With Perfect Processes, How Does Shadow IT Happen?
This post originally appeared on the Snow Software blog. Snow Software has been acquired by Flexera.

Shadow IT. It’s a phrase that sends shivers down the spine of any IT leader. It speaks to unknown threats and vulnerabilities with no easy solutions or pathways to mitigation. And while it has expanded recently with the rise of software-as-a-service (SaaS) purchasing, it’s not a new phenomenon.

IT leaders have employed any number of processes and controls to combat shadow IT and impose order, but it seems to be a losing battle for most businesses. Why? Why does shadow IT persist despite the best efforts of organizations to eliminate it? The answer most often lies in the good intentions of high-performing employees just looking to do their jobs as efficiently as possible. 

The go-getter

Often the most successful employees are those predisposed to action. They can go from idea to execution in the blink of an eye, and the last thing they want is some pesky IT roadblock standing in their way. 

Thanks to SaaS delivery, the only thing required to get up and running with new software is an internet connection and a credit card, and even the credit card isn’t necessary when dealing with free or trial software. The go-getter knows that doing his/her primary job effectively is more important than always following the rules – better to ask for forgiveness than permission. 

The result is something between controlled chaos and the Wild West – dozens, if not hundreds, of SaaS applications running in an organization’s environment. IT is unaware of these apps, along with the waste and redundancy, security/regulatory threats, and data loss that typically accompany shadow IT.

Waste and redundancy

When purchasing is decentralized and taking place in silos, waste is almost unavoidable. Typical problems include:

  • An unassigned or unused license purchased by one division can’t be transferred elsewhere in the organization if no one outside of the division knows of its existence. 
  • Multiple divisions individually purchasing the same software miss out on possible discounting and other negotiating leverage that come with volume.
  • Managers come and go, and they may leave behind software that auto-renews when it’s no longer in use by anyone on the team.

Siloed purchasing doesn’t only result in waste. Redundancy is a factor as well. Having multiple tools that address the same use case – file-sharing, instant messaging, project management, etc. – is inefficient for purchasing and results in unnecessary support costs.

In an environment where every dollar counts, this type of waste is something any IT leader is eager to avoid.

Security and regulatory threats

All shadow IT represents a security threat in some form. Software that is unknown to IT presents security risks because it is:

  • Not accessed via your SSO platform, so it is exposed to the threats that come with weak and commonly used passwords
  • Not configured by IT, so misconfigurations open up attack vectors
  • Not vetted by IT, so it’s unlikely anyone has reviewed the security protocols and precautions employed by the software vendor
  • Not subject to standardized offboarding procedures, so (1) ex-employees can retain access to company data via the apps they once used, (2) the service can continue to run, and (3) data can continue to leave the organization without any oversight

Similarly, it’s unlikely anyone has reviewed the data handling and data storage procedures of these vendors. This increases the risk that you’ll run afoul of regulations such as GDPR and HIPAA when dealing with customer information. 

Data loss

Employees share all sorts of data with the apps they use, but who owns that data once it’s sitting on a SaaS vendor’s servers? What happens to the data when you are no longer a paying customer? These are questions you can’t possibly answer for apps you’re not even aware are in use in your environment.

Additionally, just as faulty data handling and data storage practices, or lack thereof, can lead to the security threats described above, they can also lead to data loss. There are few assets you have that are more valuable than your data, so it’s critical to be fully aware of how it’s handled, how it’s stored, who owns it and how you get it back once you part ways with the vendor.

How to bring order to chaos

Preventing shadow IT by layering more and more processes and controls on employees is bound to cause dissatisfaction internally and is unlikely to fully address the problem. After all, the more roadblocks you erect, the greater the incentive for the go-getter to find a workaround. 

A better path is to couple reasonable purchase procedures with comprehensive visibility of everything running in your environment. That’s where we come in. Reach out to us now to get started.