Shadow IT

Last updated January 27, 2024

In big organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, to bypass^[1] limitations and restrictions that have been imposed by central information systems.^[2] While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.^[3]

Origins

Information systems in large organizations can be a source of frustration for their users.^[2] In order to bypass limitations of solutions provided by a centralized IT department, as well as restrictions that are deemed detrimental to individual productivity, non-IT departments might develop independent IT resources and for the specific or urgent need or requirements.^[4] In some cases, IT specialists could be recruited or software solutions procured outside of the centralized IT department, sometimes without the knowledge, or approval of corporate governance channels.

Modern Shadow IT

Shadow IT has traditionally occurred through various sources of Hardware, such as employees bringing in USB drives or spinning up their own servers in offices. Recently Shadow IT has grown due to businesses adopting the cloud. The result has meant that more and more employees are signing up to Software-as-a-Service (SaaS) products to help them complete their jobs and be more productive. As a result, Shadow IT and SaaS Sprawl are now closely aligned and organisations can end up with 100s of SaaS applications that are not visible or centrally managed by the IT department.

Combatting Modern Shadow IT

There are several approaches that can be taken to mitigate the risks of Shadow IT. One of the main ways is to start creating a security culture and making employees responsible for their departments' tooling. In a distributed world the Heads of Departments are often responsible for managing data in SaaS applications as well as which employees have access to those systems. SaaS Security Posture Management is a modern cybersecurity category that aims to help businesses specifically address security risks associated with SaaS applications. Some focus on identifying sensitive data such as DLP, some are CASB focused, and others specifically address the risks of Shadow IT. The first step to tackling shadow IT is to identify the approved and unapproved applications being used throughout your business.^[5]

Benefits

Although often perceived as attempts to undermine corporate governance, the existence of shadow IT often is an indicator of needs from individual departments not being satisfied from a centrally managed information ecosystem. Thus the immediate benefits of shadow IT are as follows:

Innovation: Shadow IT could be seen as sandbox for potential or prototype solutions in response to evolution of changing business requirements. Also, alignment between departments can be avoided or enhanced dependent on the constraints within the broader business.
Individual productivity: Shadow solutions are customized to the needs of the individual departments and thus allows the individuals involve to be more effectively. A study^[6] confirms that 35% of employees feel they need to work around a security measure or protocol to work efficiently.
Reduced internal costs: Some shadow policies, such as BYOD, reduces direct hardware and software costs, while allowing localized support decreases overhead for IT departments.

Drawbacks

In addition information security risks, some of the implications of Shadow IT are:^[7]^[8]

Costs: Additional time and investment could incurred at a corporate level on additional integration and validation and compliance of discovered shadow IT infrastructures. On the other hand, department choosing the solutions with the lowest price-tag for their shadow solutions might not have considered costs for deployment and maintenance. This also results in diminished return on investment in case of insufficient buy-in.
Consistency: As shadowed technical solutions might beyond centralized version control, they might deviate from standardized methodologies or calculations. Multiple, coexisting shadow infrastructures also introduces a heavily fragmented application landscape. This also makes centralized configuration management more difficult.
Operating inefficiencies: Established shadow solutions might prevent overall implementation of more efficient processes due to widespread use or inadequate documentation. The shadow system might also be beyond the capacity of the centralized IT department for integration and maintenance, especially when it becomes "too big to fail".

Compliance

Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with various legislations, regulations or sets of best practices. These include, but are not limited to:

Sarbanes-Oxley Act (US)
Basel II (International Standards for Banking)
GLBA (Gramm-Leach-Bliley Act),^[9]
COBIT (Control Objectives for Information and related Technology)
FISMA (Federal Information Security Management Act of 2002)
DFARS (Defense Federal Acquisition Regulation Supplement)
GAAP (Generally Accepted Accounting Principles)
HIPAA (Health Insurance Portability and Accountability Act)
IFRS (International Financial Reporting Standards)
ITIL (Information Technology Infrastructure Library)
PCI DSS (Payment Card Industry Data Security Standard)
GDPR (General Data Protection Regulation),^[10]
CCPA (California Consumer Privacy Act)
NYDFS (New York Department of Financial Services) ^[11]

Prevalence

Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations are reluctant to voluntarily admit their existence. As a notable exception, The Boeing Company has published an experience report^[1] describing the alarming numbers of shadow applications which various departments have introduced to work around the limitations of their official information system.

