Note: This was a paper I wrote last month for a computer information systems class in my MBA program, so it will be a tad executive leaning. Now that I’m finished with my coursework, I’ll have more time to write after some R&R. Enjoy!
An Examination of Shadow IT
Abstract
In its early years, Shadow IT was thought of as a budgetary concern for organizations. As its use grew to encompass network-facing applications and hardware with unclear ownership, so too did its accompanying threats to firms’ computer and network security. Today’s Shadow IT has expanded further to include the use of cloud-based solutions and the data-based threats of Shadow Data. Risks associated with modern Shadow IT have also expanded, and now include much greater levels of risk to the confidentiality, integrity, and availability of data that has been made globally accessible. Shadow IT’s existence can be attributed to misalignments between IT and business units, and individuals’ use can be explained several rationalization techniques. Organizations can work to mitigate the threat presented by Shadow IT and Shadow Data through the use of policy, technical controls, awareness training, and effective identity management.
Introduction and Limitations
Broadly speaking, Shadow IT and terms such as rogue systems encompass any hardware, software, or solution used by a firm’s employees that is neither formally approved by the formal IT department nor prescribed by any policies (M. Silic, A. Back, as cited in Silic, Barlow, & Back, 2017). While enterprise attention given to Shadow IT began with concerns with increasing capital expenditures (Pisello, 2004), today’s Shadow IT presents a widespread threat to organizations and businesses of any size. This paper intends to explore the historical and current trends and risks of Shadow IT, the rise of Shadow Data and its associated risks, examine some of the potential drivers behind the prevalence of Shadow IT, and propose some risk mitigation strategies relevant to Shadow IT.
As stated, today’s Shadow IT is a very broad term. Discussing this topic will encroach on some other information security topics, including the rise of the bring-your-own-device (BYOD) trend, enterprise-level technical controls, data governance, the implications of Shadow Data, and network and systems architecture. In the interest of relative brevity and keep this paper within appropriate scope, these topics will not be explored in great depth. Additionally, risks associated with Shadow IT and potential mitigation strategies are predominantly tailored to organizations within the United States; laws, regulations, and general workplace culture will likely vary in other regions.
History of Shadow IT and Conventional Shadow IT Trends
While “Shadow IT” has been a term in use since the late 1990s and early 2000s, the context surrounding its use has changed since early references. In sectors that change as rapidly as information technology and information security, years-old (if not decades-old) facts and findings may at first appear to not provide much value. However, it is critical for practitioners and decision makers, especially those new to the field, to understand this historical context as it is a driver behind current trends, and may still be in practice today.
In the midst of then-record IT-related capital expenditures, Shadow IT in the late 1990s and early 2000s was generally looked at through lens of “rogue” spending on systems to circumvent backlogged IT projects and other obstacles (Pisello, 2004). Non-IT functional areas in corporations sought to overcome short-term delays by acquiring software and training. Pisello (2004) reported that in the late 1990s, Shadow IT spending was estimated to be 10% of a typical firm’s formal IT budget, and from 2000 to 2003, Shadow IT spending grew to an estimated 20% of total IT spending in average organizations. Even early in the term’s history, the use of Shadow IT extended beyond businesses. According to a 2007 Government Executive article, government workers used Shadow IT applications “to be more productive or, at times, to be entertained” (Noyes, 2007).
A review of available literature and resources suggests that there are few – if any – practitioner surveys regarding Shadow IT usage from the early years of the term’s use. Still, industry analysts and some organizations’ leaders showed concerns in the early to mid 2000s about the data management risks presented by uncontrolled storage media and network vulnerabilities created from unapproved software. As early as 2004, analysts from industry consulting firm Gartner raised concerns about data leakage and malware infections from iPods and other removable media (Contu, 2004 and Leyden, 2004, as cited in Walters, 2013). In 2007, in line with these concerns, the CIO of The Salvation Army took steps to reduce the use of personal hardware for work and work hardware for personal use by branding firm-issued USB drives with the charity’s logo and using endpoint controls to block unauthorized devices (Lacey, 2007, as cited in Walters, 2013).
Despite analysts’ concerns and organizational policies about the use of personal storage media in the workplace, individuals continued to use personal hardware. For example, some firms’ employees went as far as buying ties with special-purpose iPod pockets to circumvent workplace bans on MP3 players (Aughton, 2006, as cited in Walters, 2013). While data are not available on employees’ actual behavior at the time, it stands to reason that the use of unauthorized storage media and other devices was prevalent in the early and mid 2000s.
