Shadow IT - friend or foe?

Shadow IT - it’s the bane of every IT and IS department, especially within the enterprise. Workers downloading “not yet” approved or sanctioned applications, many of them cloud-based, to work remotely is a trend that has been ongoing for the past decade but has accelerated greatly since the pandemic hit the world in 2020. While not officially blessed by the policies of an enterprise’s IT department, teams within an organization have had to fend for themselves by utilizing copious cloud apps. It’s a practice that can often enable teams to work faster and smarter while at the same time weakening the security of the network and exposing sensitive data to major threats.

About the author

Francis Dinha is the CEO of OpenVPN.

According to recent data by Microsoft, the average enterprise is utilizing 1,500 different cloud apps. Thanks to web-based platforms, employees can easily upload work-related information via technology that hasn’t been verified by their IT security teams. Now, think about what that means for the enterprise and the IT departments. It means that there are at LEAST 1,500 additional points of entry into the network. The lack of visibility into each Shadow IT application creates cybersecurity gaps. Although most apps are harmless, others, like file sharing and storage, can present big risks to an organization and its sensitive data.

This is clearly not sustainable

Layered approach

Only one thing is for certain - there isn’t an easy ‘one size fits all’ solution that will work for everyone. Evidence has shown that managing the remote workforce will require creativity, flexibility and a layered approach - meaning you have to layer new technology on top of legacy systems. This is most evident in the world of VPN.

There has been article after article predicting that remote working is the death knell of the VPN. Each prediction points to how antiquated and out of date the technology looks at this point. Just 2 years ago, Gartner predicted that by 2023, 60% of enterprises will phase out most of their remote access Virtual Private Networks (VPNs). This has been cited over and over again in recent articles, but the stat is being used out of context time and again. The report was published in the second part of 2019, a time that we have started to call ‘before.’ The claims are misleading, and in 2021, VPNs have changed drastically. The evolution of the VPN was already in the works, but was sped up due to necessity during the pandemic. This next generation of VPNs is going to be a crucial component of securing the network in the world of remote working and Shadow IT.

Next-gen VPN

What is a next-gen VPN? A next-gen VPN, when properly created, can not only be installed as a standalone, but is specifically built to harness the legacy VPN technology that works within the network. Next-gen VPNs have fortified security with enhanced encryption and zero trust security principles to keep access secure. As a result, Zero Trust Networks (ZTN) have a symbiotic relationship to next-gen VPNs. Both technologies need each other. There is a critical interdependency there that some people are forgetting. A next-gen VPN is now a critical component or layer to the success of a ZTN. That is not to say it is the silver bullet to rid yourself of shadow IT. There must always be a multilayered approach when it comes to securing the network. Attention must also be paid to domain filtering capabilities. With domain filtering, blacklists work in tandem with whitelists to ensure safety. This allows employers to control the various points of entry while also accommodating popular websites that employees visit during the workday. Sites such as Amazon and YouTube have strict internal security policies and are less likely to affect another vendor’s network.

This is only one step in the effort to minimize threats that Shadow IT can and will bring into the network. Visibility into cloud applications on all employee-owned devices is a necessary tool. IT and IS departments need to use additional technology, including behavior-based tools that allow for real-time auditing of outside cloud applications; for compliance auditing and data loss protection, CASBs are used. Depending on those applications’ security and safety, IT managers can set security policies that are within reason. The other benefit is that this knowledge could shape policy and acceptance of popular technologies that work well within the work environment but were not previously used.
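As an added illustration (not code from the article or from OpenVPN), the Python example below shows one way blacklist and whitelist entries can be evaluated together, and how domains that match neither list surface for review, which is the visibility step described above. The policy entries, the `time client domain` log format and the host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed policy; the .test domains are placeholders, not from the article.
BLOCKLIST = {"storage.test"}  # stands in for an unsanctioned file-sharing service
ALLOWLIST = {"corp.storage.test", "youtube.com", "amazon.com"}

def candidates(domain):
    """Yield the name and each parent domain, most specific first (bare TLD excluded)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(max(len(labels) - 1, 1)):
        yield ".".join(labels[i:])

def decide(domain):
    """Most specific rule wins; on a tie the blocklist wins; no rule means 'review'."""
    for name in candidates(domain):
        if name in BLOCKLIST:
            return "block"
        if name in ALLOWLIST:
            return "allow"
    return "review"

def audit(log_text):
    """Map each decision to {domain: set of client hosts} from 'time client domain' lines."""
    report = {a: defaultdict(set) for a in ("allow", "block", "review")}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than guessing
        _, client, domain = fields
        domain = domain.lower().rstrip(".")
        report[decide(domain)][domain].add(client)
    return report

# Constructed DNS query log lines for the example.
SAMPLE_LOG = """\
2021-06-01T09:00:01Z laptop-17 corp.storage.test
2021-06-01T09:00:05Z laptop-17 personal.storage.test
2021-06-01T09:01:12Z laptop-22 www.youtube.com
2021-06-01T09:02:40Z laptop-22 notes.unvetted-app.test
2021-06-01T09:03:02Z laptop-31 notes.unvetted-app.test
2021-06-01T09:03:09Z laptop-31 STORAGE.test.
"""

if __name__ == "__main__":
    for action, domains in audit(SAMPLE_LOG).items():
        for domain, clients in sorted(domains.items()):
            print(f"{action:6} {domain:26} clients={sorted(clients)}")
```

The `review` bucket is the Shadow IT discovery output: domains no policy covers yet, with the devices that reached them, ready for a sanction-or-block decision.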

Shadow IT is a complex issue for companies across the board. While the security threats are very real and dire, there is a benefit to employees downloading productivity tools that can best fulfill their needs while at the same time protecting the network. A layered approach along with next-gen technology like VPNs and visibility tools will help IT departments balance the risk vs. reward, because this trend of remote working and unauthorized downloads of cloud-based applications is not going away.
