Shadow IT is any application or other IT resource obtained or built by business users without the knowledge or approval of the IT department, and it's becoming a pervasive problem. In 2012, 77% of businesses were home to shadow cloud deployments, and 40% of these deployments resulted in the exposure of confidential data, according to a 2013 study by security firm Symantec Corp.
Business users say they resort to shadow IT to save time and money, but this practice of surreptitiously bypassing the IT professionals increases costs for companies. Because shadow applications -- also called rogue deployments, rogue IT or stealth IT -- are not managed by IT or integrated into an organization's other systems, they aren't subject to the same security controls or other compliance-related safeguards. If the IT team isn't aware of applications or services procured directly by business users, it may not know where data is stored or who can access it.
Shadow IT did not start with cloud computing or Software as a Service, but the cloud has made bypassing the IT department easier and has exacerbated the ensuing compliance difficulties. It's tough enough to retain control over data that is held within an organization's own jurisdiction, but the challenge is greatly magnified when data is transmitted, handled or stored by a public cloud provider. And it's nearly impossible for IT to manage compliance in the cloud if it doesn't have a well-defined relationship with the service provider.
This FAQ is part of SearchCompliance.com's IT Compliance FAQ series.
What compliance risks does the use of shadow IT introduce?
Shadow IT can expose an organization to a host of data privacy and security-related compliance risks. When cloud-based applications or other IT resources are procured without the knowledge or approval of the IT department, an organization loses the ability to control the data flowing over those services. The cloud service provider may or may not apply the identity management, access control or backup practices required to protect the data, potentially exposing it to unauthorized access and compliance violations. Even if unsanctioned IT resources meet compliance requirements for security, they may still violate compliance-related documentation or system reliability requirements.
More than half of the organizations surveyed by Symantec for a 2013 study said they worried about demonstrating compliance when it comes to data in the cloud. Their worries are not unwarranted: Nearly one-fourth of respondents reported having paid a fine for violating data privacy requirements, and 43% lost data that was in the cloud.
Bypassing IT to procure cloud services can also leave an organization in violation of regulatory compliance requirements such as the Payment Card Industry Data Security Standard, the Control Objectives for Information and Related Technology and the Basel II international standards for banking. Also, when software licenses are purchased outside the IT department's knowledge or purview, those licenses aren't managed within the organization's central software management program. This leads to potential licensing compliance complications. If improperly licensed software is discovered, an organization can be subjected to an audit -- which is costly on multiple fronts -- or fines.
How does shadow IT complicate compliance with laws and regulations?
Shadow IT complicates efforts to comply with numerous federal regulations as well as state data protection requirements. The Sarbanes-Oxley Act of 2002, for example, mandates internal controls for ensuring the accuracy and integrity of information in financial reports by requiring that the information be verifiable and traceable. When data flows over systems procured via shadow IT, that data is not necessarily subject to the IT department's controls.
Complying with the 1996 Health Insurance Portability and Accountability Act (HIPAA) can be greatly complicated by shadow IT as well. In the health care industry, as in many others, cloud-based file-sharing applications or collaboration platforms provide a fast and easy way for executives and clinicians to procure tools without any input from IT. However, many popular programs don't necessarily offer the features or functionality needed to comply with HIPAA data privacy and security rules.
How does shadow IT complicate compliance with e-discovery requirements?
The complicated and evolving field of e-discovery -- in which parties in a lawsuit are required to turn over electronic documents and other records prior to a trial -- is aggravated by shadow IT. Locating and retrieving data hosted with cloud providers poses challenges, and trying to retrieve cloud-based data from providers not sanctioned by IT makes the process much harder. A third of businesses surveyed for the 2013 Symantec study said they had received e-discovery demands for data in the cloud. Two-thirds of these respondents missed their deadlines, resulting in fines.
How can organizations mitigate the risks associated with shadow IT?
To reduce the compliance risks associated with shadow IT, executives are advised to meet regularly with business counterparts to review cloud services and performance, as well as new requirements and challenges. Business users should be included when defining a companywide strategy for purchasing Software as a Service, and a checklist can help ensure a consistent procurement method. If you can reduce the paperwork or other red tape involved in deploying IT resources and speed up the service procurement process, users may be less inclined to bypass the IT department.
Regular vendor communication and application maintenance can help IT departments rein in shadow IT as well. If business users know that the company will save money by procuring cloud-based services through their IT department, they may be less motivated to make the purchases on their own. Increasingly, there are industry-specific cloud services that offer security and other compliance-related features tailored to the customer's needs. Vendors have also been coming up with more tools to facilitate identity and access management for Software as a Service.