Shadow IT has recently become one of the key challenges of cloud adoption for businesses. In this article, we’ll answer the question: “What are the risks of Shadow IT, and how can you mitigate them?”
With the tremendous number of cloud Software-as-a-Service (SaaS) applications available to organizations today, businesses have access to an infinite number of capabilities in the cloud. In addition, if there is a feature or function in the cloud that does not exist natively, there is a third-party app that can add it to a company’s cloud SaaS environment. While there are tremendous benefits to leveraging cloud SaaS applications in the enterprise, it can lead to cybersecurity challenges. One of those challenges is Shadow IT.
Shadow IT is a growing problem
The largest organizations today are using, on average, 177 SaaS applications. This figure is up from an average of only 8 SaaS applications used in 2015. Moreover, it is a trend that will undoubtedly continue for years to come as businesses make significant transitions to cloud-native technologies across the board.
What has driven the widespread adoption of cloud SaaS applications? While organizations were hesitant to trust cloud platforms 5-7 years ago, that perception has largely changed. Most organizations have come to trust cloud environments and what they offer. Cloud service providers have matured, and the platforms have grown and expanded to include many robust applications.
In addition, business-critical applications on-premises might require purchasing a new server and network infrastructure, configuring the architecture, and deploying the applications in the data center, which might take weeks or months. With cloud SaaS applications, deploying new mission-critical applications for the entire organization takes only a few clicks.
This tremendous shift to cloud SaaS and the ease with which businesses can install third-party cloud SaaS applications has led to the explosion of cloud SaaS apps in the enterprise. However, despite the many advantages that come from this paradigm shift to cloud SaaS, it also opens organizations to a myriad of cybersecurity threats, one of which is Shadow IT.
When you boil down the definition of Shadow IT in the context of cloud SaaS apps, it is any cloud application used by an end-user to perform work-related tasks without the knowledge or approval of your in-house IT team. So, for example, end-users with the default access granted in Google Workspace and Microsoft 365 can install any cloud SaaS application.
Note the statistics:
- One-third of Fortune 1000 employees share and upload corporate data on third-party apps
- One in four employees links to cloud apps, including personal ones, using corporate logins and passwords
- 83 percent of corporate employees engage in informal Shadow IT practices
Increased risk of Shadow IT
If organizations migrate to cloud SaaS environments without security and governance controls, end-users can easily begin installing third-party applications in the environment without the approval of IT. Furthermore, they may not even realize they are engaging in Shadow IT, since they can add an application to the environment with only a few clicks.
Why is this dangerous? Even if a third-party application is not malicious in nature and is a legitimate tool or extension of the cloud SaaS environment, it may go against compliance requirements or other data access restrictions. Due to specific compliance regulations, organizations may need to expressly limit who or what applications have access to certain data types. When users begin installing third-party applications that have not had a proper risk analysis performed, it can lead to compliance violations.
Even worse, Shadow IT operations can lead to specific data getting leaked unintentionally or exposed to third parties that should not have access to the data. The fallout from leaked data can be tremendous, leading to fines, damaged business reputation, legal action, and financial repercussions that can last for years. Some businesses may never fully recover from a data leak incident.
Cloud SaaS applications may include storage services not sanctioned by IT that end-users may use to store work data. Essentially, this is data exfiltration from the sanctioned cloud environment and can lead to data leaks. Additionally, certain cloud apps may not protect data in-flight and at rest with proper encryption, increasing the likelihood of an attacker being able to compromise business-critical data.
Another danger of allowing unmanaged apps to be installed in your cloud SaaS environment is that it opens your organization up to the possibility of malicious applications. Attackers realize that most businesses today are storing large quantities of their production data in cloud environments. Using phishing attacks coupled with OAuth abuse, an attacker can disguise a malicious app as a legitimate application and entice an unsuspecting end-user into granting it access (an OAuth token).
OAuth tokens granted to a third-party cloud application allow the application to access the cloud SaaS environment without a password. By its very nature, OAuth is a token-based authorization mechanism that, when used properly, is a secure, cloud-native authorization protocol. However, its weakest link is the end-user. Unless a user scrutinizes the permissions requested by an application, they may be granting high levels of access to an unknown application and third party.
Key strategies for overcoming Shadow IT
With the dangers presented by Shadow IT, organizations need to use key strategies for overcoming the risks and cybersecurity challenges of Shadow IT, including:
- Employee training
- Provide sanctioned tools
- Have an accurate inventory of cloud SaaS apps
- Enforce governance policies for cloud SaaS apps
1. Employee training
As mentioned earlier, many employees engage in Shadow IT operations without even knowing it. They may simply be trying to accomplish day-to-day tasks as efficiently as possible, and installing a third-party cloud SaaS app may seem like the best approach.
Employee cybersecurity training, including training around what constitutes shadow IT operations and how users can avoid using unsanctioned apps, can go a long way in helping to curb their use. Most users want to meet the expectations of the business and align with corporate policies regarding the use of technology and other resources.
Good communication with users from both the business and technology side can help users understand the impact of Shadow IT and how they can avoid becoming involved in using unsanctioned technologies that can compromise business-critical data. In addition, ensure employees have an opportunity to review this information periodically to have the most up-to-date information on corporate technology policies.
2. Provide sanctioned tools
If employees are restricted from using unsanctioned third-party cloud SaaS apps, make sure they have an approved app that allows them to be equally productive. The first step to providing what end-users need is understanding their cloud technology needs. Asking the right questions helps to understand the needs and the proper steps forward:
- What functionality and capabilities do they need to carry out business-critical tasks?
- Is the functionality already included natively in the cloud SaaS environment?
- Have the proper risk assessments been performed on the apps requested? What compliance requirements apply?
Users who feel the business is doing its best to understand their needs and meet them with sanctioned applications that align with compliance and governance requirements will be more likely to work in harmony with these requirements.
3. Have an accurate inventory of cloud SaaS apps
Shadow IT is a tremendous problem in the enterprise because businesses often lack the visibility needed to know which apps are installed and used. Additionally, legacy monitoring and security tools cannot provide the visibility and insights needed in cloud SaaS environments as organizations move to the cloud.
Companies need modern cloud-native cybersecurity tools to understand cloud SaaS application usage, which employees are using the apps, and which data the apps are accessing. A lack of visibility into and understanding of this aspect of technology usage in your cloud SaaS organization will undoubtedly lead to Shadow IT.
4. Enforce governance policies for cloud SaaS apps
In addition to employee training, providing sanctioned tools, and having visibility into the apps used in the cloud SaaS environment, businesses must have the technology tools to enforce governance of cloud SaaS apps and their usage. Without the right policies in place, there can still be users who inadvertently use unsanctioned third-party apps. Policy enforcement also helps maintain corporate boundaries against unscrupulous users who may knowingly attempt to use unsanctioned apps.
In addition, many compliance frameworks require appropriate policies and governance guardrails to be in place to maintain the correct cybersecurity posture when dealing with in-scope or sensitive data. Technology policies help complete the various layers of compliance and security for cloud SaaS environments.
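The inventory and governance steps above (strategies 3 and 4), combined with the earlier point about scrutinizing OAuth permissions, can be sketched as a small audit over exported OAuth grant records. This is an added example, not code from SpinOne or from either cloud platform; the record fields, client IDs, app names and the three-way allow/review/revoke policy are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: client IDs of apps that IT has risk-assessed and sanctioned.
SANCTIONED = {"client-crm-001"}

# Scopes treated as high risk in this sketch: broad access to mail or all files.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
}

# Constructed sample of OAuth grant records (hypothetical export format).
GRANTS = [
    {"user": "ana@example.com", "client_id": "client-crm-001", "app": "Approved CRM",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "ben@example.com", "client_id": "client-pdf-777", "app": "PDF Helper",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"user": "cy@example.com", "client_id": "client-pdf-777", "app": "PDF Helper",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "ana@example.com", "client_id": "client-cal-042", "app": "Meeting Notes",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

def build_inventory(grants):
    """Group grants by app: who authorized it and the union of scopes it holds."""
    apps = defaultdict(lambda: {"app": "", "users": set(), "scopes": set()})
    for g in grants:
        entry = apps[g["client_id"]]
        entry["app"] = g["app"]
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scopes"])
    return dict(apps)

def evaluate(inventory, sanctioned=SANCTIONED, high_risk=HIGH_RISK_SCOPES):
    """Return one policy decision per client ID: allow, review, or revoke."""
    decisions = {}
    for client_id, entry in inventory.items():
        if client_id in sanctioned:
            decisions[client_id] = "allow"
        elif entry["scopes"] & high_risk:
            decisions[client_id] = "revoke"  # unsanctioned and holds broad data access
        else:
            decisions[client_id] = "review"  # unsanctioned, narrow scopes: queue for assessment
    return decisions

if __name__ == "__main__":
    inv = build_inventory(GRANTS)
    for cid, decision in sorted(evaluate(inv).items()):
        print(f"{decision:7} {inv[cid]['app']:15} users={sorted(inv[cid]['users'])}")
```

Note that the decision is made on the union of scopes across all users of an app, so one user's broad grant is enough to flag the app for everyone.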
How AI/ML can help automate, monitor, and mitigate issues with Shadow IT
Many organizations may have small or limited IT teams wearing many “hats” of responsibility. Even larger organizations with a security operations center (SOC) can be taxed to perform risk analyses on the thousands of apps available in cloud SaaS marketplaces. In addition to performing risk analyses on cloud SaaS apps, knowing employee behaviors, what they are installing, and which apps they are granting access to would be next to impossible to control using only manual means.
By leveraging next-generation artificial intelligence (AI) and machine learning (ML), organizations can have the technology tools needed to help provide visibility and automated actions required in today’s cloud environments. In addition, AI/ML tools help monitor cloud SaaS environments, detecting anomalies and risks that may be undetected by using manual, human-driven processes.
SpinOne provides an AI/ML-driven solution that helps organizations level the playing field of today’s cloud SaaS apps risks and Shadow IT concerns. It also helps organizations effectively prevent data leaks.
- Continuous risk level analysis of applications – SpinAudit provides visibility when users install or uninstall apps in the cloud SaaS environment. It offers automatic reviewing of applications and those that are blocked using SpinOne policies. When SpinOne blocks an app, the app’s access is revoked automatically
- User behavior analysis – SpinAudit provides security information about user behavior, including access times, applications used, the IP address users connect from, and geolocation
- The shared items control feature helps understand how cloud data is accessed and shared – See which file resources are accessed and any shared files or folders and see if these are shared publicly. You can capture events in historical dashboards. Sensitive information, such as Credit Card Numbers (CCNs), is easily identified
- SaaS security policy orchestration – With SpinOne, you can use granular policies for SaaS apps, data audits, and domain audits to customize cloud SaaS security for your environment. Policies allow for specific rule scopes, blocklisting and allowlisting, exceptions, and notification settings on a per-rule basis
- SaaS Data Audit – Using SpinOne’s SaaS Data Audit dashboard, IT admins have quick and ultimate visibility into data shared organization-wide.
- Automated Risk Assessment – SpinOne’s SaaS Risk Assessment module allows businesses to have full visibility into applications integrated into the environment and either allow or block applications based on the continuous risk and scoring provided by SpinOne.
- Ransomware protection – The automated Cloud Ransomware Protection module helps stop any cloud ransomware attack using SpinOne’s automated processes, allowing organizations to eliminate data leaks due to ransomware
Learn more about how SpinOne can help your organization mitigate Shadow IT threats here: Shadow IT – Tackling SaaS Security Risks with SpinOne