

In most cases, employees are aiming to propel the business forward and remove roadblocks to productivity, but they don’t typically understand the associated security vulnerabilities and threats to your company data. Most public cloud vendors operate under some form of shared responsibility model. This means that users can’t absolve themselves of security accountability, and that any data leakage or other security or compliance repercussions caused by shadow IT in cloud environments are your responsibility. Let’s explore a few examples that illustrate the point.

What if an employee creates an unsanctioned Amazon S3 bucket to remove the limitations of your sanctioned on-premises storage, but inadvertently leaves it open (and your data exposed)? Departments or users who lack technical experience and hold unfounded assumptions often make these dangerous security errors when using unsanctioned software and services. Many mistakenly assume that security is simply built into cloud solutions by default, not realizing the onus is actually on them.

Along with using unsanctioned software and services, shadow IT involves using unapproved hardware to store and access data as well. Using a cloud Software-as-a-Service (SaaS) storage application, employees can easily use personal devices to access, edit, and even share information outside the organization’s purview. For instance, an employee might upload a document containing historical customer data to their personal OneDrive account to access the information on a personal device to work after hours on an annual report. This opens your business up to even further security concerns when devices that may not have the appropriate security software and other protections in place interact with sensitive business-critical data.

Uncontrolled data flows

Additionally, end users often place too much trust in third-party applications for mobile devices. Think of a situation where an employee installs a malicious application on their mobile device that already has access to a personal cloud environment in which they have copied sensitive business data. There’s a good chance the end user will have granted the malicious application all the permissions it needs to access that data during installation, which represents a major data leak concern.

Very often, departing employees try to use cloud-to-cloud data transfer SaaS services to connect their business account with personal ones and transfer company Google Drive files to a personal Google Drive. As a result, that employee might blackmail the company in the future, or may cause new cases of data leakage.

Shadow IT also increases the likelihood of uncontrolled data flows, which can lead to serious compliance issues. An unsanctioned Amazon S3 bucket your employee misconfigured could lead to a General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA) violation. That’s just one example of user shadow IT behavior with serious compliance risks. Violations of these regulations can cause tremendous financial and reputational damage from which some companies never recover.

How to control cloud-era Shadow IT  

When employees engage in shadow IT, and specifically when they store data, share data, or collaborate with SaaS applications in the cloud without implementing proper security measures and configurations, the results can be catastrophic. It’s arguably the most significant cybersecurity risk threatening your cloud environment and business-critical data today.

You cannot manage and secure what you can’t observe, so you must establish heightened cloud visibility and control in order to get a handle on shadow IT. The best way to do this is to extend on-premises shadow IT policies to the cloud. This will require an AI-enabled cloud security platform that can continuously monitor your cloud properties to track how users and third-party applications share, access, and otherwise interact with company data and assets. Prioritize solutions with machine learning algorithms that can detect and alert you to abnormal user behaviors and anomalies that indicate risks such as data leakage, insider threats, ransomware and more. You should also prioritize solutions that enable you to maintain tight control over approved and actively permitted applications to ensure users aren’t able to adopt malicious or unsanctioned services.
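The kind of check such monitoring performs, shown as an added example that is not from the original article or any vendor's product: it flags grants to apps outside the approved list, shares to non-corporate accounts, public links, and bulk external transfers of the sort a departing employee might make. The event schema, domain, app names and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

CORP_DOMAIN = "corp.example"                   # assumed company domain
SANCTIONED_APPS = {"corp-backup", "corp-sso"}  # assumed IT-approved app IDs
BULK_THRESHOLD = 3                             # external shares per user per day

# Constructed events in a simplified, hypothetical schema
# (not any vendor's real audit-log format).
EVENTS = [
    {"day": "2024-05-01", "user": "ana@corp.example", "type": "oauth_grant", "app": "corp-backup"},
    {"day": "2024-05-01", "user": "bo@corp.example", "type": "oauth_grant", "app": "free-pdf-converter"},
    {"day": "2024-05-01", "user": "bo@corp.example", "type": "share", "file": "q3.xlsx", "target": "cy@eu.corp.example"},
    {"day": "2024-05-01", "user": "dee@corp.example", "type": "share", "file": "customers.csv", "target": "dee@personal.example"},
    {"day": "2024-05-01", "user": "dee@corp.example", "type": "share", "file": "pricing.docx", "target": "dee@personal.example"},
    {"day": "2024-05-01", "user": "dee@corp.example", "type": "share", "file": "roadmap.pptx", "target": "dee@personal.example"},
    {"day": "2024-05-01", "user": "ana@corp.example", "type": "share", "file": "notes.txt", "target": "partner@notcorp.example"},
    {"day": "2024-05-01", "user": "bo@corp.example", "type": "share", "file": "handbook.pdf", "target": "anyone"},
]

def is_internal(address, corp_domain=CORP_DOMAIN):
    """True for the corporate domain and its subdomains only.

    Matching on ".corp.example" rather than a bare suffix keeps a
    look-alike such as "notcorp.example" from passing as internal.
    """
    host = address.rsplit("@", 1)[-1].lower()
    return host == corp_domain or host.endswith("." + corp_domain)

def audit(events, sanctioned=SANCTIONED_APPS, bulk=BULK_THRESHOLD):
    """Return a list of (finding, user, detail) tuples."""
    findings = []
    external = defaultdict(list)   # (user, day) -> files shared outside
    for e in events:
        if e["type"] == "oauth_grant" and e["app"] not in sanctioned:
            findings.append(("unsanctioned_app", e["user"], e["app"]))
        elif e["type"] == "share":
            if e["target"] == "anyone":            # public link
                findings.append(("public_link", e["user"], e["file"]))
            elif not is_internal(e["target"]):
                findings.append(("external_share", e["user"], e["file"]))
                external[(e["user"], e["day"])].append(e["file"])
    # Several external shares by one user in one day suggests a bulk transfer.
    for (user, day), files in external.items():
        if len(files) >= bulk:
            findings.append(("bulk_external_transfer", user, day))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```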

Shadow IT continues to be a major problem for organizations of all types and sizes. The good news is that by understanding and proactively addressing the motivations behind it, and by establishing the capabilities necessary to monitor and control cloud services, third-party applications and user activities, you can dramatically mitigate the risks.

Dmitry Dontov, CEO and Chief Architect, Spin Technology

Dmitry Dontov is the CTO and Founder of Spin Technology (www.spin.ai), a cloud data protection company based in Palo Alto, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of experience in security and team management, Dmitry has a strong background in the cloud data protection field, making him an expert in SaaS data security who has the ability to influence teams. He is an author of 2 patents and a member of Forbes Business Councils and YEC. AI & Blockchain fan.