What is Shadow IT and Why is It the Biggest Cybersecurity Risk?

What is shadow IT? Shadow IT is an emerging threat to your business, especially as organizations migrate to the cloud and embrace the application age in all its glory.

How does it pose a risk to your business and your data in the cloud? What can your organization do to effectively stop the threat that shadow IT poses to your environment? Let’s take a closer look.

What is shadow IT?

Shadow IT refers to the use of hardware or software without the knowledge or approval of the organization’s IT department or security team.

You can define Shadow IT as the activities that use products, services, and solutions that don’t follow the organization’s rules for security, compliance, and data governance. It’s like going against the company’s guidelines and doing your own thing with technology.

What are some of the reasons behind the prevalence of shadow IT in most organizations today? The explosion of public cloud technologies has led to a massive increase in shadow IT operations inside most organizations.

The public cloud has transformed what used to be science fiction into reality. Now, accessing services and solutions from anywhere and any device is just a few clicks away. The convenience and accessibility offered by the public cloud are unparalleled, allowing individuals to effortlessly retrieve files from any location. Cloud-hosted solutions and services are easily used and can be provisioned in minutes.

Services like using Google Drive, OneDrive, DropBox, Box, and other cloud services generally only require an email address to set up and have tiers that are free. These services become highly attractive to employees seeking convenience and flexibility in accessing specific data from any device and location. However, it’s important to note that this convenience also brings about potential concerns regarding shadow IT risk management.

Why do employees choose to use shadow IT?

Some employees may resort to using unsanctioned apps or tools with dishonest intentions. They do this to bypass restrictions or policies that may hinder certain types of network traffic or software they desire. Their actions aim to circumvent the established rules and gain unauthorized access to resources.

Another common scenario involves departments seeking to enhance productivity and overcome obstacles in specific projects. They may choose to use new tools that are not approved by the IT department. The intention behind this is to streamline work processes and achieve project objectives more efficiently. These tools may introduce potential risks and vulnerabilities to the organization’s IT infrastructure and data security.

If sanctioned company software and collaboration tools hinder productivity, employees are inclined to utilize certain cloud services to overcome these obstacles. These cloud services assist in removing roadblocks and improving workflow efficiency. These include collaboration tools that feature file sharing, team communication, online file storage, and other features.

While the intention is to propel the business forward and remove roadblocks to productivity, these types of shadow IT operations can lead to many very concerning security vulnerabilities and threats to your company data.

Another concerning aspect that contributes to Shadow IT statistics is that most businesses do not have a strategy for how they will deal with Shadow IT in their organization.

A recent report by Entrust Datacard notes that 37% of IT employees say their organizations do not have clearly outlined internal consequences for employees involved in Shadow IT. Also, 77% of IT professionals say that Shadow IT will become a large problem for organizations by the year 2025 if left unchecked.

Examples of Shadow IT

The most obvious and commonly known examples of shadow IT  are unsanctioned third-party software that includes:

• productivity apps such as Trello and  Asana, 
• cloud storage, file-sharing, and document-editing applications, including Dropbox, Google Drive, 
• communication apps like Slack, WhatsApp, Zoom, or 
• specific applications that employees can use to improve personal productivity and working efficiency, e.g., ChatGPT, Grammarly, etc. 

Less obvious but also common examples of shadow IT are:

• employees’ personal devices and BYOD policies 

Smartphones, laptops, and storage devices such as USBs and external hard drives are other common shadow IT examples. Employees may use their devices to access, store, or transmit network resources remotely or use these devices on-premises as part of a formal BYOD program. At any rate, IT departments often need help to discover, monitor, and manage these devices with traditional asset management systems.

What are the threats to your business with Shadow IT?

A common shadow IT is when a user grants broad OAuth permissions to third-party apps. This inadvertently violates data residency regulations, such as GDPR. In addition, attackers often use third-party add-ons and social engineering to trick people into granting broad access to your approved SaaS apps—such as Office 365, G Suite, and Box—that typically contain sensitive data.

Think about several scenarios:

• An employee begins using personal cloud storage to upload and edit sensitive customer data records from your business
• A document containing credit card numbers is created and uploaded to a personal OneDrive account. It is then shared with other employees by sharing a link.
• An unsanctioned Amazon S3 bucket is created and utilized by one of your business units looking to remove the limits imposed by sanctioned on-premises storage. However, the S3 bucket is inadvertently left open.

