- Discover all cloud applications in use at your business
- Assess the risk of your applications
- Enable the right applications
What Is Shadow IT
“Shadow IT” is the term used to describe employees of businesses using SaaS applications on their own — using laptops, smartphones, or tablets, outside corporate policies and their employer’s IT departments.
The intentions behind pursuing this route are often good – getting work done more quickly – but what looks to employees like a productivity gain can be a huge downside to the company. “Shadow IT” opens dangerous security holes that expose the corporate network and private information to theft, malware, or loss.
Shadow IT is sometimes called “BYOD” (Bring Your Own Device) or “BYOC” (Bring Your Own Cloud). Employees often resort to obtaining the application services they want or need rather than taking the time to go through company protocol. According to CipherCloud research, 86% of cloud applications used by enterprises are unsanctioned “Shadow IT” (Cloud Adoption and Risk Report for NA and Europe, 2014 Trends). CipherCloud’s study found that enterprises vastly underestimate the extent of Shadow IT cloud applications used by their organizations.
Some media sources cite a lower percentage of cloud applications that are being used by employees invisibly to IT, but our findings are based on real data gathered by our own customers and extensive cloud risk knowledge base, anonymously gleaned and evaluated to reveal informative trends.
Our recent Gigaom Research Report (Shadow IT: data protection and cloud security) also reveals findings of employees admitting to using unauthorized SaaS applications: “81 percent of line-of-business employees admitted to using unauthorized SaaS applications with 38 percent deliberately using unsanctioned apps because of the IT-approval process.”
It’s true that Shadow IT poses a big risk to companies and to data security. At the same time, it provides an opportunity for companies to discover the realities of what their employees need and respond with a strategy for offering SaaS solutions that fit their employees’ needs for productivity, while also being secure and not posing threats to sensitive corporate data.
By increasing their awareness of how employees are using their devices and apps, corporations can bring many benefits to their business. Migration to the cloud and SaaS applications is here to stay and is increasing daily. The first step to a successful plan for managing Shadow IT is to gain complete insight into employee activity – the devices and the SaaS applications they need and are using.
Unsanctioned Apps Are Used Prominently in Corporations
Core business process applications: Many core business processes are moving to cloud-based platforms to reduce infrastructure and improve agility and competitiveness. In these cases, the data and uses are well understood, but sensitive or regulated data may require additional protections to ensure security, compliance, and data integrity.
Sanctioned collaboration applications: Businesses are increasingly adopting cloud-based collaboration applications to extend their reach and streamline interaction, but in most cases, there is limited visibility into the data going to the cloud, user activity, and risks to the data. These applications typically involve unstructured data (such as shared files, email, attachments, notes, and messages) that can represent an easy avenue for data loss.
Non-sanctioned shadow IT: Users can easily access thousands of cloud applications and are increasingly using them for business purposes. However, organizations have little visibility or control over what applications are used, what data is stored in these applications, and the security risks involved.
Shadow IT Infographic
Infographic – Shadow IT: Cloud Adoption and Risk Report
Download Report: Shadow IT: Cloud Adoption and Risk Report
Shadow IT is a growing menace—an insidious covert activity undermining a CIO’s ability to run an efficient, safe and coordinated IT department. Read more about what others think about it.
What Experts Are Saying
An organization’s users can now create their own IT infrastructure. Read how in this Briefing Note about CipherCloud and Storage Swiss.
Compliance Impact Zone
Compliance laws impact — and are impacted by — Shadow IT
When employees circumvent IT resources to use cloud-based services without the company being aware, the company loses control of where its data is going. Such loss of control puts the company at risk of data exposure and compliance violations. While Shadow IT did not start with cloud computing or Software as a Service (SaaS) offerings, the cloud has made bypassing the IT department easier and has exacerbated compliance difficulties.
According to Gigaom Research, “Software-as-a-Service (SaaS) is growing at 199 percent. We find that SaaS is the typical home for shadow IT. It is growing because end-users are impatient with IT and looking for alternatives.” The increasing availability, convenience, and low cost of cloud services (SaaS) have made it highly attractive for companies to adopt these services and resources as a fundamental part of their business operations. Doing so has given their employees convenient options for getting their work done more efficiently. But it has also opened the door for employees to find and obtain services and apps for themselves to perform work tasks in ways that bypass their company’s IT department.
When an organization’s employees use personal IT devices, services, and resources outside their company IT department’s management and oversight (non-company-sanctioned), the risk of exposing confidential data to unauthorized parties is tremendously increased. As the risks of data loss and exposure increase, so do the chances an organization will be in violation of regulatory compliance requirements. What initially begins as employees’ intentions to save time and accomplish tasks more expediently creates the potential for security breaches that can cost millions of dollars and ruin a business reputation.
The compliance impact of Shadow IT is global
Shadow IT undermines efforts to comply with federal and state data protection regulations. Many require companies to ensure that the paths their information follows are traceable. The use of shadow IT apps and services outside of IT control can violate this requirement right out of the gate (literally). This is relevant not only to national data protection laws, but to the laws of numerous countries around the globe as well.
Data loss is known to occur due to employee use of Shadow IT devices
According to the research noted below, a high percentage of data loss does occur from employees using unsanctioned (shadow IT) services.
— Organizations vastly underestimate the level of Shadow IT when it comes to cloud adoption. Hundreds of high-risk cloud applications are in common use across North America and European enterprises. The average global enterprise uses more than 1,100 applications. (CipherCloud Cloud Adoption Risk Report for North America and Europe)
— 70 percent of unauthorized access to data is committed by an organization’s own employees. (Gigaom Research Report, Q2 2014)
— Additional facts from CipherCloud’s research:
> 86% of Cloud applications are unsanctioned
> 10% – 50% of Cloud applications are not visible to IT
So what can be done?
Steps can readily be taken to mitigate a company’s risks.
1. Discover all cloud applications in use—find out what you don’t know and learn what your employees need.
2. Assess the risk of your applications—verify which ones are secure.
3. Enable the right applications–saying ‘no’ to your employees will likely not be effective, so give them what they need.
For more steps, see our report CIO Guide to Enterprise Cloud Adoption – 9 Steps to Enable the Cloud While Maintaining Visibility and Control