Shadow IT is a term used to describe employee use of unauthorized business applications. Quite literally, the IT department is kept ‘in the dark’ about the use of these applications, often not knowing the extent to which they are being used across the company.
This problem starts innocently with a well-meaning employee creating an account with an unauthorized system in order to meet a business need such as sharing a document or working with a customer or partner. Over time, more employees create accounts and before long there is a flourishing community of users.
For IT professionals, these shadow IT accounts pose serious security concerns, the most notable being that the accounts are not governed by company access control systems. The company has no ability to terminate access when someone leaves the company; any data in these applications remains accessible to former employees.
There are also no formally applied access control policies such as strong passwords, multi-factor authentication or zero trust policies to restrict access in accordance with company policies. This often means these systems are not secured in a manner that meets company security standards or any applicable regulatory requirements.
A final major concern is protecting the data within these accounts. Unmanaged business applications may contain sensitive or protected information about customers, partners or intellectual property. These types of information would typically be secured by a corporate data loss prevention (DLP) policy, backed up and retained in journaling systems or made subject to other formal access controls.
Shadow IT and these risks have been around for quite some time, but recently they have been getting new attention from regulators in certain industries. In the fall of 2022, US SEC regulators levied heavy fines on a number of US firms over the use of unmanaged third-party accounts for work communications.
This sets a new precedent for organizations to be more aware of shadow IT account usage, to take active measures to mitigate existing shadow IT systems, and to put preventative measures in place so that these accounts are not created going forward.
StrataPrime, in partnership with Google, can help organizations understand the magnitude of their shadow IT challenge and resolve it by bringing unmanaged accounts ‘into the light’. We can uncover unauthorized Google accounts and transition them into managed Google Workspace instances that are proactively secured and easy for IT to manage.
Shadow IT is no doubt a complicated issue, but perhaps signifies employees’ desires to use applications they enjoy and love in their personal lives. With over 3 billion users worldwide, Google Workspace – previously known as G Suite – is that familiar and beloved productivity tool.