Shadow IT is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software, and hardware.
The main area of concern today is the rapid adoption of cloud-based services. The growth of shadow IT has accelerated with the consumerization of information technology. Users have become comfortable downloading and using apps and services from the cloud to assist them in their work.
Cloud access security brokers (CASBs) can help by providing both visibility and control of software-as-a-service (SaaS) apps.
Shadow IT includes all forms of IT-related activities and purchases that the IT department isn’t involved in. These purchases can consist of:
Cloud services, especially SaaS, have become the biggest category of shadow IT. The number of services and apps has increased, and staff members routinely install and use them without involving the IT group.
Empowered users can quickly and easily get tools that make them more productive and help them interact efficiently with co-workers and partners.
Serious security gaps may result when an IT department doesn’t know what services and applications are being adopted. “App sprawl,” wasted time and money, and collaboration inefficiencies are other common problems.
Any application that a department or end user adopts for business purposes without involving the IT group is considered a shadow IT application. These applications fall into three major categories:
With the consumerization of IT, hundreds of these applications are in use at the typical enterprise. The lack of visibility into them represents a security gap. Although some applications are harmless, others include functionality such as file sharing and storage, or collaboration, which can present big risks to an organization and its sensitive data. IT and security departments need to see what applications are being used and what risks they pose.
OAuth-enabled applications are convenient because they use existing credentials. But they also include permissions to access information in the core application (Office 365 and G Suite, for example). These permissions increase the attack surface and can be used to access sensitive data from file-sharing and communication tools. OAuth-enabled applications communicate cloud to cloud, so they don’t hit the corporate network. They are a blind spot for many organizations. Recent OAuth-related attacks have highlighted the need for better visibility and control of these connected apps.
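One way to turn the OAuth visibility problem above into a concrete check is to triage each consent grant by the scopes it was granted, the publisher's verification status and whether IT already sanctions the app. The example below is added here and is not from the original page; the scope weights, the allow-list, the review threshold and the sample grants are all illustrative assumptions, not data from a real tenant.

```python
"""Triage OAuth consent grants for shadow-IT risk (added example; weights and data are assumptions)."""
from dataclasses import dataclass
# Assumed weights: how much data a scope exposes if the app or its token is abused.
SCOPE_RISK = {
    "openid": 0, "profile": 0, "User.Read": 1,
    "offline_access": 2,   # refresh token: access persists after the user's session ends
    "Files.Read.All": 4, "Mail.Read": 4,
    "Files.ReadWrite.All": 5, "Mail.Send": 5,
}
UNKNOWN_SCOPE_RISK = 3            # scopes not in the table count as medium risk
REVIEW_THRESHOLD = 6
SANCTIONED_APPS = {"Corp Expense Tool"}   # assumed allow-list maintained by IT

@dataclass
class Grant:
    app_name: str
    publisher_verified: bool
    scopes: list

def assess(grant: Grant) -> dict:
    """Score one consent grant and record which factors drove the score."""
    score, reasons = 0, []
    for scope in grant.scopes:
        weight = SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK)
        score += weight
        if weight >= 4:
            reasons.append(f"high-privilege scope {scope}")
        elif scope == "offline_access":
            reasons.append("persistent access via refresh token")
        elif scope not in SCOPE_RISK:
            reasons.append(f"unclassified scope {scope}")
    if not grant.publisher_verified:
        score += 3
        reasons.append("unverified publisher")
    if grant.app_name in SANCTIONED_APPS:
        status = "sanctioned"      # known to IT: report but do not flag
    elif score >= REVIEW_THRESHOLD:
        status = "review"          # shadow app with broad access to files or mail
    else:
        status = "monitor"
    return {"app": grant.app_name, "status": status, "score": score, "reasons": reasons}
def triage(grants):
    # Riskiest first, so reviewers start with the grants that matter most.
    return sorted((assess(g) for g in grants), key=lambda a: -a["score"])
# Constructed sample grants, in the shape a tenant's consent export might provide.
SAMPLE_GRANTS = [
    Grant("Corp Expense Tool", True, ["openid", "profile", "User.Read"]),
    Grant("QuickShare Sync", False, ["offline_access", "Files.ReadWrite.All"]),
    Grant("Calendar Helper", True, ["User.Read", "Calendars.Read"]),
    Grant("Mail Digest", True, ["Mail.Read", "offline_access"]),
]
```

Running `triage(SAMPLE_GRANTS)` puts the unverified file-sync app and the mail-reading app at the top of the review list, while the sanctioned expense tool is reported without being flagged.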