In any of the above scenarios, business-critical data that is stored using the unsanctioned Shadow IT mechanisms leave your business open to many dangerous and costly consequences. Let’s list the main ones:

Using unsanctioned software and services

Departments or individual employees may turn to unsanctioned cloud services, driven by their limited technical experience and unfounded assumptions. Unfortunately, this can lead to potentially-harmful security mistakes. Individuals who lack the expertise or experience using cloud services mistakenly assume that the security of cloud solutions is simply built-in and they don’t have to do anything to ensure data is protected. However, this is not the case as we will see below.

Sharing sensitive information outside of the organization

Shadow IT not only involves the use of unsanctioned software and services for storing and accessing data but also enables access to unsanctioned hardware. By using a cloud Software-as-a-Service (SaaS) storage application, employees can easily use personal devices to access, edit, and even share information outside the purview of the organization.

This opens your business up to even further security concerns when devices that may not have the appropriate security software and other protections in place are used to interact with sensitive business-critical data. End users, in general, are also very trusting with third-party applications installed on mobile devices. Risky apps can easily be installed that further threaten your business data.

Installing malicious mobile apps

Think of a situation where an end-user installs a malicious application on their mobile device that already has access to a personal cloud environment where they have copied sensitive business data. There is a good chance the malicious application will be granted all the permissions needed to access that data by the end-user during installation. Data leak concerns certainly come to the forefront in that scenario.

Don’t public vendors take care of data security?

By in large, employees that are not technically minded or are not properly trained in security assume that public cloud vendors take care of all the security holes and proper configurations for you. This is just not the case. Most public cloud vendors have what is called a shared responsibility model.

In the case of Amazon, it states the following:

Amazon’s responsibility

• “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”

Customer responsibility

• “Customers that deploy an Amazon EC2 instance are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data.
  Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply for the appropriate permissions.”

Each public cloud service provider (CSP) will have its own version of the shared responsibility model. However, they all have similar stances on customer responsibilities.

This helps to emphasize the fact that if your employees are leveraging shadow IT in cloud environments under the purview of your organization, then ultimately, it is the responsibility of your business for any data leakage or other security and compliance repercussions that may result.

Case Study: Okta’s Shadow IT Incident

Shadow IT is a quiet enemy, as it may exist within an organization for years and then reveal itself as a devastating threat. Shadow IT can affect a wide range of organizations, from big enterprises to small and medium businesses. Let’s look at a real-world example of a Shadow IT incident and the outcomes it brought to an organization.

Shadow IT was behind a series of damaging breaches at Okta. An Okta employee who accessed their personal Google account on a company-owned device is believed to have been the origin of a breach that ultimately affected 134 downstream customers, including 1Password, BeyondTrust, and Cloudflare.

The breach, which occurred between September 28 and October 17, 2023, involved an unauthorized threat actor gaining access to Okta’s customer support system. This breach allowed the attacker to seize files containing session tokens, which were then used to carry out session hijacking attacks.

Okta remediated the incident arising from Shadow IT use by taking the following actions:

• the compromised customer service account has been deactivated;
• a Chrome Enterprise configuration was implemented to prevent employees from signing into Chrome with a personal profile on Okta-managed laptops;
• enhanced detection and monitoring rules have been added to the customer support system;
• as a further precaution, Okta introduced session token binding based on network location, requiring reauthentication if a network change is detected to protect against session token theft for Okta administrators.

Shadow IT increases the likelihood of uncontrolled data flows, leading to serious compliance issues

At an age when compliance and security regulation implications have shown their teeth, the impact of using Shadow IT is immense. Regulatory compliance concerns arise when Shadow IT lacks strong security measures and proper configurations, potentially leading to unauthorized use of the organization’s sensitive data. Additionally, using unapproved cloud storage can result in data being stored in various locations, potentially violating data residency policies. 

Potential fines and legal consequences of using Shadow IT

Think about the General Data Protection Regulation (GDPR) and its set of data protection principles (Art. 5), including lawfulness, fairness, transparency, purpose limitation, data minimization; integrity and confidentiality (security), etc.

Using Shadow IT puts organizations at risk of violating all these data protection principles. For example, Shadow IT can violate the storage limitation principle as it may involve using cloud services or storage solutions that store data outside of the EU or in locations that do not comply with GDPR’s data residency and transfer rules. Shadow IT almost always violates the data minimization principle, as it can lead to unnecessary or excessive data collection, and unauthorized tools may not follow the organization’s data minimization policies. 

