Shadow IT: Cultivating the Garden

Shadow IT is an explosion of cloud computing adoption for business use by employees and groups with no IT involvement. Shadow IT can lead to unintended and undesirable security risks, compliance concerns and hidden costs. But through collaborative IT governance processes, it can also be made beneficial.

[Figure: shadow IT taxonomy, sanctioned versus unsanctioned cloud services]

If business units are getting what they need in a manner that is quick, cost-effective and/or convenient, then what is wrong with shadow IT anyway? The problem is that although services unsanctioned by IT may satisfy an immediate need from one part of the business, they are not optimized for all the needs, or risks, of the business as a whole.

Left unchecked, shadow IT can lead to higher costs and rising risks. The true cost of public cloud can ultimately become much higher than the nominal cost from providers as the IT organization or the business units struggle with integration, security, and other issues. Just like that higher cable TV bill that snuck up on me a few months ago, initial subscription discounts for shadow IT in the cloud can become false economies.

How Bad is It, Really?

According to the Oracle and KPMG Cloud Threat Report 2019, 92% of 450 IT and security respondents were concerned about shadow IT. Participants found that shadow IT had led to unauthorized use of data, introduction of malware, and other issues. Unfortunately, survey results also indicate policies against the use of unauthorized services are routinely flouted.

On the other hand, Entrust Datacard’s report, “The Upside of Shadow IT: Productivity Meets IT Security,” found that 77% of 1,000 respondents believed shadow IT can make businesses more competitive, and that efforts to eradicate it could actually make it more prevalent, even among IT users.

Rather than thinking of these as dueling reports, we can see them meeting in the middle on the need for a governed enterprise multicloud offering. Facing a clear and present danger, businesses will often empower security to “come up with a strategy to control shadow IT.” However, security leaders should resist the temptation to come down too hard on the business with draconian policies. Instead, they can engage the business leaders and help them understand risks and accountabilities.

With the security team’s support and a business mandate, IT should be able to resolve the shadow IT conundrum.

CASBs and Discovery Tools

Cloud access security broker (CASB) vendors offer tools to discover and control shadow IT. Vendors such as Bitglass, Bluecoat, CloudLock, Imperva, Microsoft, Netskope, Palo Alto Networks, Skyhigh Networks and others provide visibility, data loss prevention and application control over shadow IT.

At the low end, some of these vendors offer clients a free shadow IT discovery service. Such an engagement may be as simple as scanning network logs to report all cloud usage going through the firewalls. To get the full perspective on shadow IT, however, touching the endpoints outside the firewall via agents, scans or VPN backhauling will be necessary. Control can also be applied via proxies or API-mode CASBs.
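The log-scanning form of discovery described above is easy to prototype. The following is an added example, not code from the original post or from any CASB vendor: it parses a constructed proxy/firewall egress log (the line format, user names, IPs and hostnames are all hypothetical), aggregates traffic per destination host, compares each host against a sanctioned-service list, and ranks unsanctioned hosts by how many distinct users reach them, which is the signal that separates one person's experiment from a workgroup that has adopted a tool.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample egress log (hypothetical format:
# "timestamp user src_ip method url bytes"). Not real traffic.
SAMPLE_LOG = """\
2019-06-03T09:12:01Z alice 10.1.4.22 GET https://app.example-crm.com/api/leads 5120
2019-06-03T09:13:44Z bob 10.1.4.23 POST https://files.example-share.net/upload 2097152
2019-06-03T09:14:10Z alice 10.1.4.22 GET https://docs.example-suite.com/d/abc 8192
2019-06-03T09:15:02Z carol 10.1.4.31 POST https://files.example-share.net/upload 1048576
2019-06-03T09:16:30Z dave 10.1.4.40 GET https://files.example-share.net/list 1024
2019-06-03T09:17:05Z bob 10.1.4.23 GET https://app.example-crm.com/reports 4096
2019-06-03T09:18:45Z erin 10.1.4.50 POST https://paste.example-notes.io/new 512
this line is garbage and should be skipped
"""

# Services IT has already approved (constructed list for the example).
SANCTIONED = {"app.example-crm.com", "docs.example-suite.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def discover_cloud_usage(log_text, sanctioned):
    """Aggregate per destination host: distinct users, requests, bytes, upload count."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0, "uploads": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue  # malformed lines are skipped rather than aborting the scan
        entry = usage[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        if rec["method"] in ("POST", "PUT"):
            entry["uploads"] += 1  # data leaving the network is the DLP-relevant part
    report = [
        {
            "host": host,
            "sanctioned": host in sanctioned,
            "users": len(e["users"]),
            "requests": e["requests"],
            "bytes": e["bytes"],
            "uploads": e["uploads"],
        }
        for host, e in usage.items()
    ]
    # Unsanctioned services with the widest adoption first: those are the shadow IT candidates.
    report.sort(key=lambda r: (r["sanctioned"], -r["users"], -r["bytes"]))
    return report


def shadow_it_candidates(report, min_users=2):
    """Unsanctioned hosts reached by at least min_users distinct people."""
    return [r["host"] for r in report if not r["sanctioned"] and r["users"] >= min_users]


if __name__ == "__main__":
    rep = discover_cloud_usage(SAMPLE_LOG, SANCTIONED)
    for r in rep:
        flag = "sanctioned" if r["sanctioned"] else "UNSANCTIONED"
        print(f"{r['host']:26} {flag:12} users={r['users']} reqs={r['requests']} "
              f"uploads={r['uploads']} bytes={r['bytes']}")
    print("shadow IT candidates:", shadow_it_candidates(rep))
```

Run against the constructed sample, the file-sharing host surfaces first (three users, two uploads, about 3 MB out) while the single-user paste site stays below the candidate threshold. The same structure applies to real proxy or firewall exports once the regex is adjusted to the vendor's format; the sanctioned list is the governance artifact the rest of the post argues for, and the report is only as useful as that list is current.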

Although Shadow IT discovery is a great step forward, control must be tempered with collaboration among IT, business users and the workgroups. Here’s why.

The Deeper Dynamic

Business units are now the major drivers behind technology spend, causing business-wide integration challenges at unprecedented levels. Yet many IT organizations remain wedded to centralized models and don’t have a strategy to influence independently-funded business units. Without coordination, IT systems developed or used at the business unit level may duplicate one another, or not integrate well when the time comes to share data or applications.

Gardening Shadow IT: A Collaborative Approach

As one participant in an online discussion put it: “Cultivating and managing ShadowIT is a lot like gardening. It takes a green thumb, careful weeding, and balancing out the ecosystem.”

Companies can develop a tiered risk assessment process for third parties, something that can be rather easy for a smaller business. Larger businesses with multiple units and a need for hundreds of third parties should consider obtaining a third-party risk management tool, such as BitSight, ProcessUnity or SecurityScorecard.

With the need to provide enterprise multicloud governance, vendor risk management (VRM), also known as third-party risk management (TPRM), is a growing market category. When I attended the Shared Assessments Summit earlier this year, I found many vendors on exhibit. But without the tiered risk assessment process and a sustained program for engaging the business, even the best tool is less effective. As my readers know, lately I’ve been hyper-focused on business alignment through my Rational Cybersecurity for the Business Project.

Whether shadow IT projects become poisonous weeds or nutritious crops is up to risk management. Businesses that can put the pieces together (architecture, project management, procurement, risk management and the cloud) can convert shadow IT into a healthy and manageable phenomenon that contributes to operational effectiveness and competitive advantage.

We’ve helped clients address shadow IT issues through our risk program reviews and cloud security architecture improvement projects.

If, like most companies, you’re facing shadow IT issues, please contact us and we’d be happy to answer your questions through a complimentary dialogue.
