How to Discover and Rein in Shadow IT…and Satisfy Users

Written by Cortney Thompson on Wednesday, January 20th 2016 — Categories: Cloud Hosting, Security

The Cloud Security Alliance’s official definition of “shadow cloud” services is “cloud applications and services adopted by individual employees, teams, and business units with no formal involvement from the organization’s IT department.”

Because cloud is easy to buy and use without oversight, it can be adopted by single users or small groups to solve business problems without extensive effort.

Business teams will therefore adopt cloud without engaging with IT. Have you ever discovered employees keeping password lists in Google Docs? I know I have.

More than 70% of executives and IT managers said that they were unaware how many unauthorized cloud or shadow cloud apps and services their employees were using, according to CSA’s 2014 Cloud Adoption Practices and Priorities report.

While 72% of respondents said they would like to know the number of unauthorized cloud technologies their employees were using, only 8% of them actually knew.

Filling a suppressed business need

shadow IT is when users go around IT to get cloud or consumer servicesShadow IT often shows a suppressed demand for something users need to solve a business challenge. Listen to them and give them a better option.

This diagram just shows a typical provisioning process. The users want to share and collaborate on this folder.

They could pass it to IT, who needs to configure a solution, set it up in the data center or in the cloud, and make sure it is secure and tested, before it can be used.

But with shadow cloud, the users can quickly set up a solution themselves through Software as a Service or consumer hardware. Different departments can pay for this out of their own budget without involving accounting or IT.

77% of businesses were home to shadow cloud deployments, 40% of these deployments resulted in the exposure of confidential data, according to a 2013 study by Symantec.

Security & compliance problems with Shadow Cloud

The cloud service provider may or may not apply the identity management, access control, or back-up practices required to protect data, potentially exposing it to unauthorized access and compliance violations.

employee security and cloud sprawl are problems

The biggest cloud security risk of shadow IT is the employee.

The services themselves are often secure and regularly monitored, much like any custom cloud deployment or in-house IT. The employee practices poor password management, or stays logged in at a public place, or is sniffed out on insecure wifi, or their device gets stolen. You get the picture. Sensitive data is then exposed.

Ultimately shadow IT leads to:

Forgetting to turn off shadow systems can also cause security problems as these virtual machines are rarely patched, making them vulnerable to new security threats and hacker exploits.

Example: Users deploy public instances and give them public IPs out of convenience. These soon to be forgotten assets are outside the company firewall but able to connect behind the firewall.

Compliance challenges with shadow IT include:

How to Discover Shadow Cloud

Some vendors offer cloud discovery services or software, including Skyfence, Azure App Discovery, CipherCloud, and NetSkope. But there are other technical approaches to sniff out shadow cloud and IT services yourself, including:

You can set up an automated process with any combination of these tools to alert admins about new cloud usage as soon as it's discovered. However, there might be areas where visibility is limited.

Mobile throws a wrench into alerts as the SaaS application does not travel through the enterprise network.

Non-technical ways to find shadow cloud:

So what now? Mitigate, Educate, and Execute

don't just remove shadow cloud - replace itOK, so you found some shadow services. What do you do about them? Work with and educate users about security policies rather than simply shutting down shadow IT deployments.

You can’t remove the service without a viable replacement. Employees will be frustrated and you will eliminate any efficiencies. However, the security risk may necessitate shutdown of some services.

Bundling new services into existing vendor contracts can save money. If savvy business users know that going through the IT department will ultimately save the company money, they might make the effort.

Ultimately you must offer solutions that are secure and monitored by IT, but easy to use.

Identify vital business data first. A small portion, maybe 1/5, of your data is sensitive, mandated by compliance, etc (unless you are in a strict compliance mandated industry like healthcare or finance). That 20% of your data holds the majority of the security risk.

Set up a data classification process for what needs to be retained where. Based on this classification, create a clear policy for cloud services and approval.

Once you have documentation and a process in place, hold regular training sessions and continue to ask employees about their needs. Stress the importance of security.

Document sharing and collaboration, mobile access, e-mail, even industry-specific applications can all be run in your own cloud. After polling users, develop these platforms around your current technology.

Increasingly, there are industry-specific cloud services and applications that can be installed in your existing virtual environment or data center.

Some vendors are developing single sign-on and identity management systems for SaaS applications, including OneLogin, Ping Identity, and Oracle Identity Management.

Use a questionnaire for vendors to ensure clear guidelines around data ownership, data tracking, backup and recovery, appropriate logical access controls, and evidence of compliance and certification.

Ultimately this will make everyone in your organization more comfortable in the cloud, lead to tighter integration between disparate IT systems, and improve productivity.


While this is a time consuming process, remember that Shadow IT is not necessarily the enemy, but rather an opportunity for you to discover business needs and empower employees via technology.

Cortney Thompson, Green House Data CTO

Posted by:
Green House Data CTO Cortney Thompson