These hypothetical situations can easily occur with any business and lead to serious fines and legal consequences. The fines for non-compliance to GDPR can go up to €20, or 4% of the annual worldwide turnover, whichever is greater (Article 83(5) of the GDPR).

One of the biggest GDPR fines to date was imposed on Amazon Europe. The company paid €746 million ($781 million) for not getting consent from its users before storing advertisement cookies. Shadow IT tools rarely facilitate (or are configured to facilitate) the collection and management of such consent. Thus, using Shadow IT tools largely leads to non-compliance.

Like with GDPR, Shadow IT can lead organizations to inadvertently breach regulations such as PCI-DSS, HIPAA, SOX, and others, keeping organizations’ compliance efforts in the dark.

SpinOne provides visibility and control of Shadow IT

As shown, Shadow IT can be very damaging to your business in many ways. Even though end users might have the right motivation to remove barriers to more effective business productivity, doing this outside of the sanction of proper IT and security blessing is dangerous.

End users outside of IT or security personnel often do not understand the implications of storing data, sharing data, or collaborating with SaaS applications in the cloud without implementing proper security measures and configurations.

If you are already leveraging cloud SaaS environments like Google G Suite or Microsoft Office 365, how do you ensure your end users are only interacting with sensitive and other business-critical data stored there?

There are two very important aspects of getting a handle on Shadow IT operations in your cloud environment. This includes:

• Visibility
• Control

SpinOne provides a comprehensive suite of cybersecurity tools that allow your business to have both visibility and control over what your end users are doing with your business data stored in the cloud. This by extension allows discovering Shadow IT activities.

SpinOne is an API-based Cloud Access Security Broker that integrates with your G Suite or Office 365 environment. This allows your business to extend on-premises Shadow IT policy to the cloud. This includes providing visibility to how your data is shared, accessed, as well as which third-party applications are allowed to interact with your data.

One of the major features of SpinOne is SpinAudit. SpinAudit plays a primary role in helping to protect your cloud SaaS environment. It is an artificial intelligence (AI) based security platform that constantly watches your cloud account, providing security protection 24x7x365. SpinAudit provides a business risk assessment, security risk assessment, and compliance risk assessment offering for SaaS applications, Chrome Extensions, Android Apps, and non-marketplace apps.

It constantly assesses third-party applications and evaluates whether these are safe for use in your organization. Even apps that have previously been deemed safe are reevaluated with each new release or change.

You can also whitelist or blacklist specific applications in your cloud SaaS environment to keep a strict model of sanctioned applications that can be installed. This helps to eliminate Shadow IT risks to your data from third-party applications. You might be wondering though, what if a user is leaking data to theircloud environment that is not controlled by Spin?

This is the beauty of the visibility, control, and protection offered by SpinAudit. With SpinAudit you always have visibility when someone from your organization or the outside:

• Is Leaking data from sanctioned storage, outside the environment
• Is subject to a Man-in-the-middle (MITM) attack
• Is transferring data to a personal cloud account
• Is installing risky third-party applications
• Is a victim of a ransomware attack affecting cloud data company-wide
• Is in possession of an administrator account and has hijacked those permissions
• Is brute forcing login attempts
• Is purposely or accidentally sharing sensitive data outside of the organization
• Is putting your business at risk of unexpected IT costs, fines, and penalties

Be sure to check out SpinAudit with a free fully-featured trial of SpinOne here. 

A typical SaaS environment is invisible to admins. And you cannot manage what you cannot observe. SpinAudit gives you full visibility over your data by monitoring employees who have access to G Suite and using machine learning algorithms to detect abnormal cloud user behavior.

Using the visibility provided by Spin, your organization can use the controls provided by SpinOne to ensure business-critical data is protected and safe from data leaks and other threats such as ransomware.

Try SpinOne for free

Key Takeaways

Shadow IT is the biggest cybersecurity risk threatening your cloud environment and business-critical data. There are many reasons that employees may resort to shadow IT activities either intentionally or accidentally. The end result is the same for your business – security and compliance risk.

The results and penalties for both can be significant. With SpinOne and the SpinAudit module, you gain the visibility and control necessary to tackle the risks associated with shadow IT. This means you can effectively manage the dangers posed by shadow IT operations and risky third-party applications, safeguarding your business.

Read also:

Cyber Security: Work From Home Best Practices

4 Rules and 3 Tools to Manage Shadow IT

Frequently Asked Questions