According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget.^[12]

A 2012 French survey ^[13] of 129 IT managers revealed some examples of shadow IT :

Excel macro 19%
software 17%
cloud solutions 16%
ERP 12%
BI systems 9%
Websites 8%
hardware 6%
VoIP 5%
shadow IT support 5%
shadow IT project 3%
BYOD 3%.

Examples

Examples of these unofficial data flows include USB flash drives or other portable data storage devices, instant messaging software, Gmail or other online e-mail services, Google Docs or other online document sharing and Skype or other online VOIP software—and other less straightforward products: self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical location, or security domains.

Related Research Articles

The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is an act of the 106th United States Congress (1999–2001). It repealed part of the Glass–Steagall Act of 1933, removing barriers in the market among banking companies, securities companies, and insurance companies that prohibited any one institution from acting as any combination of an investment bank, a commercial bank, and an insurance company. With the passage of the Gramm–Leach–Bliley Act, commercial banks, investment banks, securities firms, and insurance companies were allowed to consolidate. Furthermore, it failed to give to the SEC or any other financial regulatory agency the authority to regulate large investment bank holding companies. The legislation was signed into law by President Bill Clinton.

Enterprise content management (ECM) extends the concept of content management by adding a timeline for each content item and, possibly, enforcing processes for its creation, approval, and distribution. Systems using ECM generally provide a secure repository for managed items, analog or digital. They also include one methods for importing content to bring manage new items, and several presentation methods to make items available for use. Although ECM content may be protected by digital rights management (DRM), it is not required. ECM is distinguished from general content management by its cognizance of the processes and procedures of the enterprise for which it is created.

Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as on-demand software, web-based software, or web-hosted software.

Shadow system is a term used in information services for any application relied upon for business processes that is not under the jurisdiction of a centralized information systems department. That is, the information systems department did not create it, was not aware of it, and does not support it.

Software asset management (SAM) is a business practice that involves managing and optimizing the purchase, deployment, maintenance, utilization, and disposal of software applications within an organization. According to ITIL, SAM is defined as “…all of the infrastructure and processes necessary for the effective management, control, and protection of the software assets…throughout all stages of their lifecycle.” Fundamentally intended to be part of an organization's information technology business strategy, the goals of SAM are to reduce information technology (IT) costs and limit business and legal risk related to the ownership and use of software, while maximizing IT responsiveness and end-user productivity. SAM is particularly important for large corporations regarding redistribution of licenses and managing legal risks associated with software ownership and expiration. SAM technologies track license expiration, thus allowing the company to function ethically and within software compliance regulations. This can be important for both eliminating legal costs associated with license agreement violations and as part of a company's reputation management strategy. Both are important forms of risk management and are critical for large corporations' long-term business strategies.

Expense management refers to the systems deployed by a business to process, pay, and audit employee-initiated expenses. These costs include, but are not limited to, expenses incurred for travel and entertainment. Expense management includes the policies and procedures that govern such spending, as well as the technologies and services utilized to process and analyze the data associated with it.

<span class="mw-page-title-main">On-premises software</span> Direct information article

On-premises software is installed and runs on computers on the premises of the person or organization using the software, rather than at a remote facility such as a server farm or cloud. On-premises software is sometimes referred to as "shrinkwrap" software, and off-premises software is commonly called "software as a service" ("SaaS") or "cloud computing".

Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers, and laptops. MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices. Though closely related to Enterprise Mobility Management and Unified Endpoint Management, MDM differs slightly from both: unlike MDM, EMM includes mobile information management, BYOD, mobile application management and mobile content management, whereas UEM provides device management for endpoints like desktops, printers, IoT devices, and wearables as well.

Accounting software is a computer program that maintains account books on computers, including recording transactions and account balances. It may depends on virtual thinking. Depending on the purpose, the software can manage budgets, perform accounting tasks for multiple currencies, perform payroll and customer relationship management, and prepare financial reporting. Work to have accounting functions be implemented on computers goes back to the earliest days of electronic data processing. Over time, accounting software has revolutionized from supporting basic accounting operations to performing real-time accounting and supporting financial processing and reporting. Cloud accounting software was first introduced in 2011, and it allowed the performance of all accounting functions through the internet.

Email archiving is the act of preserving and making searchable all email to/from an individual. Email archiving solutions capture email content either directly from the email application itself or during transport. The messages are typically then stored on magnetic disk storage and indexed to simplify future searches. In addition to simply accumulating email messages, these applications index and provide quick, searchable access to archived messages independent of the users of the system using a couple of different technical methods of implementation. The reasons a company may opt to implement an email archiving solution include protection of mission critical data, to meet retention and supervision requirements of applicable regulations, and for e-discovery purposes. It is predicted that the email archiving market will grow from nearly $2.1 billion in 2009 to over $5.1 billion in 2013.

Enterprise mobility management (EMM) is the set of people, processes and technology focused on managing mobile devices, wireless networks, and other mobile computing services in a business context. As more workers have bought smartphone and tablet computing devices and have sought support for using these devices in the workplace, EMM has become increasingly significant.

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle information whether it is physically or electronically created (ESI).

Digital mailroom is the automation of incoming mail processes. Using document scanning and document capture technologies, companies can digitise incoming mail and automate the classification and distribution of mail within the organization. Both paper and electronic mail (email) can be managed through the same process allowing companies to standardize their internal mail distribution procedures and adhere to company compliance policies.

Hewlett Packard Enterprise Networking is the Networking Products division of Hewlett Packard Enterprise. HPE Networking and its predecessor entities have developed and sold networking products since 1979. Currently, it offers networking and switching products for small and medium sized businesses through its wholly owned subsidiary Aruba Networks. Prior to 2015, the entity within HP which offered networking products was called HP Networking.

Mobile application management (MAM) describes the software and services responsible for provisioning and controlling access to internally developed and commercially available mobile apps used in business settings, on both company-provided and 'bring your own' mobile operating systems as used on smartphones and tablet computers.

Bring your own device —also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own personal computer (BYOPC)—refers to being allowed to use one's personally owned device, rather than being required to use an officially provided device.

Dell Software was a former division of Dell with headquarters in Round Rock, Texas, United States. Dell Software was created by merging various acquisitions by Dell Inc., the third-largest maker of PCs and now a privately held company, to build out its software offerings for data center and cloud management, information management, mobile workforce management, security and data protection for organizations of all sizes.

A mobile workspace is a user's portable working environment that gives them access to the applications, files and services they need to do their job no matter where they are.

Enterprise legal management (ELM) is a practice management strategy of corporate legal departments, insurance claims departments, and government legal and contract management departments.

<span class="mw-page-title-main">MaaS 360</span>

IBM MaaS360 is a SaaS Unified Endpoint Management (UEM) solution offered by IBM that manages and protects any existing endpoint including laptops, desktops, mobile devices and apps, wearables, IoT and purpose built devices and allow protected, low risk access to company resources. IBM Security MaaS360 with Watson integrates with current security platforms owned by different companies. It’s AI powered analytics removes friction by reducing actions required from the device user.