In addition to storage media and other hardware, rogue software was a Shadow IT concern during this time. In a 2007 Government Executive article, potential network- and host-based vulnerabilities caused by Shadow IT applications were cited as the main concerns of its use (Noyes, 2007). Five years later, a private sector security analyst warned “BYOS (Bring Your Own Software) tools cannot be accessible to groups that handle information protected by regulations, and such groups need to be educated that use of such tools is unacceptable” (Roy, 2012, as cited in Walters, 2013).
A 2014 study examining software installed on all computers at one Fortune 500 company provided insight into how prevalent shadow software use was, as well as the types of software used (Silic and Back, 2014). The researchers analyzed an endpoint scan of over 10,000 user computers and found 19,633 different versions software that comprised 527,403 software installations (Silic et al., 2014). After removing entries for software that had been approved by the company’s IT department, the researchers discovered 2,965 unique versions of unapproved software, meaning 15% of all software installed on the company’s endpoints was “illegal” (Silic, et al., 2014).
The same 2014 study grouped the “illegal” software used by employees into several categories (Silic, et al., 2014). The researchers found that the “greynet” or “greyware” applications, software used for collaboration or communication, comprised the top category of rogue software and were used by 58.97% of employees. This category of applications, “which use evasive techniques to traverse the network [often using proprietary protocols]”, includes instant messaging, peer-to-peer file sharing, and web conferencing software (Silic, et al., 2014). The next most-used category of rogue software was content applications, which “enable users to publish, edit, modify, and create content” (Silic, et al., 2014). Content apps such as PDF editors were used by 48% of employees (Silic, et al., 2014). The third category identified by the researches was extranet software, which is “another [type of] content app that allows access to a computer network from the outside in a controlled way” (Silic, et al., 2014). While many of the 268 extranet utilities were “associated with payments, loans/credits, and banks” their use by more than 11% of employees still presents a risk to the organization (Silic, et al., 2014). Finally, the researchers found that 22.5% of employees used “one or more different utilities grouped into three major categories: 1) PC optimization and cleaning utilities, 2) codecs, and 3) video converters” (Silic, et al., 2014).
In addition to increased capital expenditures, conventional Shadow IT expands the overall attack surface of organizations (Pisello, 2004; Noyes, 2007). Shadow software installed on workstations and servers could feature unpatched or undiscovered vulnerabilities that would allow bad actors to infiltrate otherwise secure networks to install malware, exfiltrate data, or take other negative actions against firms (Noyes, 2007). These effects can be seen in broad survey of IT managers, which revealed that “40% of those questioned admitted that their organizations experienced data integrity issues where data had been compromised, and nearly 25% said that accounts were hacked or misused as a consequence of Shadow IT use” (Symantec, 2013 as cited in Silic et al., 2014).
The use of locally installed software that does not regularly connect to other networks or transfer data for users can present risks to organizations. If users are left to find and install software, they may be susceptible to downloading and installing Trojan software from illegitimate sources (Hausman, Alston, & Chapple, 2005). Trojan software may or may not perform the functions it claims to, but it will install other malware that could give bad actors entry into the host to surveil users or exfiltrate data (Hausman, et al., 2005).
Shadow software obtained from legitimate sources can also be an attack vector. In 2017, thousands of users of CCleaner, a desktop utility for Windows used to remove unwanted files to clear disk space and perform other clean up tasks, unexpectedly received malware with an update of the popular software (Gallagher, 2017). In this incident, the “update supply chain” for CCleaner was compromised, allowing malware to be distributed with what appeared to be a legitimate signing certificate for about a month (Gallagher, 2017). The malware installed in this attack targeted several high-profile companies, but this attack method could have affected a much larger number of hosts if a different malware was packaged with the software (Gallagher, 2017).
Silic and Back’s 2014 study only examined the use of software installed on endpoint machines, and did not explore the use of browser-based or cloud applications. The use of these services within firms and practitioners’ attitudes towards such services is, unfortunately, not well documented in the available literature. However, by constructing a timeline of the launch of several popular cloud-based platforms, it can be reasoned that Shadow IT from the late 1990s to the mid-to-late 2000s was mostly limited to software installed on endpoints and servers, and the use of unauthorized hardware such as storage media.
In 2005, two then-popular consumer cloud storage platforms, Carbonite and Mozy, began publically offering their services; in 2006, Amazon first launched its Elastic Cloud 2 (EC2) storage platform and Google made its Docs and Sheets services available; in 2008, Dropbox first began offering its services to the general public; and in 2012, Google launched its Google Drive cloud storage solution (Computer History Museum, n.d.; Hamburger, 2013). These products ushered in the trends seen in today’s Shadow IT.