Shadow IT

by James G. Barr

Docid: 00021036

Publication Date: 2108

Report Type: TUTORIAL


A relatively recent phenomenon, Shadow IT refers to employees’
unauthorized use of third-party software and services, including such
popular cloud apps as Dropbox. Shadow IT operations often compromise
enterprise IT management, especially security management.

Executive Summary

A relatively recent phenomenon, Shadow IT refers to employees’
unauthorized use of third-party software and services, including such
popular cloud apps as Dropbox.

Inspired, at least in part, by the success of the “bring your own device”
(BYOD) movement, employees today feel empowered to download their own
applications, bypassing the enterprise IT and security departments in
their pursuit of personal productivity.

Unfortunately, such renegade behavior, which some charitably call the
“democratization” of IT,[1] makes it difficult, if not impossible, for
enterprise officials to exercise control over their IT infrastructure.
Emblematic of the dilemma, unsanctioned software can:

  • Exist in multiple versions simultaneously, with one Shadow IT
    practitioner invoking one software release and a second practitioner a
    second, different release.
  • Contaminate enterprise devices and networks via viruses and other
    malware.
  • Conflict with enterprise-approved software, creating interoperability
    problems.
  • Result in the loss of enterprise data due to inadequate systems
    management functionality, such as no data encryption or no backup and
    recovery.
  • Violate relevant security and privacy regulations, such as HIPAA, which
    helps guarantee the confidentiality of patients’ medical data.

Is the Problem Real?

Yes! As reported by analyst Scott Julio:

  • 80 percent of workers admit to using software-as-a-service (SaaS)
    applications at work without IT approval.
  • 35 percent of employees say they need to work around their company’s
    security policy to get their job done.
  • Worse still, roughly 21 percent of organizations do not have a policy
    around the use of new technology.
  • A recent study from EMC suggests that data loss and downtime cost a
    total of $1.7 trillion each year due to shadow IT security breaches.[2]

What’s the Solution?

For enterprise officials intent on mitigating the impact of Shadow IT,
and regaining control of their IT environment, several options present.
Among them:

  • Prohibiting employee use of unauthorized applications
    – probably problematic in light of the enterprise experience with BYOD.
  • Supporting employee-preferred applications – taking
    Shadow systems out of the Shadows and conferring full enterprise
    support.
  • Enlisting Shadow IT users as “citizen developers” – a
    concept advanced by analyst James Quigley in which “non-IT [specialists
    are] empowered to quickly and easily build and deploy solutions …
    without IT department support.”[3] In one possible scenario,
    citizen developers would work with the same autonomy as Shadow IT users,
    but the IT department would be cognizant of their efforts, and raise the
    appropriate “red flags” if any proposed solution threatened the
    stability of enterprise information systems.

Crucially, analyst Anudeep Parhar asserts that “It’s time for the C-suite
to step in and convey the seriousness of the problem, and help employees
understand how failing to follow protocols can impact the long-term growth
of [the] business.”[4]


What Is Shadow IT?

Shadow IT refers to employees’ unauthorized use of third-party, usually
cloud, software and services. As with the bring your own device (BYOD)
movement, the danger derives from the fact that Shadow IT applications are
not only unsupported by enterprise IT, but their existence, in many
instances, is unknown.

Shadow IT operations violate, in a fundamental fashion, foundational IT
governance disciplines such as configuration management and change
management – which require knowing precisely which information systems and
applications constitute the official enterprise software environment.

Examples of Shadow IT

Shadow IT encompasses a wide variety of software and hardware, such as:

  • Messaging apps (Snapchat, WhatsApp, etc.) used on enterprise-owned
    devices.
  • Personal devices (smartphones, laptops, etc.) connected to enterprise
    networks.
  • Cloud storage (Dropbox, Google Drive, etc.).
  • Workplace efficiency apps (Trello, Airtable, etc.).[5]

What’s Driving Shadow IT?

Why would enterprise employees install and use non-enterprise-approved
software at work? As analyst Daniel Davis speculates, “They might do so
for several reasons:

  • “Perhaps they aren’t satisfied with their company-approved options, or
    they aren’t even aware there are such options.
  • “Maybe the company doesn’t actually have a sanctioned solution for a
    specific task.
  • “Or maybe the employee just likes the app they’re used to.”[6]

Whatever the rationale, employees no longer feel constrained to use
enterprise-endorsed applications. Reinforcing this attitude, enterprise IT
normally assigns a low priority to applications that serve employees
(versus those that serve customers). As analyst James Quigley explains,
“the IT department logically arranges requests by how significantly they
impact their bottom line, or by whichever metric matters most to the
business at that specific moment. The ‘winners’ tend to be technology
projects that boost sales or improve the customer experience. Less
fortunate are more internally facing requests, such as a solution to
streamline logistics. The outcome of this process is that priority
requests are completed, while the majority of others languish unfulfilled
or are perpetually delayed.”[7]

Even when an IT department is inclined to respond to employee requests,
IT personnel may be unfamiliar with:

  • The latest application development best practices like DevSecOps, or
  • Current mobile application development trends and techniques.[8]

As a result, enterprise employees often elect to fill the IT support
vacuum by becoming their own IT suppliers.

Shadow Risks

Shadow IT Is, Metaphorically, the IT Iceberg

Perhaps the best way to visualize Shadow IT risk – and communicate that
risk to enterprise employees – is to imagine an iceberg composed of
information technology hardware, software, and firmware. A symbolic “water
line” separates the iceberg’s components according to their support
status. The components above the water line – the visible components – are
supported by enterprise IT. The components below the water line – the
invisible components – are not supported, and thus constitute a threat to
enterprise information and information systems, as well as enterprise
customer and employee privacy.

Shadow IT Is More Prevalent Than Generally Believed

As revealed by analyst Adam Marre, “as many as 80 percent of employees
use unauthorized services. What is surprising is that [enterprises] have
known about this threat for a very long time, yet they’re still failing to
address it.”[9]

Shadow IT Has Actually Evolved Into a Sales Strategy

As observed by analyst Jay Chapel, “With the advent of SaaS, IaaS and
PaaS services with ‘freemium’ offerings that anyone can start using (like
Slack, GitHub, Google Drive, and even AWS), Shadow IT has become an
adoption strategy for new technologies. Many of these services count
on individuals to use and share their applications so they can grow
organically within an organization. When one person or department
decides one of these tools or solutions makes their job easier, shares
that service with their co-workers, and that service grows from there,
[eventually] IT’s hand is forced to [explicitly or implicitly] approve
[the service] through support.”[10]

Shadow IT Increases Exposure to Cloud-Based Malware

Analyst Jordan French summarizes the problem in a simple phrase, “More
apps, More gaps,” labeling “the ‘app sprawl’ phenomenon caused by Shadow
IT a major cybersecurity risk.”

Aggravating the situation, “PC-installed apps used in any Shadow IT
ecosystem will require updates and security patches at some point, and
there’s no guarantee that employees using those apps will take the time
and effort to do so, leaving critical data and systems at risk. Users of
Shadow IT apps may or may not be in compliance with any company-wide
cybersecurity policy, and hackers are more than willing to use those apps
as a gateway to other apps, systems, or databases.”[11]

Shadow IT Can Enable Technology “Errors and Omissions”

According to The Travelers Indemnity Company, “A company can be held
liable for causing economic loss to others as a result of [the] failure
… of security systems to work as intended due to an error, omission or
negligent act,” such as:

  • Failure to routinely test, allowing unauthorized
    software to escape detection.
  • Use of unapproved software, such as non-vetted open
    source code.
  • Incorporation of flawed code, as might be supplied by
    an unqualified programming partner.[12]

Complying with the EU GDPR Will Be Challenging Due to Shadow IT

Any organization that collects, processes, or stores the personal data of
individuals in the European Union must comply with the EU General Data
Protection Regulation (GDPR), regardless of where the organization itself
is located.

Analyst Andrada Coos cautions that “companies that process EU data
subjects’ personal information have very clear obligations as data
controllers and processors. Prior authorization for processing is needed
from data controllers and can only be done as per the documented
instructions provided by them. Confidentiality is imposed on personnel
processing sensitive data. Clear measures to protect personal data must be
adopted and sub-processors cannot be engaged without the explicit
authorization of data controllers.

“The GDPR also requires a very clear and specific statement of consent
from EU data subjects. Customers must give explicit consent to concisely
formulated requests. They also have the right to revoke that consent at
any time and request that their data be destroyed by the data controller
and, implicitly, the data processor.

“Shadow IT, by engaging non-authorized third-parties, clearly circumvents
all of these stipulations of the GDPR.”[13]

In addition to GDPR, compliance with other rigorous statutes, like the
California Consumer Privacy Act (CCPA), is inherently difficult to achieve
in an information infrastructure infected with Shadow IT apps.

As with Most IT Issues, the Coronavirus Is, Regretfully, Relevant

Analyst Michelle Greenlee reports that “Amid the COVID-19 pandemic, the
use of unauthorized software and products is … anticipated to increase
by 65 percent.”[14]

Undoubtedly, some of the increase can be attributed to efforts aimed at
cobbling together virtual office environments, so any anti-Shadow IT
enforcement measures should be sparingly applied.

IT Staff Often Violate Their Own Shadow IT Rules

A survey of 1,000 US-based IT professionals, conducted by Entrust
Datacard, reveals that IT staff members often contribute to the Shadow IT
problem, with fully 40 percent of respondents admitting to using an
unapproved device, application, or other technology.[15]

How can an enterprise count on IT staffers to help enforce Shadow IT
restrictions which they, themselves, frequently ignore? On the other hand,
this dereliction of duty among individuals who should be most cognizant of
Shadow IT dangers only reinforces the need for enlightened Shadow IT
management.
Shadow Management

Rather than try to prohibit Shadow IT, enterprise officials should
attempt to adapt to this new and expanding IT dynamic.

Hybrid IT

To accommodate the Shadow IT community, some enterprises like Cisco
suggest establishing a Hybrid IT environment, combining regular enterprise
apps with popular – and properly-vetted – Shadow apps. By demonstrating a
willingness to embrace employee-chosen apps, enterprise IT can hopefully
slow the pursuit of Shadow IT software, and begin to reclaim its rightful
ownership of the enterprise technology portfolio.[16]

Citizen Developers

Since Shadow IT users function as unofficial application and product
developers, analyst James Quigley sees an advantage in doubling down:
making the unofficial development role official. “What if Shadow IT could
be converted from a perceived liability to an invaluable tool for rapid
innovation and cost management? What if businesses could turn their
employees into ‘citizen developers’ empowered to see an innovative idea
all the way through to a final product or process?”

According to Quigley, a citizen developer is “best defined as any non-IT
specialist within the organization who is empowered to quickly and easily
build and deploy solutions that address a specific business need/pain
point without IT department support. This innovation can then spread
throughout the organization as other units become aware of a solution and
its positive results.”[17]

Shadow Discovery

In response to the proliferation of Shadow IT applications, a number of
Shadow IT discovery tools have been developed, including:

  • Microsoft Cloud App Security – A Shadow IT discovery
    and app governance tool.
  • CoreView Multi-SaaS – A tool to discover and manage
    SaaS apps.
  • CloudCodes Shadow IT – A tool to monitor, block, and
    report the use of any authorized and unauthorized apps within the
    enterprise.

These solutions may be employed to regulate Shadow IT usage and control
Shadow IT effects.[18]
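Discovery tools of this kind work from the same raw material an enterprise already has: proxy or firewall logs, matched against a catalogue of sanctioned applications (the approved vendor list discussed under Shadow Management) so that everything else can be surfaced and ranked. The Python script below is an added example written for this tutorial; it is not code from this report or from any of the products named above. It assumes a hypothetical approved vendor list keyed by registered domain and runs it over a handful of constructed Squid-style proxy log lines, reporting the unsanctioned SaaS domains ordered by how many distinct users rely on them.

```python
"""Minimal Shadow IT discovery pass over proxy logs (added example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical approved vendor list: registered domains of sanctioned apps.
# A real catalogue would map many hostnames per app and use the public
# suffix list; the two-label rule in registered_domain() is a simplification
# made for this example.
APPROVED_DOMAINS = {
    "sharepoint.com": "Microsoft 365",
    "office.com": "Microsoft 365",
    "slack.com": "Slack",
    "corp.example": "Internal systems",
}

# Constructed Squid-format access log lines (not real traffic). Fields:
# timestamp elapsed client status/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1615891200.123 1234 10.1.2.3 TCP_TUNNEL/200 5120 CONNECT www.dropbox.com:443 jsmith HIER_DIRECT/162.125.1.1 -
1615891201.456 987 10.1.2.4 TCP_TUNNEL/200 4096 CONNECT api.trello.com:443 amartin HIER_DIRECT/18.0.0.1 -
1615891202.789 450 10.1.2.3 TCP_TUNNEL/200 2048 CONNECT corp-tenant.sharepoint.com:443 jsmith HIER_DIRECT/13.0.0.1 -
1615891203.000 300 10.1.2.5 TCP_TUNNEL/200 1024 CONNECT www.dropbox.com:443 bwong HIER_DIRECT/162.125.1.1 -
1615891204.111 200 10.1.2.6 TCP_MISS/200 512 GET http://intranet.corp.example/index.html klee HIER_DIRECT/10.0.0.9 text/html
1615891205.222 150 10.1.2.4 TCP_TUNNEL/200 768 CONNECT drive.google.com:443 amartin HIER_DIRECT/142.250.0.1 -
"""


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (simplified; see note)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line: str):
    """Return (user, host, bytes) from one Squid access.log line, or None."""
    parts = line.split()
    if len(parts) < 10:
        return None
    size, method, url, user = int(parts[4]), parts[5], parts[6], parts[7]
    if method == "CONNECT":           # TLS tunnel: the url field is host:port
        host = url.rsplit(":", 1)[0]
    else:                             # plain HTTP: the url field is a full URL
        host = urlsplit(url).hostname or ""
    return user, host, size


def discover_shadow_apps(log_text: str, approved=APPROVED_DOMAINS):
    """Aggregate traffic to domains outside the approved list.

    Returns [(domain, distinct_users, total_bytes), ...] sorted so the most
    widely used unsanctioned services come first; those are the candidates
    for vetting and mainstreaming rather than outright blocking.
    """
    seen = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, host, size = rec
        domain = registered_domain(host)
        if domain in approved:
            continue
        seen[domain]["users"].add(user)
        seen[domain]["bytes"] += size
    return sorted(
        ((d, len(v["users"]), v["bytes"]) for d, v in seen.items()),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


if __name__ == "__main__":
    for domain, users, nbytes in discover_shadow_apps(SAMPLE_LOG):
        print(f"{domain:<20} users={users} bytes={nbytes}")
```

Two caveats a practitioner would want. Grouping by registered domain lumps drive.google.com together with every other Google service, so a production catalogue maps specific hostnames to products (and to a risk rating) rather than to bare domains. And unauthenticated proxy entries (user recorded as "-") must be tied back to a device or person through other means before the "distinct users" count means anything; otherwise the ranking only reflects how many sessions went unidentified.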


“In the new digital economy, the reality is that most organizations will
support technology devices, software and services outside the ownership or
control of IT organizations. The only solution to this problem is to
improve the ongoing collaboration and communication between IT and the
business so that the possibility of a surprise is minimized.”

Fitzgerald, research vice president, Gartner[19]

In formulating a Shadow IT strategy, enterprise officials should consider
the following measures.

Examining the Shadow IT Mindset

Do not assume that all enterprise employees share the same motivations
relative to Shadow IT use. Meet, informally of course, with a
cross-section of employees to determine – without judgment or consequence
– whether they willfully ignore Shadow IT policy and, if so, why.

Digest the results and incorporate any lessons learned into Shadow IT
policy and procedures.[20]

Establishing a Shadow IT Policy

Analyst Adam Marre declares that, “Companies need a well-defined policy
on the use of unsanctioned services and the protection of company data.
[But, he reminds,] policy won’t accomplish anything if it isn’t
communicated to employees. Offer regular training, including explanations
of the rationale behind the policy and real-world risks.”[21]

Creating an Approved Vendor List

Specify all approved IT vendors and applications. As suggested by analyst
Jordan French, “If employees and managers would like to begin using an app
not currently on the list, encourage them to submit that vendor to [their]
IT department [which will] be able to conduct proper vetting and configure
the app with proper security protocols.

“When onboarding a new vendor, formulate a breach notification plan in
the agreement so that [the enterprise will] be able to take swift action
in the event of an actual cyber attack.”[22]

Conducting a Shadow IT Inventory

Survey employees to determine the extent of Shadow IT operations.
Importantly, assure those employees who may be engaged in Shadow IT
activity that no disciplinary action will be taken. The purpose of
the poll is to identify – and prioritize – those non-standard applications
and services that employees need to perform their work.

Mainstreaming Common, Secure Shadow Applications

Following the Hybrid IT model, examine the high-priority – and high-use –
Shadow applications and services to assess their enterprise suitability.
Applications and services that pass security vetting – for malware, for
timely patching, for data encryption and backup, and for regulatory
obligations such as GDPR – should be considered for inclusion within the
enterprise technology portfolio, conditioned, of course, on the
availability of support personnel. Without proper support, moving too fast
can be as harmful as moving too slow.

Working with Shadow Tech Vendors

Citing Ron Temske, vice president of security solutions at Logicalis,
analyst John Edwards suggests engaging with Shadow IT software providers
to produce non-Shadow solutions. “If IT determines there’s a solid
business reason for converting a Shadow IT technology into an approved
business tool, the organization should reach out to the developer to
discuss specific needs and goals.”

According to Temske, “Many software vendors have different versions of
their products or will be willing to work cooperatively to make sure their
product meets an organization’s requirements.”[23]

Practicing Transparency in Application Development

Shadow IT owes its momentum to two factors:

  1. The proliferation of cloud-based software, readily accessible via web
     browsers.
  2. The failure of enterprise IT to keep pace with employee computing
     needs.

To prevent employee frustration with enterprise IT from manifesting as
Shadow IT usage, enterprise officials should promote transparency in
application development, even enabling rank-and-file employees to
participate in development decision-making.

Employees should also have a vehicle for recommending enterprise adoption
of new and innovative cloud applications.

Pursuing a Practical, Pragmatic Approach

Finally, analyst Andrew Froehlich advises that: “However you ultimately
decide to handle the situation, know that the likelihood that Shadow IT
can be completely eradicated from enterprise organizations is extremely
slim. Rather, the goal for CIOs and IT departments should be to
significantly reduce the need for employees to circumvent IT in order to
perform their work duties. Ultimately, this will mean that IT departments
will have to dramatically expand their portfolio of approved applications
and cloud services they offer their end users.”[24]


1 Anudeep Parhar. “It’s Time for the C-Suite to Take the Reins on Shadow
IT.” Forbes. December 12, 2019.

2 Scott Julio. “21 Shadow IT Management Statistics You Need to Know.”,
Inc. October 28, 2020.

3 James Quigley. “It’s Time to Embrace, Not Fear, Shadow IT.” TechCrunch.
September 25, 2015.

4 Anudeep Parhar. “It’s Time for the C-Suite to Take the Reins on Shadow
IT.” Forbes. December 12, 2019.

5 Kaitlyn Graham. “Shadow IT: Your Urgent Questions Answered.” BitSight
Technologies. March 4, 2021.

6 Daniel Davis. “What Is Shadow IT? How IT Leaders Can Overcome the Top
Five Collaboration Challenges.” IBM. March 30, 2016.

7 James Quigley. “It’s Time to Embrace, Not Fear, Shadow IT.” TechCrunch.
September 25, 2015.

8 Jacek Materna. “Shadow IT: It’s Not What You Think.” December 5, 2017.

9 Adam Marre. “Shadow IT: Every Company’s Three Hidden Security Risks.”
Dark Reading. August 7, 2018.

10 Jay Chapel. “Shadow IT: Not a Problem or Worse Than Ever?” Dataversity
Digital LLC. March 2, 2021.

11 Jordan French. “Why Shadow IT Is the Next Looming Cybersecurity
Threat.” TNW. April 25, 2019.

12 “Shining a Light on Shadow IT.” The Travelers Indemnity Company.
2017:9.

13 Andrada Coos. “Shadow IT in the Age of GDPR Compliance.” February 15,
2018.

14 Michelle Greenlee. “Fix Shadow IT in Your Organization.” July 7, 2020.

15 Anudeep Parhar. “It’s Time for the C-Suite to Take the Reins on Shadow
IT.” Forbes. December 12, 2019.

16 Andrew Froehlich. “Shadow IT: It’s Much Worse Than You Think.”
InformationWeek. August 6, 2015.

17 James Quigley. “It’s Time to Embrace, Not Fear, Shadow IT.” TechCrunch.
September 25, 2015.

18 Michael Cobb. “Protect Your Enterprise Against Shadow IT in the Cloud.”
TechTarget. March 26, 2019.

19 Kasey Panetta. “Make the Best of Shadow IT.” January 25, 2017.

20 Michelle Greenlee. “Fix Shadow IT in Your Organization.” July 7, 2020.

21 Adam Marre. “Shadow IT: Every Company’s Three Hidden Security Risks.”
Dark Reading. August 7, 2018.

22 Jordan French. “Why Shadow IT Is the Next Looming Cybersecurity
Threat.” TNW. April 25, 2019.

23 John Edwards. “Seven Ways to Embrace Shadow IT and Win.” CIO.
Communications, Inc. May 3, 2018.

24 Andrew Froehlich. “Shadow IT: It’s Much Worse Than You Think.”
InformationWeek. August 6, 2015.

About the Author

James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of “Who’s Who in Finance
and Industry,” Mr. Barr has designed, developed, and deployed business
continuity plans for a number of Fortune 500 firms. He is the author of
several books, including How to Succeed in Business by Really Trying, a
member of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via e-mail at