A key tenet of data security is ensuring that you know where your data is being stored; data moving outside corporate control is the reason why Shadow IT is such a problem for security teams. Without being able to manage authentication and access to shadow applications, it’s likely that they’re being improperly protected and will undermine security.

Unfortunately for security teams, 41% of employees use professional applications without asking IT if it’s alright, with management-level employees almost twice as likely to do this. When you have top-down non-compliance, it makes the challenge of securing data much harder, and becomes a cultural issue that is difficult to correct.

Why is Shadow IT adopted?

Every department wants to adopt new technologies to improve operations and productivity to gain a competitive edge; unfortunately if all technology decisions need the nod from IT. particularly during digital transformation projects, there will inevitably be a bottleneck and some projects will be prioritized or delayed. For instance, deploying an Enterprise Resource Planning platform will likely trump marketing’s need for a social media scheduler. Delays can see business units take matters into their own hands and bypass the official IT procurement process.

Time dependencies can be key in the adoption of Shadow IT. For example, it’s the end of the quarter, a salesperson is about to send a proposal and the prospect asks if it can be sent via Dropbox, an unapproved service, does the salesperson contact IT and wait for a response or use Dropbox to appease the prospect? For a seemingly innocuous task, why wait? The perceived risk is minimal and it’s better to ask for forgiveness, right?

Another example is an HR Manager who has to prepare for several interviews the next day. It’s already late and he needs to get home to put the kids to bed so he decides to send candidate profiles to his personal email for the sake of simplicity. Although well intentioned, data is still being removed from the guard of corporate safety.

When we consider that Shadow IT spawns from wanting to be productive and access certain information efficiently, it’s clear that Shadow IT is partly an access problem.

Shadow IT and Access

Enabling employees to securely access the data they need wherever they are, whatever device they’re using underpins digital transformation, so much so that security and access strategies have had to evolve to accommodate modern business needs. The COVID-19 crisis has forced businesses to re-evaluate how the workforce accesses information, moving away from legacy technologies. If users are unable to access the information they need or suffer continual disconnects over VPN, it’ll inevitably lead to Shadow IT adoption.

Zero Trust Network Access (ZTNA) has been touted as the replacement model for traditional perimeter-based security and access, with Gartner predicting that by 2023, 60% of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of ZTNA.

Shadow IT undermines ZTNA. ZTNA projects will only be successful if it provides universal protection for an organization’s application infrastructure, not just known apps, without, there will continue to be gaps in security.

Under ZTNA, an organization’s application infrastructure benefits from a host of security and access technologies including Identity & Access Management (IAM), adaptive access controls and privilege management; shadow applications won’t as they aren’t integrated. As well as being advantageous for security, it also alleviates the productivity pains by optimizing connectivity and reducing the burden of re-authentication across multiple services. ZTNA can mitigate Shadow IT adoption by enabling users to be productive.

Companies need to adopt technologies that enable them to get visibility of Shadow IT across platforms and enforce policy across all form factors. While the development and communication of clear cloud governance is important, security teams can’t rely on the entire workforce being prudent or compliant, and an extra layer of protection is needed.