Shadow IT: A Security Policy and Governance Perspective

Shadow IT, sometimes called “rogue IT” or “stealth IT,” is the purchase or development of technology services outside the control or oversight of a company’s IT department. It may occur because a business unit believes it has unique needs not met by the company’s standardized computing services, or wants a quicker implementation than it would get from the IT department.[1] The practice pits the IT department, which is charged with securing and controlling IT resources, against employees outside the IT department, who fulfill their needs by creating shadow IT systems.[2] These systems include, but are not limited to, unsanctioned business productivity software (e.g., word processing and spreadsheets), social media (Facebook and LinkedIn), document sharing applications (Dropbox and Google Docs), databases developed outside IT (Access databases), and other cloud-based applications (e.g., SaaS). This only scratches the surface, as more and more cloud-based applications are being developed. According to research conducted by Netskope in March 2014, enterprises have an average of 461 cloud applications in use, and 85% of those applications are not enterprise-ready.[3] These tools are used for business purposes without the input or knowledge of IT, resulting in an increasing flow of unapproved, untested, and uncontrolled applications that process and store corporate data both within and beyond the reach of the organization.

Shadow IT is not a new phenomenon; it was discussed in the technology media as early as 1993.[2] The volume and velocity of applications and cloud solutions, not to mention their low (often zero) cost, are multiplying rapidly, creating an IT snowball effect.[4] However, it has come into its own in the past few years as an information security and IT governance matter. The consumerization of IT, along with BYOD policies and SaaS offerings, is closing the gap with on-premises solutions in terms of functionality and cost, but has jeopardized the centralized control of IT departments and created many new vulnerabilities.[5] The potential consequences are both positive and negative, although in the long term there are more risks than benefits.

How will the IT department, and the company as a whole, take control of the growing problems brought on by shadow IT? According to studies, one of the main reasons for the growth of this phenomenon is the lack of clear guidance from the IT department, which also suffers from negative perceptions within its organization. My next posts will look at how organizations can mitigate the risks posed by shadow IT, with emphasis on security policies and governance, and on how to develop, implement, and communicate policies that help mitigate the adverse effects of shadow IT.


[1] Shedding Light on Shadow IT. Boston, MA: CFO LLC, 2013. Print.

[2] Myers, Noah, Matthew Starliper, Scott L. Summers, and David A. Wood. “Shadow IT and Data Credibility: The Impact of Shadow Systems in an ERP Environment.” (n.d.): n. pag. Web. 2 Feb. 2014.

[3] Netskope Cloud Report. Rep. N.p.: Netskope, 2014. Print.

[4] Hegerberg, Grant. “FIVE Network Security Management Requirements for Controlling BYOD and Shadow IT.” Web log post. N.p., n.d. Web. 20 July 2014.

[5] “Assessing the Impact of Shadow IT.” Web log post. Trend Micro, 1 Jan. 2013. Web. 22 July 2014.
