A computer, to me, is the most remarkable tool we [human beings] have ever come up with, and it's the equivalent of a bicycle for our minds
- Steve Jobs
What is the purpose of a computer? Today, we think of computers as an inextricably linked part of humanity. They are explicable forms of magic that allow us all to become magicians and perform feats that deftly defy the diminutive heights set by our ancestors. They are a miracle. And for many, without them, we are forced to return to our mere mortal forms, just chimps in the dirt with sticks.
Unfortunately, in business, we seem to have forgotten this. We like to treat computers and the people using them as resources to be controlled. "Sure, you can have the magic, but only the spells we approve." But for employees, this is an unacceptable and punitive position. So through ignorance or malice, employees ignore what they see as arbitrary restrictions and continue to use what they know even if they have to use their own device to do it. Now everyone loses. Welcome to the world of Shadow IT.
Shadow IT at its core is created when employees use tools and services that they believe provide them with significant value, even when IT believes they could cause greater harm to the business. This often happens beyond the sight of IT teams, hence the name.
In this article, we will try to unpack this phenomenon and its actual risks, and find ways to make a dent in solving it.
It's hard to imagine how I could know anything about your company, but for most folks reading this, the following scenarios will likely hit close to home:
We recently wrote about Grammarly. It is an incredible tool that allows folks who may not be comfortable writing grammatically correct English to produce fluid, cogent, and concise writing. The rub? Grammarly sends any text it checks to their cloud. For a business with strict confidentiality agreements, a single employee unknowingly transmitting privileged data to a third party could have severe legal consequences.
Grammarly is a canonical example of Shadow IT in action. The business provides indirect incentives for people to want to write better; a company emerges to fill that need, employees use it unaware of the greater risks to the business.
Another typical example is third-party cloud services like Dropbox. End-users may be concerned about losing their data, syncing personal preferences, or wanting to access useful files they didn't produce on their company laptop. While these all are reasonable use-cases on their surface, dig deeper and major concerns emerge.
Imagine a developer who decides to synchronize their entire home folder but, in the process, inadvertently syncs their .ssh/ folder, which includes keys that allow them to access production services. These files could now be synchronized to any other of the employee's personal laptops, some of which may not even have full disk encryption. It's a major security incident waiting
In both situations, employees are reaching for tools they know and trust but don't have the full context of how they could be dangerous for the organization. Shadow IT problems stem from this fundamental constant, a lack of awareness of the real risk to the business.
While the risks of each instance of Shadow IT are specific to the software's capabilities, over time we can extrapolate many commonly seen risks.
The undeniable truth of Shadow IT is once you discover it, you also have a second problem, a big visibility gap. Whether it's devices on a network you cannot account for or an inability to answer basic questions like, "What Chrome extensions are installed that only appear on a single device?" a lack of sight is what creates the opportunity for Shadow IT to emerge unchecked. If you can't see that, what else are you missing?
Much of Shadow IT comes from employee ignorance that other solutions are available. Instead of leveraging economies of scale and getting a great deal on two screen-sharing platforms, your company has twenty (that you know of). Many of these products rely on network effects to provide their value; everyone needs to be using the solution for it to be valuable. An excellent example of this is Slack. These software silos eventually lead to data silos, as each service, looking to be "sticky," foists proprietary formats on its users and lacks interoperability. The result is that employees cannot share information with their colleagues, while the lack of consistent processes and integrated workflows can impact data governance and operational cost-efficiency.
These costs feel small at first but can add up, especially when a company starts to grow quickly (and acquire other businesses).
More "stuff" (software, services, devices) means more stuff to attack. The Attacker's Advantage and the Defender's Dilemma tells us that it takes just one poor decision to create an opportunity for an attacker to subvert millions of dollars of intentional defense. It's an unfair playing field, and Shadow IT tilts the tables even further in the direction of the bad guys.
When IT and Security review vulnerability announcements without a complete understanding of the software/services landscape, they cannot react to critical warnings from vendors. They can't even enumerate the vendors!
Having Shadow IT nearly guarantees sensitive, proprietary, or otherwise valuable data leaves your company devices and production services and ends up in places it shouldn't. Many of the most valuable services generate money not through direct payment but by indiscriminately vacuuming up metadata in the hopes it can be packaged up and sold to others. Other times it's more direct; for example, when employees upload production data to a cloud storage service and back to their personal devices, malicious actors could intercept the files in transit. If the personal device is shared, stolen, or breached, the information may fall into the wrong hands.
When employees sign up for SaaS services on their own, they cannot integrate them with the company's centralized SSO. Instead, that could mean they are using traditional email addresses and passwords to access a service that could eventually host essential production data. If they use the same password for multiple accounts, all it takes is one breach to unlock a treasure trove of access for potential attackers.
If you don't know what accounts employees have created to handle company data and business processes, you can't revoke their access when they leave the company. This lack of visibility can become a vulnerability when Shadow IT undermines effective employee off-boarding. How can you be sure that your sensitive data isn't lurking somewhere on the internet, waiting to be stolen?
Unsanctioned integrations to facilitate data sharing are often against security compliance guidelines, while custom configurations can undermine existing security settings. Not to mention, if you can't track and monitor where your data is and how it's used, you can't provide the documentation required to stay compliant with data protection regulations (e.g., GDPR, SOC 2, HIPAA, CCPA, and more.)
Shadow IT left to rot is a big problem, so it's easy to see why IT teams reach for big preventative hammers like depriving users of administrative rights or blocking the installation of all unknown programs. These types of actions can make matters much worse.
As I wrote about in the Honest Security guide, when you create roadblocks that impede employees' ability to do their job, they will often reach for the path of least resistance. In a world dominated by remote work, opening an IT ticket to request new software is no longer necessary. Instead, users can reach for their personal devices and use the tools and services they are used to. While horrifying for IT, it's surprisingly common and perhaps one of the worst outcomes possible.
The problem here is preventative blocking outright often deprives users of the opportunity to understand the rationale for why a program may be harmful. It also deprives users who are trying to swiftly solve a problem of any automatic workflow to plead their case. A human now must intervene on behalf of IT. How frustrating! Instead of extreme proactive measures, we need to be reactive and meet users halfway.
The most effective strategies for Shadow IT preserve end-users' autonomy while giving IT and security teams effective automated ways to educate end-users about risks and make them participants in the process. By definition, then, the solution must be reactive. We must wait for an employee to make an error in judgment and quickly correct it. Instead of just shutting it down, we can take the opportunity to see how we can improve processes, technology, or user experience to prevent it from happening again in other parts of the organization. When we approach Shadow IT from this perspective, both sides learn something.
The key to scoping your Shadow IT problem is to invest heavily in visibility into endpoints while being mindful not to create a surveillance state that drives people to use personal devices. I talk about this at length in the Honest Security Guide, and there are tools like Osquery that can get you started down this path. You can use these tools to identify the apps and programs that are likely causing issues today.
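As an added illustration (not queries from the article or from Kolide), here is what that endpoint visibility looks like in osquery SQL on a single macOS host, using the documented apps, users, chrome_extensions and file tables; the app names matched and the Dropbox path are assumptions for the scenarios the article describes.

```sql
-- Added example, not part of the original article. Assumes a macOS host
-- running osquery with its standard apps, users, chrome_extensions and
-- file tables. Name patterns and paths are illustrative assumptions.

-- 1. Sync and writing-assistant clients like the ones the article names
--    (Dropbox, Grammarly), as installed application bundles.
SELECT name, bundle_identifier, bundle_short_version, path
FROM apps
WHERE name LIKE '%Dropbox%'
   OR name LIKE '%Grammarly%';

-- 2. Chrome extensions per local user. chrome_extensions requires a uid
--    constraint, so it is joined through the users table.
SELECT u.username, ce.name, ce.identifier, ce.version, ce.permissions
FROM users u
CROSS JOIN chrome_extensions ce USING (uid);

-- 3. The .ssh-in-Dropbox scenario: key material sitting inside a synced
--    folder. The file table needs a path constraint; '%' matches one
--    path component, so this covers every user's Dropbox/.ssh directory.
SELECT path, size, datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE '/Users/%/Dropbox/.ssh/%';
```

Each query answers the question for one device; the article's "which extension appears on only a single device" question needs these results collected across the fleet and grouped by extension identifier.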
All of this must be done while respecting employees' privacy. For example, they should know which device you're monitoring and who has access to their data. After all, if you aren't transparent with your employees, you can't expect them to be honest with you.
Once you have visibility into the situation, the next step is to find ways to contact users when you've found a potential issue. At Kolide, we heavily leverage Slack because it's a place employees are used to receiving important messages, the messages can be actionable, and people tend to read them. The key in any automated messaging is you explain not just the "what" but also the "why." Remember, the key here is to educate so people can extrapolate to other things they might be doing wrong.
A well-crafted message may also suggest IT-approved alternatives. It can encourage users to share red flags they might have encountered when using the unsanctioned software (e.g., data synced to personal devices) so IT can address potential risks proactively.
Part of the benefit of educating end-users is creating conversations for them to push back with reasonable use-cases you may not have thought about. This is important visibility and feedback for the IT team, so this feedback must be captured and actioned in a way that is visible to end-users.
On the other side of the coin, you may have users who refuse (or are afraid) to engage. Now that you have communicated with them, it's okay for the gloves to come off a bit and give the end-user a call, or if that fails, start taking defensive measures to keep the company safe. The key here is that we didn't assume punitive actions were necessary from the get-go, but now, it's the only tool left.
You might wonder if a reactive process is "too little too late." In my view, it is not. In the vast majority of cases, the actual risks of Shadow IT are only realized much later than the initial installation of the offending app. Also, unless a compromise occurs, a willing employee can reverse much of the damage. For example, an employee who accidentally synced their work code folder to Dropbox can be admonished and asked to remove it.
If you don't want to be only reactive, there are preventative measures you can take, but they aren't technical. Instead of treating prevention like a technology problem, it should be treated as an employee education problem.
It's vital to proactively get a pulse of what people's needs are and procure, define, or promote official sanctioned solutions for those needs. In many cases, people are happy to use the official tools, but usually, there isn't a great way to discover what they are or how to acquire them.
A central wiki with this information pairs nicely with the reactive approach mentioned above: not just telling users that they can't do something, but also directing them to the valuable alternatives (and to where they can find information like this next time).