What is Shadow IT?

Mark Williams, Mon, 03/26/2018 - 11:53

Maybe this scenario is familiar to you.  You are an IT professional within your organization charged with designing, maintaining and even upgrading the organization's information technology resources.  One day, as you are out and about tending to your duties, you notice a computer sitting in the corner of a room that you seldom visit.  Since you are not familiar with this computer, you decide to ask those who work in that room about said computer. 

You: “Excuse me.  What is that computer over there used for?”

Them: “That’s our server.”

You: “Server?  Server for what?”

Them: “I don’t know.  It’s just our server.”

You: “Who installed this server and when?”

Them: “Oh, Bob, the guy over there (and he points). He installed it about a year ago. Go talk to him.”

And the conversation goes on. 

What you’ve discovered is “Shadow IT”. Shadow IT consists of technology that exists within the organization that the IT department is unaware of and that may not be authorized to be there. Gartner defines shadow IT as “IT devices, software, and services outside the ownership or control of IT organizations”. Since it is unknown to the company, it is also unknown to the IT department, which would ‘normally’ be responsible for maintaining the system. Thus, this system is running an operating system and/or software that may not be on the organization’s approved list of standards. The system hasn’t been patched since it was installed, AND it has an untold number of vulnerabilities contained within.

Shadow IT is usually introduced by people who have a “let’s get the job done” mentality. These people will find a way to accomplish the task or mission, and they may not follow all of the corporate protocols and processes typically required. Examples of shadow IT include an employee who brings in a personally owned tablet to create customized, animated presentations, an employee who uses Dropbox to store and share corporate data, or the use of personal cell phones to conduct company business. Shadow IT could also include the use of the multitude of cloud-based applications and services such as social media, file sharing, and collaboration tools. While this mindset is commendable on one level, it is also quite problematic on a different level for the organization.


Rapid reaction and adaptability to current needs. Using shadow IT, individual departments can spin up customized solutions that meet their current IT needs without having to go through the normal business processes to have the IT department deploy those solutions. When presented with the choice between using the in-house IT department and outsourcing to a cloud provider, users often choose the cloud. They contend that going through “normal, approved” channels is a slow, cumbersome process and that, in the end, they are provided a solution that does not meet the need, or their request is rejected outright.

Reduced burden on the IT helpdesk. If the solution is provided by a cloud provider, then, in theory, the provider will be the one to call if the solution isn’t working as designed or desired.

Access to newer technologies and solutions. A typical IT architecture is intended to meet the needs of today and of the foreseeable future. As such, the architecture is likely to be fairly restrictive when it comes to adding new technologies. Relying on a cloud solution allows departments to leverage those bleeding-edge solutions without being restricted and confined to the corporate architecture.


Increased burden on the IT helpdesk to support the use of these services. That’s right. This is a double-edged sword. In spite of the fact that we are outsourcing to the cloud and that the cloud provider is supposed to provide the necessary support, when that support is inadequate, the users turn to their trusty, in-house help desk to support them. Unfortunately, those operating the help desk are probably not knowledgeable enough about the solution you are using, which severely limits what support they can provide.

Inconsistency in capabilities between departments and locations. This one seems fairly self-explanatory, but it bears mention. If the musicians in a band or an orchestra are all playing from different sheets of music, the result is not going to be music; rather, it will be noise. The same is true when each department within an organization uses a different solution to accomplish its individual tasks. These inconsistencies foster a number of challenges, such as an inconsistent user experience, special skills required at each site or department to use, operate and maintain the solution, and possibly even higher overall costs.

Securing against breaches and other security incidents. How would the company measure the risks associated with these unknown activities? The simple answer is that it cannot. You cannot quantify the unknowns. (More on this in a future article.)

Proving compliance with applicable laws and regulations. This goes along with the security aspect. It fits into the realm of the unknown. Trying to demonstrate compliance with privacy laws becomes an exponential challenge when the organization is using many solutions that are beyond its direct control to varying degrees.

In the end, shadow IT is here to stay. Organizations need to adopt policies and procedures governing the use of these technologies, including regular service reviews in which the organization evaluates its current and proposed outsourced activities. In these review meetings, we are trying to understand how the solution addresses a business requirement and why the IT department is not providing this service directly.