Whilst no one saw COVID-19 in the tea leaves, remote access has been essential for productivity over the last year. Businesses are shifting to hybrid work environments, and demand for technology to facilitate this is higher than ever. However, the surge in adoption of cloud services for survival was merely an acceleration: amid the pandemic, organizations deployed SaaS solutions rapidly rather than as a longer, strategic rollout. These hasty deployments made it hard to balance user experience and security, and both areas ended up overlooked. In turn, this has been a big driver of Shadow IT projects, as employees will use their own means of technology for projects ‘just to get the job done’.

When users tire of poor user experience, they resort to using unsanctioned apps just to ‘get the job done.’ For security, this creates a lot of concerns. For example, with Shadow IT, your company data moves out of the well-managed, safe environment with proper security controls in place and beyond the purview of IT.

Organizations’ security strategies are changing from the perimeter-oriented castle-and-moat approach to an identity- and application-centric model. Workers and applications have now moved outside the traditional boundaries: users are at home and applications are in the cloud. Businesses must now provide users with connectivity to these applications while maintaining security policies. Doing so requires a holistic approach, incorporating trust and user experience.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their remote access Virtual Private Networks (VPNs) in favor of Zero Trust Network Access (ZTNA). In a modern infrastructure, VPN isn’t a suitable technology for securing applications both in the cloud and on-premises, because of the time taken to route the traffic to the data center and then split it out to the cloud service. ZTNA also gives security teams the additional capability to detect and mitigate Shadow IT, so we’ll take a closer look at how this can be achieved in this article.

Why are workers resorting to Shadow IT?

Like with any technology, teething issues are to be expected. With cloud services, this can be due to a lack of balance between user experience and connection performance, security, or company policy.

Poor user experience

This can happen for a number of reasons. Firstly, organizations may have introduced a VPN to enable remote work. The problem here is that traffic is directed through an encrypted tunnel to the data center, which causes hairpins and latency. As consumers, we get frustrated when web pages or applications don’t load instantly, and as a knock-on effect this affects our employee experience. Employees want a seamless interaction; they don’t want to have to jump through hoops or reauthenticate several times a day, they just want to do their jobs uninterrupted. For instance, if they experience frustrations with MFA, they may turn to storing and saving data in Google Docs or on their personal device.

Company policy

End users sometimes view IT as blockers, so they take matters into their own hands and deploy an app anyway. If someone in Marketing wants to adopt a new service like Asana for project management, but the internal process of getting an app sanctioned or even approved is slow or unlikely to succeed, they might subscribe to it anyway to get the job done. The issue here is that the app spreads through the marketing team, and you suddenly have 10 users on a shadow app with corporate data. A remedy for IT is to start building a relationship with the rest of the workforce, showing that IT isn’t a blocker, is open to new technology requests, and can amend policies to improve user experience.

Why is Shadow IT a security risk?

Lack of visibility

IT admins can’t secure assets they’re not aware of. As a result, those assets can’t be integrated into security and access processes, and they run the risk of relying on basic security mechanisms that are ill-equipped to handle the threats of the internet. With everyone working remotely, you can’t see when users are resorting to Shadow IT applications in the same way you could in the office.


If your users have adopted cloud services to stay productive, they aren’t thinking about crucial security and compliance considerations. For instance, are their communications being encrypted correctly, or at all? Is the service correctly licensed? Will the data be securely stored and shared? These checks might seem mundane to the user, but skipping them may make the business liable to GDPR fines or compliance sanctions.

Lifecycle management

When a user, contractor, or partner leaves the organization, the organization needs to remove their access to line-of-business applications where sensitive information is stored. Although you might think sensitive data is safely stored in your enterprise Google Drive, it could be sitting in someone’s personal cloud storage account, creating information security and GDPR risks if the wrong person were to gain access.

Access control

Is the person using the device who they say they are? Without the correct authentication and authorization measures, you lack data security. Poorly implemented or maintained access controls have the propensity to lead to disastrous outcomes. The Equifax breach is a high-profile example: highly sensitive customer data was leaked through a public-facing web server operating with a software vulnerability, and a lack of proper access controls was a key component.

Password management

For your cloud services and devices, you may have SSO or MFA in place, but how are you going to secure apps you don’t know exist? According to Verizon, 80% of data and privacy breaches are due to poor password practices. Credential theft becomes a vulnerability here through social engineering attacks like phishing; over the last year, hackers preyed on victims using the pandemic as a way to lure them in. Security Boulevard reported that phishing increased 42% in 2020 over 2019. By mid-2020, the number of daily phishing threats topped 25,000 a day, a 30% increase over 2019 figures.

Detecting data breaches and risk assessment

Shadow IT occurs under the radar of IT, so there is no one to monitor access logs or look for anomalous behavior which may indicate a data breach. This means you could have security threats you aren’t aware of.

How to detect and mitigate Shadow IT


Microsoft recommends this Shadow IT Discovery Lifecycle model, and this is how we would approach it.

Phase 1 – Monitoring and Analytics

You should start by painting a detailed picture of how employees use the cloud. What apps do they use? Where are they storing and saving their data? Who are your power users? Do you have any risky apps? These are all essential insights to help develop a cloud security strategy tailored to your organization. Adopting a gateway service can help capture where resources are being accessed, allowing admins to gain full transparency of unsanctioned cloud services in use.

Once you know what apps are in your environment, you can monitor user activity and enforce custom policies based on your security requirements. Ideally you’d adopt a solution that can help you manage this, for instance if you wanted to add restrictions to specific data types or outline what resources certain user groups can access. Not only does this protect against data loss, but it also adds another layer of protection in the event of an account takeover attack, as the attacker’s ability to move laterally would be limited.

Phase 2 – Evaluate and Analyze

After identifying what Shadow applications are being utilized, you should assess whether these are compliant in your organization in terms of GDPR or industry-relevant standards. For example, if someone in sales is storing customer data in their Notes on their iPhone, this technically isn’t protected and would be non-compliant. Similarly, if they were sharing contract information via WhatsApp this would create similar issues where data isn’t accounted for.

You also want to analyze your user behavior; this is essential for highlighting anomalies and potential risks. If a user is based in the US but has accessed a company resource from Nigeria, this type of impossible travel is a major indicator that there is a security flaw present on a device or application.
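As an added illustration of Phases 1 and 2 (not code from the original article or from Wandera’s product), the following script runs over a few constructed gateway log lines: it lists hosts outside an assumed allow-list of sanctioned SaaS apps and the users reaching them, and flags the impossible-travel case described above by computing the speed implied by consecutive accesses from different locations. The log format, allow-list and speed threshold are all assumptions for the example.

```python
# Added illustration of Phases 1 and 2 over constructed gateway log lines; not Wandera's code.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SANCTIONED = {"outlook.office365.com", "drive.google.com"}  # assumed allow-list

# Constructed sample log: timestamp,user,country,latitude,longitude,host,outcome
LOG = """\
2021-03-01T09:00:00Z,alice,US,40.71,-74.01,drive.google.com,ok
2021-03-01T09:05:00Z,alice,US,40.71,-74.01,app.asana.com,ok
2021-03-01T09:07:00Z,bob,US,37.77,-122.42,app.asana.com,ok
2021-03-01T10:30:00Z,alice,NG,6.52,3.38,outlook.office365.com,ok
2021-03-01T11:00:00Z,carol,GB,51.51,-0.13,web.whatsapp.com,ok
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, user, cc, lat, lon, host, outcome = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "cc": cc, "lat": float(lat), "lon": float(lon),
                       "host": host, "outcome": outcome})
    return events

def unsanctioned_apps(events, sanctioned=SANCTIONED):
    """Phase 1: map each host outside the allow-list to the users accessing it."""
    seen = {}
    for e in events:
        if e["host"] not in sanctioned:
            seen.setdefault(e["host"], set()).add(e["user"])
    return seen

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=1000):
    """Phase 2: flag consecutive accesses by one user whose implied speed exceeds max_kmh."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(e["user"])
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = km_between((prev["lat"], prev["lon"]), (e["lat"], e["lon"]))
            if hours > 0 and km / hours > max_kmh:  # faster than any airliner: flag it
                hits.append((e["user"], prev["cc"], e["cc"], round(km / hours)))
        last[e["user"]] = e
    return hits
```

In the sample, Asana and WhatsApp surface as shadow apps, and alice’s jump from the US to Nigeria in under 90 minutes is flagged with an implied speed of several thousand km/h.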

Phase 3 – Management and Monitoring

At this stage, you want to manage your cloud apps and start enforcing governance. You might want to introduce MFA to your most sensitive data such as your OneDrive, and SSO on less risky SaaS apps like Google Analytics. You may also want to consider blocking unsanctioned apps, websites, or technologies from your environment if you’re risk-averse.

Lastly, you should engage in continuous monitoring of your environment. Employing a tool that can conduct deeper analysis into app health and risk level will help with your sanctioning efforts. You’ll also want a solution that identifies risks with on-event alerting and notifications: say, for example, you have repeated failed logins in a particular department; you can then investigate and remediate this promptly if it’s an attempted data breach.

Find out more about Wandera’s Zero Trust solution or speak to one of our experts here to see how we can help.