Shadow IT: How to tame unauthorised apps and services in your business

Shadow IT, or the use of outside tech tools and systems without official approval, is a major problem in the enterprise. Here's what its growth means for your IT department.

Written by Conner Forrest, Contributor Oct. 1, 2015 at 8:46 a.m. PT

Once only a problem confined to rogue techies in the office wanting their own tools, Shadow IT has recently become a broader problem. Consumerization of IT and trends like bring your own device (BYOD) and bring your own application (BYOA) mean that almost every employee is a risk factor for shadow IT.

For the uninitiated, shadow IT is the deployment of technology products and services within an organization without the formal approval of the IT department. Because the shadow IT tools weren't vetted by the proper personnel, they can potentially introduce numerous privacy and security risks within the company.

Shadow IT will continue to affect your organization, so it's essential that you understand its impact, and plan for it. For starters, we have to grasp just how big shadow IT has become.

It's bigger than ever

In addition to trends mentioned earlier such as consumerization and BYOD, users are becoming more adept at procuring new products and services.

As users see their colleagues or friends using shadow IT, it raises their expectations for IT, acording to Jon Mittelhauser of CloudBolt -- filing a helpdesk request and waiting weeks for access to certain servers or applications is becoming less acceptable, he says.

"If the IT group can't provide them the immediate access they desire, they simply pull out a credit card and go to a public cloud provider instead," Mittelhauser said. "Public cloud and SaaS providers have made access to their services simple, quick, and easy."

For example, results from a survey released in 2014 indicated that 61 percent of business units were utilizing cloud services without looping in their IT department. Cloud services are only one aspect of shadow IT, but the results are indicative of the growth of the problem as a whole.

Because shadow IT, by definition, operates outside IT's control, it can be difficult to quantify just how many shadow IT apps a company may be using. However, a recent Cisco report shows that the problem is pervasive, with the actual number of unauthorized apps in use in companies being up to 15 times more than IT leaders originally estimated.

"IT departments estimate their companies are using an average of 51 cloud services, when the reality is that 730 cloud services are being used," the report said. These numbers were broadly similar across all of the industry sectors surveyed.

In the report, Cisco also mentioned that it believes shadow IT will continue to grow. By the end of 2015, the report said, it expects the multiple between expectation and reality to be 20 times, with more than 1,000 unauthorized services in use per company.

So shadow IT, it seems, is growing rapidly -- but it's not that simple, because the the prevalence of shadow IT is changing the relationship between IT and end users.

The relationship is changing

Possibly one of the most difficult questions to answer about shadow IT is whether it's ramping up or dying down. The numbers seem to point to the former, but that doesn't take into account the way that many IT departments are altering their approach to shadow IT.

Currently, many IT leaders and executives are in the dark on shadow IT use within their organization. A Cloud Security Alliance survey found that 72 percent of respondents did not know the number of shadow IT apps used within their organization, but they wanted to.

That last part is key, because it points to a shift in the relationship between IT and end users in the enterprise in terms of how they are approaching new IT tools and services.

Businesses have recognized the problems presented by shadow IT, said CompTIA senior director of technology analysis Seth Robinson, and they have realized that it's better to be in the loop if possible. IT hasn't fully accepted shadow IT, Robinson added, but does recognize that business units know what tools work best for their functions and that they need them quickly.

"As a result, they do not want to regain complete control of the situation, but instead are looking for a partnership to help drive the right solutions in the shortest amount of time," Robinson said.

So, shadow IT may be growing, but in some instances it may be growing with the support of IT. In some ways it goes back to the thought that users will just keep doing it anyway, so it makes sense for IT to be on top of new tech so they can head potential problems off before that tech makes its way into the organization's environment.

"The best way to control shadow IT is to invite it to move inside," said Patrick Hubbard of SolarWinds. This way, you don't have to try to limit the IT budget, or fight it another way, and you can further expand the resources of IT.

To further mitigate shadow IT, said CompTIA's Robinson, IT will move toward composing service catalogs of in-house and third-party applications that can be quickly and securely implemented by business units.

However, this is a transition that will take place over time. In the meantime, tools for detecting shadow IT will continue to improve. Walter O'Brien, founder and CEO of Scorpion Computer Services and executive producer of the television show said improved tools for scanning a network to detect unauthorized apps will combine with whitelists and blacklists to better block shadow IT apps, along with other improvements.

"IT will continue to introduce preconfigured firewalls with better site blocking and blocking based more on intelligent behavior detection and monitoring rather than simply based on a URL," O'Brien said.

Additionally, users will still need education in terms of the effects of shadow IT. Administrators and IT leaders will need to help employees understand the risks of using unauthorized tools and how to implement best practices when it comes to trusting applications with company data.