How to find and secure shadow IT

In the first post in this series, we identified four key considerations to securing hybrid workforces: identity, shadow IT and bring-your-own-device (BYOD), security adoption, and security costs.

Today, let’s talk about shadow IT.

In a hybrid world, not only do we work from everywhere, we use a huge number of apps – 130 at the average organization – to get work done. Some apps are sanctioned by the IT/Security team. Many are not.

Those apps not managed by IT/Security are, by definition, a blind spot. And because you can’t secure what you can’t see, those unmanaged apps are known as shadow IT.

What is shadow IT?

Shadow IT is all the apps we use to get things done that haven’t been explicitly approved – and therefore secured – by IT. It’s usually cloud-based apps, or software-as-a-service (SaaS), which means the data (often sensitive data) we’re storing on them is stored on someone else’s server. It’s the Google Sheet you spin up to keep track of expenses for a project, the Microsoft Word file Legal uses to draft a document, the Dropbox folder someone is using to share files with partners or clients.

If IT doesn’t know about it, it’s shadow IT.

By some estimates, shadow IT comprises as much as 50 percent of the apps we use to get work done. And those apps – those cloud services – are being accessed from airports and coffee shops, from employees' homes and on their commute, from their phones and tablets and personal laptops.

That’s the new perimeter businesses are tasked with defending. And that’s why, in the world of hybrid work, securing that perimeter starts with securing identities – i.e verifying that the people accessing those apps are indeed who they say they are.

The benefits of shadow IT

Historically, shadow IT has been something to be feared and fought. It’s an unsanctioned box or server sitting under someone’s desk. But shadow IT is what we use to get things done – and a growing number of CIOs and CISOs see it as an opportunity.

We use shadow IT because we bump up against a limitation in the suite of approved/managed apps at our disposal. Getting things done, after all, is why we work. For that reason, sometimes shadow IT boosts productivity. Sometimes it’s the difference between whether employees complete a task or not.

Of course, there are security risks. But there are also ways to mitigate them. Embracing shadow IT requires a mindset – and a toolset – shift.

The risks of shadow IT

70% of data breaches involved an identity element, which can be as simple as a stolen password. Forrester expects that number to grow to 90% in 2024.

Here’s a simplified version of what’s happening: Sam in Sales needs to share a file with a prospect. There’s no great way to do that with any of the apps sanctioned by IT, so they create an account on a file-sharing service, upload a couple of files, and send the link to the prospect.

Mission accomplished, from a business standpoint. But when Sam signed up for the file-sharing account, they created it with a relatively weak password to do so. It’s also one they’ve used before for other services, because it’s easy for them to remember.

Now that login is vulnerable, because the password protecting it isn’t strong, random, or unique. And Sam uploaded company data to the service, so if attackers stole the password, they could also use it to access other services Sam uses. Now the company is at risk – and IT has no idea.

This kind of thing happens all the time: 1Password research found that 63.5% of respondents had created an account their IT department didn’t know about in the previous 12 months. Gartner estimated that one-third of successful cyberattacks will be on data stored in shadow IT infrastructure. And that was a few years ago. The risk of shadow IT has grown since.

Evolving IT beyond the Department of No

In a perfect world, Sam could have gone to IT and explained what he was trying to accomplish. IT would then provide Sam with a tool to get it done.

But IT’s job in a pre-hybrid world was to secure a well-defined perimeter – often one that they themselves had built. Which is to say the default answer to Sam’s query is, historically, a resounding “No.” If IT can’t secure it, employees can’t use it. (In some cases, especially in large organizations with sufficient resources, IT can sometimes build the application themselves.)

But the role of IT is evolving. Many IT departments are beginning to understand their role as an enabler of the business, rather than being an obstacle to productivity. IT directors are making a deliberate effort to understand the goals of the business, and to leverage the technology available to them to help the business accomplish those goals.

To do that, they need new tools, particularly in their identity and access management (IAM) stack. Tools that will secure every access attempt, regardless of whether access originates on a cell phone in a coffee shop or on a company laptop in the office. Or for a sanctioned app or a non-sanctioned app.

The role of single sign-on

Single sign-on, or SSO, plays a crucial role in the IAM stack. Without it, employees sign up for services, log in to them on their own, and manage all those logins themselves.

With SSO, employees log in to their SSO provider instead. When they do, they see a list of all the services IT has already vetted and approved. They select the service they want to sign in to, and the SSO provider signs them in using a single, strongly vetted identity.

With SSO, then, employees only need to manage a single login: their SSO provider credentials. It’s much easier than managing a ton of credentials, and IT teams get the oversight they need to secure access to those applications.

But SSO doesn’t cover every login – only those IT has vetted and approved. Shadow IT is, by definition, not vetted or approved. So SSO doesn’t help secure shadow IT.

This is where the enterprise password manager (EPM) comes in. EPMs can secure every single set of credentials, first by creating strong, unique, random passwords – or better yet, passkeys – for each login. The EPM can then autofill those credentials, effectively signing in for employees so they don’t have to. Because the EPM both generates and autofills credentials, employees don’t have to remember their passwords, let alone manage them all.

This is how, when the EPM and SSO work together, you fill the holes in your sign-on security model. SSO protects managed applications, and the EPM protects virtually everything else.

That combination mitigates the security risk of shadow IT – not only by protecting each login with stronger, randomly-generated credentials, but by making those logins visible to IT, subject to company security policies, and included in audits. That means that if IT chooses to implement, say, a minimum password length, the EPM can enforce that requirement by automatically generating compliant passwords – and only compliant passwords – when employees sign up for any particular service.

Those policies can be further unified with SSO integration provided by the EPM, meaning the same set of IT policies can apply to services governed by SSO and those managed by the EPM.

This is how IT supports business goals and productivity, rather than inhibiting those goals.

The relationship between security and productivity

But there is a catch: In order to secure shadow IT, strengthen your security posture, and enable productivity, the EPM, like any cybersecurity tool, has to be widely used. And in order to be used, it has to provide a good experience to the worker. If it doesn’t, we’re back to square one: Workers will simply skirt the intended workflow to get things done, and IT will remain in the dark.

Good UX, then, is a boon to security, increasing adoption to help you secure your hybrid workforce without slowing them down. We’ll explore the relationship of productivity and security – along with getting a handle on security costs – in the next post.

Rob Boone

Content Marketing Manager