Showing results for 
Search instead for 
Did you mean: 
Create Post

Shadow IT, the Threat and How to Respond

Level 15

Shadow IT refers to a trend where users adopt IT tools and solutions outside of the knowledge or control of the official IT department. If the IT department is aware or has policies that allow systems which they don’t manage to be used, then it’s not shadow IT, but if IT doesn’t know about it and offers a comparable service then it is. For example, most IT departments are responsible for providing email. If a user chooses to use Gmail or some other email provider, then IT isn’t able to manage the risk of corporate data getting lost or stolen, email spam, or phishing attacks.

The use of shadow IT can be hard to detect. Although many agencies have network policies blocking certain sites or types of traffic, the sheer quantity and diversity of the services available can easily overwhelm an already overworked IT department. So why should they even bother? If the user is able to find a solution that works on their own, more power to them, right? Unfortunately, it’s not that easy. When users circumvent IT, then something goes wrong – the services goes down, they lose data that was only hosted there, someone steals their credentials, and copies all of the sensitive data – they look to IT for help. This leads to conversations like, “I know I’m not supposed to do this, but will you please help me make sure nobody else was able to access those files on Dropbox?”

The Threat
From our recent State of Government IT Management and Monitoring Survey, the primary concern regarding the use of shadow IT is security issues. And the use of shadow IT is in full force, with 90% of respondents seeing shadow IT being used in their environment today and 58% expect to see it continue to be used.

Shadow IT Use.png

Not only was shadow IT not a top focus area, it actually ranked at the bottom, with only 12% saying it was very important (versus 72% indicating cyber security was very important). Given that 90% of federal and civilian agencies believe shadow IT is in use in their environment, it’s the second ranking area that IT has the least control over, and the highest negative consequences of shadow IT are security issues – it’s shocking that shadow IT isn’t getting more focus.

How to respond
To create a strategy for managing shadow IT, you need to understand why your users are looking to it. Even in networks with no direct connectivity to the Internet, computers systems and critical data can easily be misused and the risk for comprise is real. To manage all of these risks, you need to understand why your users go around you and make it easier for them to work with you instead.

From the survey, we saw that the IT acquisition process is the main trigger for shadow IT, followed by perceived lack of innovation by the IT department. Of course, there is a long tail of other reasons and you should survey your users to understand exactly why they are using systems outside of you purview and specifically what those systems are.

Perceptions Triggering Shadow IT.png

One of the questions we strove to unravel during this survey was what to expect in the future, and as it turns out, there is a lot of confusion around what should be done about shadow IT as a whole. About a quarter of those surveyed believe it should be eliminated, another quarter thinks it should be embraced and the remaining half were somewhere in between.

Shadow IT Preferences and Protection.png

Although this split may appear to be conflicting, it actually makes sense. Some environments are too sensitive to tolerate any IT services that are not strictly controlled by IT. However, in many agencies, particularly civilian ones, the IT department has an opportunity to identify ways of providing better service to their customers by understanding why their users are looking elsewhere. Once a system, service, or tool has been evaluated by IT and put on the acceptable list, it’s no longer considered shadow IT. If IT can leverage these opportunities, they might be able to both deliver better service and create more productive relationships in their agencies.

What is clear, however, is that the more visibility you have in to your environment, the more confident you will be in your ability to protect your agency against the negative consequences of shadow IT.

Full survey results:


Good write-up.

It is certainly a problem at any shop. 

I know that here a group policy was put in place to only allow software to be executed from certain locations on a workstation or laptop.

Those locations are scanned for compliance.

While not perfect it is a step towards what is needed.

Level 15

Found that we had a few areas that are "Shadow IT".  Looking at process changes to real these back into the IT control.  Good article.

Level 9

I believe that the primary challenge is for IT to streamline the solution acquisition process for the customer.  I have witnessed many silos and shadow IT solutions as a result of customers losing patience.

Key considerations include the following:

  • Evaluate if an existing solution can be leveraged for the users
  • Determine if there are Developer resources available to make sure the solution isn't just "dumped" on the end users without configuration and support
  • Create timelines so that solution requests aren't stuck in the approval process for too long
  • Allow  the Business Analyst role to be fully utilized so that IT and customers can fully understand the data flow and process.  Of course, this feeds into determining if an existing solution exists and aligning customer and IT strategies.  Work to provide a new solution (if needed) within a reasonable time frame for the customers and the supporting IT staff.

Once the solution is delivered, there are several pieces that need constant consideration

  • Assigning the necessary IT support for the users and the solution
  • Maintaining a review process to make sure current solutions are functional and responsive to customer needs

A solution should include many different approaches:

  • Implementing a software whitelist solution to weed out Shadow IT applications.  Be ready, however, for a great deal of software review and justification for existing Shadow IT solutions if you go this route.  Have the time and resources to review all of the "rogue software" floating around in your environment.
  • Policy enforcement:  If there are consequences for installing non-approved software, they MUST be enforced.
  • A robust and timely response to requests for new solutions
  • Properly managed "bring your own device" policy.  This policy can lead to a culture where users begin to see that as a green light to bring their own software
  • Provide solutions that are as user friendly as publicly available solutions.  The difference between dropbox and many ftp solutions comes to mind

These were just a few thoughts that I wished to share and is by no means comprehensive.  Take care.

Level 8

This is vital information. we should not hesitate sharing this, it is very timely and it will be here for a while..

This is a very good article and ryan.calhoun‌ makes some good points, but at the end of the day, in order to eliminate/reduce Shadow IT occurrences the IT division needs approval and buy in from executive management.  This may lead to blocking and Dropbox, but if it increasing security while not effecting the operation of the actual workstation then so be it.  I realize it is a fine line and must be discuss and policies adopted to support.

Good Conversation piece!

About the Author
  Mav has been with SW since 2009. He has 10 years of IT experience on both the Network and Systems side. His favorite text editor is vi (if you listen closely, you can hear him muttering command sequence incantations under his breath).