Shadow IT can be a controversial topic for CIOs, and with McAfee estimating that unauthorised cloud usage is at least ten times higher of that known to IT departments, it’s not difficult to see why. The lack of oversight, which results in the inability to enforce security policies and technologies, has earned Shadow IT its reputation in the eyes of many cyber security and IT professionals.
Businesses who have invested time and effort in security policies, or in technology itself such as Multi-Factor Authentication, can find these ineffective due to Shadow IT. Organisations also risk potential data loss when corporate data is processed on unauthorised, potentially insecure applications. Even if the application itself does not suffer a security breach, data can still be at risk where it is processed, unknown to the organisation, by employees who go on to leave the business. This lack of visibility can also cause challenges around reporting and auditing, potentially exposing the business to regulatory and compliance risk.
However, notwithstanding the risk from the practice of Shadow IT, there can be business advantages from it, in the form of innovation, productivity and organisational efficiency.
Shadow IT is increasingly being seen as a potential positive for enterprises. A study from Entrust Datacard found that 77% of IT professionals surveyed believed their organisation could get an advantage from embracing Shadow IT solutions, with 97% stating that employees were more productive when granted more freedom over selecting preferred technologies.
Shadow IT is typically employed with good intentions, after all - employees turn to new applications to solve problems, improve productivity, and drive innovation. If the associated risks can be removed, Shadow IT can provide businesses with the flexibility they require to succeed in highly competitive industries. New, useful applications can be discovered and adopted by organisations using a bottom-up approach rather than always being reliant on, and imposed via, a top-down method. This also allows managers to gain insight into how their employees would like to work, as well as finding new solutions to complex problems.
Ultimately though, in order to receive the benefits from Shadow IT, the concomitant risks need to be mitigated. Here is how Identity and Access Management can enable CIOs to overcome those risks, and leverage the potential business benefits present within Shadow IT.
By adopting a robust IAM solution, businesses can secure themselves against the associated risks of Shadow IT and enable their staff to achieve the flexibility and productivity that allows them to excel in their roles. Here are some of the biggest challenges presented by Shadow IT, and how IAM can overcome them.
By far the biggest issue with Shadow IT is the cyber security risk it creates. With the average enterprise using 277 different cloud applications, employees will frequently turn to insecure practices such as reusing and writing down passwords to accommodate the sheer number of apps in use. Without centralised visibility and control over these apps, security policies and technologies cannot be enforced upon on them, leaving gaps in an organisations defences and greatly increasing the risk of a data breach.
With the visibility of application usage granted by an IAM solution, IT departments gain centralised control. This enables the enforcement of security policies and technologies that protect against data breaches, such as Multi-Factor Authentication and Single Sign-On.
By centralising control and visibility over the applications in use, the business has a clear picture of where its corporate data is being stored and processed, and can take action to ensure that potentially insecure apps, or practices, are not being used. Employees using Shadow IT can also cause data losses when leaving the organisation, either when the data is simply lost due to a lack of awareness from management of the applications used to store it, or the employee deliberately retaining access. An IAM solution can not only ensure the right employee has the right access to the right data, but should that employee leave, their access can be automatically revoked.
Even where applications are being used to process data in a secure manner, a lack of visibility and controls at the point of use can lead to compliance obligation breaches. With the added visibility and user logs, actions and data can easily be controlled, tracked and reported on regardless of the application used, allowing for comprehensive reports to be produced which can satisfy regulatory criteria.
Shadow IT can potentially result in two different applications being used to complete the same task, resulting in either a duplication of efforts, or even worse, multiple sources of truth if the end result differs. The centralised governance provided by an IAM solutions enables organisations to mitigate these risks and ensure there is a single source of truth for business-critical data and no duplication of application resources.
An IAM solution that provides centralised control and governance can eliminate the risks posed by unmanaged applications and turn Shadow IT from a weakness to a strength. With the cyber security risks mitigated, the business can benefit from employee innovation and a more flexible approach to technological solutions, empowering its workforce to use the most effective tools for the job. A comprehensive IAM solution can empower CIOs, aiding the shift from the seemingly perpetual, but required, denial of access to new applications to allowing the business to embrace new, innovative solutions – going from ‘no’ to ‘know’, and driving productivity and flexibility in the organisation in addition to improving its security posture.
Find out more about Identity and Access Management and how it can protect your organisation