
Shadow IT - Unapproved Technology Use


Shadow IT is a collective term for the IT services, applications, and devices that employees adopt and use on their own, without the approval or oversight of the organization's IT or security department. Storing work files in a personal Google Drive, managing projects with an unapproved SaaS tool, or reading work email on a personally owned smartphone all qualify as shadow IT. According to a Gartner survey, 30 to 40% of an enterprise's IT spending occurs outside the IT department's visibility, posing serious risks for both compliance and security.

Why Does Shadow IT Arise?

The root cause of shadow IT is the gap between official tools and the needs of the front line. When the approval process takes weeks, the official tool's UI is hard to use, or a needed feature is unavailable, employees prioritize work efficiency and turn to unofficial means. Especially since the spread of remote work, the business use of personal devices and personally contracted cloud services has surged, further reducing the IT department's visibility.

Slow Approval Process
Internal approval takes weeks. The front line cannot wait and solves it on its own.

Dissatisfaction with Official Tools
Missing features and poor usability drive the shift to unofficial tools.

Remote Work
At home, the boundary between personal devices and personal services becomes blurred.

The Risks Shadow IT Brings

The greatest risk is data leakage. When work data is stored on services the IT department is unaware of, recovering data upon an employee's departure, auditing access rights, and investigating incidents all become difficult. Cases where customer information is left behind in a personal cloud storage account are endless. Moreover, if an unapproved service does not comply with regulations such as GDPR, the entire organization bears the risk of a compliance violation.

Visibility and Control with CASB

CASB (Cloud Access Security Broker) is a solution for gaining visibility into the cloud services employees use and controlling them according to policy. It analyzes network traffic to detect unapproved SaaS usage and blocks or warns about access based on a risk score. Integrated with IAM, it can provide single sign-on to approved services while preventing data uploads to unapproved ones, bringing both under unified management.

The Shadow IT Management Flow

1. Gain visibility into usage with CASB
2. Risk assessment and classification
3. Approve or provide an alternative tool
4. Apply policy and monitor
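The discovery and classification steps above (and the risk-score-driven blocking described in the CASB section) can be illustrated on a handful of proxy log lines. This is an added example, not code from the original article or from any CASB product: the log lines, the service catalogue, the hostnames and the risk threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed proxy log (not from any real environment): time user host bytes_out
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03 alice drive.google.com 48213
2024-05-01T09:13:44 bob projects.saas.example 1200
2024-05-01T09:15:10 alice sso.corp.example 310
2024-05-01T09:20:51 carol drive.google.com 9023000
2024-05-01T09:22:07 dave paste.share.example 71000
2024-05-01T09:25:33 bob projects.saas.example 5400
"""

# Constructed service catalogue standing in for a CASB's: approval status
# and a 0-10 risk score (higher is riskier). Hostnames are hypothetical.
SERVICE_CATALOG = {
    "sso.corp.example":      {"approved": True,  "risk": 1},
    "drive.google.com":      {"approved": False, "risk": 5},
    "projects.saas.example": {"approved": False, "risk": 4},
    "paste.share.example":   {"approved": False, "risk": 9},
}
UNKNOWN_SERVICE = {"approved": False, "risk": 7}  # assumed default for uncatalogued hosts
BLOCK_THRESHOLD = 8  # assumed: risk at or above this is blocked, below is queued for review

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (user, host, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def discover_shadow_it(log_text, catalog=SERVICE_CATALOG):
    """Steps 1-2 of the flow: find unapproved services, who uses them, how much
    data leaves to them, and the policy action the risk score implies."""
    users, bytes_out = {}, Counter()
    for user, host, size in parse_log(log_text):
        users.setdefault(host, set()).add(user)
        bytes_out[host] += size
    findings = {}
    for host, who in users.items():
        entry = catalog.get(host, UNKNOWN_SERVICE)
        if entry["approved"]:
            continue  # approved service reached via SSO/IAM; nothing to flag
        action = "block" if entry["risk"] >= BLOCK_THRESHOLD else "review"
        findings[host] = {"users": sorted(who), "bytes_out": bytes_out[host],
                          "risk": entry["risk"], "action": action}
    # Highest-risk, highest-volume services first, so the review queue starts with them
    return dict(sorted(findings.items(), key=lambda kv: (-kv[1]["risk"], -kv[1]["bytes_out"])))
```

The output is the input to step 3: each flagged service carries the users to contact and the volume of data already sent, which is what decides between fast-track approval and migration to an approved alternative.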

Shifting from a Ban to a Management Approach

An approach that uniformly bans shadow IT is not realistic. Even with a ban, employees simply find another means, and visibility actually drops further as activity goes underground. Advanced organizations shift their policy from "ban" to "manage" and put in place a process to quickly evaluate and approve the tools employees want to use. It is effective to actively adopt tools that meet security requirements as official, and to provide approved alternatives with equivalent functionality for tools that do not.

Shadow IT in Password Management

Password management is a classic breeding ground for shadow IT. When a company has not officially deployed a password manager, employees manage their credentials with the browser's save feature, a personally contracted password manager, or even a spreadsheet or notepad. Because these are outside the IT department's control, problems arise such as being unable to recover account information when an employee leaves, or a shared account's password being stored only on an individual's device. From the perspective of access control as well, deploying a unified password management foundation across the organization is essential. For details, see the article on shadow IT and password risks. Information security books on Amazon are also helpful for building your organization's security posture.

Real-World Use Cases

"After introducing a CASB, we discovered that more than 200 unapproved SaaS services were in use within the company. Customer data was stored in 30 of them, so we immediately migrated the data and closed the accounts. At the same time, we officially adopted the frequently used tools through a fast-track review, significantly reducing risk while maintaining employee convenience."

Security measures for remote work environments are explained in detail in the article on remote work security, and building a security foundation across the entire organization is covered in the startup security checklist.
