Shadow IT

Shadow IT refers to unauthorized IT systems and applications used within organizations, often perceived as more efficient than approved solutions, but posing significant security and compliance risks. Common sources include file storage solutions, productivity tools, messaging apps, and email services, leading to issues like data loss, lack of IT control, and financial risks. Managing Shadow IT requires a strategic approach, including discovery, risk assessment, compliance evaluation, and continuous monitoring to ensure security and productivity.

Uploaded by

gemstone lab
Copyright: © All Rights Reserved

Shadow IT

Hiral Patel
@gisacouncil
Introduction
Shadow IT refers to information technology systems, applications, or
services used within an organization without explicit approval or oversight
from the IT department. These can include software, hardware, or cloud-
based tools employees use to perform their tasks, often because they
perceive them to be more efficient or user-friendly than the official IT
solutions provided by the organization.
Examples of Shadow IT:
Employees using personal file-sharing platforms like Google Drive or Dropbox for work purposes.
Team members adopting unapproved project management tools like Trello or Asana.
Developers deploying unapproved cloud services or infrastructure without IT's knowledge.
Why do employees use Shadow IT?
Employees often adopt unauthorized tools and systems to enhance
efficiency and overcome the perceived shortcomings of officially approved
IT solutions. This creates a parallel IT infrastructure operating outside the IT
department’s oversight, offering potential benefits in productivity but also
introducing significant risks to enterprise security and compliance.

Here are the most common reasons why employees choose Shadow IT:
Employees find approved software and services inefficient
Approved software is complicated and uncomfortable to work with
Allowed solutions are incompatible with employees’ devices
Employees don’t fully understand the security risks posed by shadow IT
Common Sources of Shadow IT
1. File Storage Solutions
Employees often resort to unauthorized tools for file sharing and storage,
such as personal accounts on Dropbox or Google Drive, to exchange files,
folders, or screenshots. These tools may not meet organizational security
standards, posing a significant risk. Consider, for instance, a service like
WeTransfer used to share large files. While it is user-friendly, files shared via
WeTransfer may not always be encrypted end-to-end, exposing sensitive
corporate data to potential interception or unauthorized access.
Additionally, if shared links are misused or fall into the wrong hands,
confidential information could be compromised.
2. Productivity, Collaboration, and Project Management Tools
In an effort to improve teamwork and productivity, employees often turn to
online tools like Trello, Asana, or Zoom for collaboration. While these tools
can enhance workflow, using them without proper security measures can
inadvertently lead to data leaks. Sensitive work-related information shared
through unsecured or misconfigured accounts may expose the organization
to privacy risks and compliance violations.
3. Messaging Apps
Employees frequently use messaging apps like WhatsApp, Signal, or
Telegram for both work-related and personal communication. Sharing
sensitive corporate files, data, or credentials over these unsecured
platforms can pose significant cybersecurity risks, including potential data
breaches. To mitigate this, organizations must implement and enforce the
use of consistent, secure communication tools that align with company
policies and safeguard information.
4. Email Services
Most employees manage both personal and corporate email accounts, which
can often lead to unintentional mistakes, particularly when employees
handle a high volume of emails daily. The risk of accidentally sending
sensitive corporate data from a personal email account, or vice versa, is
significant.
Risks associated with the use of Shadow IT
1. Lack of IT Control
When the IT department is unaware of the software being used within
the corporate network, it becomes impossible to assess the security and
safety of those tools. Without this visibility, IT cannot properly secure
corporate assets, increasing the risk of vulnerabilities. This lack of
oversight can significantly expand attack surfaces, creating more entry
points for cybercriminals to exploit. As a result, it becomes harder to
detect and mitigate threats, leaving critical systems and sensitive data
more exposed to attacks.
2. Data Loss and Data Leaks
Using shadow IT solutions can expose organizations to significant risks,
such as unauthorized access to sensitive data. Employees may
inadvertently gain access to information they should not be handling,
which can lead to potential data leaks. Additionally, these unapproved
tools may not have adequate data backup or recovery systems in place.
If an unexpected issue arises—such as a system failure or data breach—
critical business data could be lost, as employees may not have
implemented a proper data recovery strategy. This can result in
significant financial and reputational damage to the organization.
3. Unpatched Vulnerabilities and Errors
Software vendors frequently release patches to address vulnerabilities
and fix errors in their products. Typically, it is the responsibility of an
organization's IT team to monitor these updates and apply them
promptly. However, with shadow IT, this becomes a challenge. Since IT
administrators are unaware of all the unauthorized tools in use, they
cannot ensure that these applications are kept up to date. As a result,
unpatched vulnerabilities and unresolved errors in shadow IT solutions
create additional security risks, leaving the organization open to
potential exploits and cyberattacks. This lack of visibility can severely
impact an organization's overall security posture.
4. Compliance Issues
Shadow IT can lead to significant compliance violations, exposing
organizations to potential fines, lawsuits, and reputational damage. For
example, under regulations like the General Data Protection Regulation
(GDPR), organizations are required to process personal data in a lawful,
fair, and transparent manner. Without full visibility into the software tools
employees are using, companies cannot ensure that only authorized
personnel have access to sensitive data. This lack of control makes it
difficult to maintain compliance with privacy laws and industry
standards, putting the organization at risk of penalties and legal
consequences.
5. Inefficiencies
Although many people turn to shadow IT in an effort to boost
productivity, it often leads to the opposite effect. New technologies and
tools used without IT approval can disrupt existing systems and
processes, creating more challenges than solutions. Before
implementing any new software within the corporate network, it must be
thoroughly tested and vetted by the IT team. This ensures the software
integrates properly, works as expected, and does not cause conflicts with
other software or hardware, which could lead to costly failures or
inefficiencies.
6. Financial Risks
Using unapproved software and services can lead to unnecessary costs
because they often do the same job as the approved tools. This causes
your company to waste money. Additionally, shadow IT can lead to
security problems, which might result in expenses for fixing the damage,
fines for not following cybersecurity rules, and legal costs. These risks can
quickly add up, making the use of unauthorized software a much more
expensive choice in the long run. It's important for companies to keep
track of all the tools their employees use to avoid these financial
problems.
Managing Shadow IT
Managing Shadow IT effectively requires a strategic approach that balances
security, compliance, and productivity.
Phase 1: Discover and Identify Shadow IT
Step 1: Discover Shadow IT
The first step in managing Shadow IT is to discover unauthorized software
and systems in use within the organization. This can be done through
several methods, including network monitoring, software discovery tools,
and employee surveys. Network monitoring tools can help identify devices
connected to the network and the applications being used, allowing IT
teams to spot any unauthorized software. Cloud access security brokers
(CASBs) can provide visibility into cloud services being used, while endpoint
detection and response (EDR) systems can track unauthorized applications
on employee devices.
Step 2: Identify the Risk Levels of Your Apps
After discovering shadow IT, the next step is to evaluate the risk level of each
unauthorized app. This involves assessing the potential security,
compliance, and operational risks associated with each application. Factors
to consider include the sensitivity of the data being processed, the app's
security features, its integration with other systems, and its compliance with
relevant regulations (e.g., GDPR, HIPAA). Tools like risk assessment
frameworks, security ratings, and vulnerability scanners can help classify
the risk levels. High-risk apps should be addressed immediately, while
lower-risk apps may be monitored or approved with additional safeguards
in place. This evaluation helps prioritize which apps require action and
ensures a balanced approach to managing shadow IT.
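As an added example (not from the deck), here is how the discovery and risk-tiering of Phase 1 can be prototyped over web-proxy logs rather than a CASB console: the log lines, the sanctioned host list and the app catalog with its compliance attestations are all constructed for illustration, and the tiering rule is a simplified stand-in for a real risk-assessment framework.

```python
from collections import Counter

# Constructed sample web-proxy log (not real traffic): timestamp, user, department, destination host, bytes.
PROXY_LOG = """\
2024-05-01T09:02:11 alice marketing app.asana.com 48213
2024-05-01T09:05:40 bob engineering api.dropbox.com 9310044
2024-05-01T09:07:02 carol marketing wetransfer.com 73120011
2024-05-01T09:09:55 dave finance outlook.office365.com 120311
2024-05-01T09:12:18 erin marketing wetransfer.com 51200999
2024-05-01T09:15:30 frank engineering trello.com 20044
2024-05-01T09:20:03 alice marketing wetransfer.com 10000
""".splitlines()

# Hosts of IT-approved services; traffic to them is not reported as shadow IT.
SANCTIONED = {"outlook.office365.com"}

# Hypothetical app catalog: host -> (app name, category, compliance attestations). Illustrative values, not vendor facts.
CATALOG = {
    "api.dropbox.com": ("Dropbox", "cloud storage", {"soc2"}),
    "wetransfer.com": ("WeTransfer", "cloud storage", set()),
    "app.asana.com": ("Asana", "project management", {"soc2", "gdpr"}),
    "trello.com": ("Trello", "project management", {"soc2"}),
}

def risk_tier(category, attestations):
    """Storage apps handle files (sensitive data), so any missing attestation makes them high risk."""
    missing = {"soc2", "gdpr"} - attestations
    if category == "cloud storage" and missing:
        return "high"
    return "medium" if missing else "low"

def discover(lines):
    """Aggregate unsanctioned traffic per app: distinct users, bytes, requests per department, risk tier."""
    findings = {}
    for line in lines:
        _ts, user, dept, host, nbytes = line.split()
        if host in SANCTIONED:
            continue
        name, category, attest = CATALOG.get(host, (host, "unknown", set()))  # unknown host: report by name
        f = findings.setdefault(name, {"users": set(), "bytes": 0, "departments": Counter(),
                                       "tier": risk_tier(category, attest)})
        f["users"].add(user)
        f["bytes"] += int(nbytes)
        f["departments"][dept] += 1
    return findings

def dominant_department(finding):
    """Department sending most requests; concentration in one team hints at a business need."""
    return finding["departments"].most_common(1)[0][0]
```

Running `discover(PROXY_LOG)` on the sample yields WeTransfer as a high-risk app with three users, all in marketing, which is exactly the pattern the deck says should trigger a search for a sanctioned alternative rather than a silent block.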
Phase 2: Evaluate and Analyze
Step 1: Evaluate Compliance
To assess whether apps meet your organization's compliance standards,
such as HIPAA or SOC2, begin by checking their certification and compliance
status. In the Microsoft Defender Portal, navigate to Cloud Apps and select
Cloud Discovery. Then, go to the Discovered Apps tab and filter the list
based on compliance risk factors of concern. For example, use the
suggested query to exclude non-compliant apps. You can further explore an
app's compliance details by selecting its name and viewing the Info tab,
where you'll find specific information on its compliance risk factors. This
process helps ensure that only compliant apps are allowed within your
network.
Step 2: Analyze Usage
Once you've determined whether an app is suitable for your organization, it's
essential to investigate how it's being used and by whom. If its usage is
limited, it may be acceptable, but if its use is increasing, you should monitor
it more closely to decide whether to block the app. In the Microsoft Defender
Portal, go to Cloud Apps and select Cloud Discovery, then navigate to the
Discovered Apps tab. Drill down into specific apps and check the Usage tab
for details on active users and traffic levels. To see which users are
engaging with the app, click on Total active users. If an app's usage is
concentrated in a department, such as Marketing, it may indicate a
business need, and you may need to find a safer alternative.
For deeper insights, explore subdomains and resources to track specific
activities, data access, and resource usage within cloud services.
Step 3: Identify Alternative Apps
To find safer alternatives to risky apps, use the cloud app catalog to
discover applications that provide similar business functionality while
complying with your organization’s security policies. You can utilize
advanced filters to search for apps within the same category that meet
specific security controls, ensuring they align with your organization's
standards. This approach helps you identify compliant tools that can
replace non-compliant ones, maintaining productivity while reducing
security risks.
Phase 3: Manage Your Apps
Step 1: Manage Cloud Apps
Defender for Cloud Apps helps streamline the management of app usage
within your organization. Once you've identified usage patterns and
behaviors, you can create custom app tags to classify apps based on their
business relevance or justification. These tags can then be utilized for
monitoring specific activities, such as tracking high traffic to apps tagged
as risky, like cloud storage services. App tags are managed under Settings >
Cloud Apps > Cloud Discovery > App Tags and can be applied for filtering
apps in the cloud discovery pages. Additionally, these tags can be used to
create targeted policies for better security and compliance management.
Step 2: Continuous Monitoring
After thoroughly investigating the apps, it's important to set up monitoring
policies to maintain control. You can create policies to automatically alert
you when certain activities or behaviors are detected. For instance, you may
want to create an app discovery policy that notifies you of sudden spikes in
downloads or traffic for apps of concern. To do this, enable policies like
Anomalous Behavior in Discovered Users, Cloud Storage App Compliance
Check, and New Risky App. Ensure that notifications are sent via email for
timely alerts. For more detailed guidance, refer to the policy template
reference, cloud discovery policies, and instructions on Configuring App
Discovery Policies.
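As an added example (not part of the original deck, and independent of Defender for Cloud Apps), the spike and new-risky-app policies described above expressed as plain checks over daily per-app traffic: the history, today's volumes and the risky-tag set are constructed, and the 3x-median threshold and 100 MB floor are assumed tuning values.

```python
from statistics import median

# Constructed daily upload volume in MB per app for the previous 7 days (not real data).
HISTORY = {
    "WeTransfer": [40, 52, 38, 45, 50, 41, 47],
    "Asana": [5, 6, 5, 7, 6, 5, 6],
}
# Constructed volumes observed today; "Mega" has never been seen before.
TODAY = {"WeTransfer": 310, "Asana": 7, "Mega": 120}

# Apps carrying a "risky" tag from discovery (hypothetical tag set, e.g. cloud storage services).
RISKY_TAGS = {"WeTransfer", "Mega"}

SPIKE_FACTOR = 3.0    # today's volume must reach 3x the 7-day median ...
MIN_VOLUME_MB = 100   # ... and an absolute floor, so tiny apps do not page anyone

def spike_alerts(history, today):
    """Flag apps whose volume today jumps well above their recent median."""
    alerts = []
    for app, volume in today.items():
        past = history.get(app)
        if not past:
            continue  # no baseline yet; first sightings are handled by new_risky_app_alerts
        baseline = median(past)
        if volume >= SPIKE_FACTOR * baseline and volume >= MIN_VOLUME_MB:
            alerts.append({"policy": "traffic spike", "app": app,
                           "baseline": baseline, "today": volume})
    return alerts

def new_risky_app_alerts(history, today, risky_tags):
    """Flag apps appearing for the first time that already carry a risky tag."""
    return [{"policy": "new risky app", "app": app, "baseline": None, "today": volume}
            for app, volume in today.items()
            if app not in history and app in risky_tags]

def evaluate_policies(history, today, risky_tags):
    """Run both policies; the returned list is what the email notification would carry."""
    return spike_alerts(history, today) + new_risky_app_alerts(history, today, risky_tags)

def format_notification(alert):
    """One-line email body per alert."""
    if alert["policy"] == "traffic spike":
        return (f"[{alert['policy']}] {alert['app']}: {alert['today']} MB today vs "
                f"{alert['baseline']} MB median over the last 7 days")
    return f"[{alert['policy']}] {alert['app']}: {alert['today']} MB on first sighting"

if __name__ == "__main__":
    for alert in evaluate_policies(HISTORY, TODAY, RISKY_TAGS):
        print(format_notification(alert))
```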

1 3

2 4
Food for Thought
How can organizations reduce the risks of Shadow IT?
A) Encourage the use of non-cloud applications
B) Monitor unauthorized apps and create policies to block high-risk ones
C) Limit employee access to cloud services entirely
D) Disallow the use of personal devices for work
Thank You
I hope it was useful

Follow me on LinkedIn for more content

CONTACT INFO
+91 960-110-3255
HIRALAPATEL