References

1 2 Handel, Mark J.; Poltrock, Steven (2011). "Working around official applications: experiences from a large engineering project". CSCW '11: Proceedings of the ACM 2011 conference on Computer supported cooperative work. pp. 309–312. doi:10.1145/1958824.1958870. S2CID 2038883.
1 2 Newell, Sue; Wagner, Eric; David, Gary (2006). Clumsy Information Systems: A Critical Review of Enterprise Systems. Agile Information Systems: Conceptualization, Construction, and Management. p. 163. ISBN 1136430482.
↑ Kopper, Andreas; Westner, Markus; Strahringer, Susanne (2020-06-01). "From Shadow IT to Business-managed IT: a qualitative comparative analysis to determine configurations for successful management of IT by business entities". Information Systems and e-Business Management. 18 (2): 209–257. doi: 10.1007/s10257-020-00472-6 . ISSN 1617-9854.
↑ Zarnekow, R; Brenner, W; Pilgram, U (2006). Integrated Information Management: Applying Successful Industrial Concepts in IT. ISBN 978-3540323068.
↑ What is Shadow IT and Why Should your Business Care | Available at https://www.joinploy.com/blog/what-is-shadow-it-and-why-should-your-business-care
↑ RSA,November 2007,The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk,available from (PDF), archived from the original (PDF) on February 11, 2012, retrieved September 15, 2017
↑ Myers, Noah and Starliper, Matthew W. and Summers, Scott L. and Wood, David A., The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making (March 8, 2016). Available at SSRN: http://ssrn.com/abstract=2334463 or https://dx.doi.org/10.2139/ssrn.2334463
↑ Fábián Tamás, Shadow IT in the New IT Management Triangle (2022). Available at https://doksi.net/en/news.php?order=ShowArticle&id=1909
↑ "Gramm-Leach-Bliley Act".
↑ "Under Construction".
↑ "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.
↑ "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.
↑ RESULTATS DE L’ENQUETE SUR LE PHENOMENE DU "SHADOW IT" par Thomas Chejfec : http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Handel-2010-1] 1 2 Handel, Mark J.; Poltrock, Steven (2011). "Working around official applications: experiences from a large engineering project". CSCW '11: Proceedings of the ACM 2011 conference on Computer supported cooperative work. pp. 309–312. doi:10.1145/1958824.1958870. S2CID 2038883.

[Newel-2006-2] 1 2 Newell, Sue; Wagner, Eric; David, Gary (2006). Clumsy Information Systems: A Critical Review of Enterprise Systems. Agile Information Systems: Conceptualization, Construction, and Management. p. 163. ISBN 1136430482.

[3] Kopper, Andreas; Westner, Markus; Strahringer, Susanne (2020-06-01). "From Shadow IT to Business-managed IT: a qualitative comparative analysis to determine configurations for successful management of IT by business entities". Information Systems and e-Business Management. 18 (2): 209–257. doi: 10.1007/s10257-020-00472-6 . ISSN 1617-9854.

[4] Zarnekow, R; Brenner, W; Pilgram, U (2006). Integrated Information Management: Applying Successful Industrial Concepts in IT. ISBN 978-3540323068.

[5] What is Shadow IT and Why Should your Business Care | Available at https://www.joinploy.com/blog/what-is-shadow-it-and-why-should-your-business-care

[6] RSA,November 2007,The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk,available from (PDF), archived from the original (PDF) on February 11, 2012, retrieved September 15, 2017

[7] Myers, Noah and Starliper, Matthew W. and Summers, Scott L. and Wood, David A., The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making (March 8, 2016). Available at SSRN: http://ssrn.com/abstract=2334463 or https://dx.doi.org/10.2139/ssrn.2334463

[8] Fábián Tamás, Shadow IT in the New IT Management Triangle (2022). Available at https://doksi.net/en/news.php?order=ShowArticle&id=1909

[9] "Gramm-Leach-Bliley Act".

[10] "Under Construction".

[11] "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.

[12] "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.

[13] RESULTATS DE L’ENQUETE SUR LE PHENOMENE DU "SHADOW IT" par Thomas Chejfec : http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]