On ‘shadow IT,’ organizations largely still in the dark

A new survey found that IT practitioners are increasingly unaware of what cloud applications workers in their offices are using.

A new survey from the Cloud Security Alliance found that IT practitioners are increasingly unaware of unapproved cloud applications being used in their office, a practice otherwise known as “shadow IT.”

A survey of more than 200 IT professionals from around the world found that 72 percent admitted they have no idea of the scope of shadow IT usage within their organizations. This comes even as the survey found that interest in cloud adoption is growing outside of IT departments: 61 percent of respondents said executives are now involved in such decisions.

Jim Reavis, CEO of the Cloud Security Alliance, said the survey backs up trends he has been hearing about anecdotally over the past 18 months.

“There’s pretty aggressive cloud adoption that we picked up on,” Reavis told FedScoop. “The issue that we find is that a great deal of it is being done in a distributed, grassroots way where business units and even individuals are procuring cloud services on behalf of the business and outside of the IT security organization. That’s a significant issue to deal with.”


Even as respondents say their organizations are either moving “full steam ahead” (33 percent) or “with caution” (41 percent) toward cloud adoption, the survey uncovers some friction in how fast IT offices want to move in relation to the rest of the company. More than half (51 percent) of the respondents said they’ve been pressured to approve an application or device that did not meet security standards.

One of the biggest applications causing friction is Dropbox, which was by far the most likely cloud service to be blocked by IT offices. Conversely, file sharing and collaboration tools like Dropbox, Box, Google Docs and Microsoft Office 365 are by far the most requested cloud services.

The survey’s authors use this discrepancy to highlight how blocking popular services leads to increased shadow IT use within an organization, ultimately putting corporate or personal data at risk.

“Since IT is more likely to block well-known cloud services that tend to have more mature security controls, employees can be forced to find lesser-known but potentially even riskier services to use in their place,” the report states.

Moving a step further, what those employees are then doing with those riskier services is what worries IT professionals about shadow IT: Nearly half (49 percent) of respondents said their primary concern regarding shadow IT is the security of corporate data in the cloud.


Reavis said IT professionals should take a nuanced approach when blocking cloud services.


A graphic showing how many survey respondents have a cloud governance plan in place. (Cloud Security Alliance)

“Blocking needs to be done on a very selective basis,” Reavis said. “There are services that are primarily used for good. Without a policy around it and without the proper controls there can be issues. The solution is really for IT to learn from the organization and the business units that are procuring these services, because it represents a gap in what IT is providing them.”

Part of what’s driving this worry may lie in organizations’ lack of an acceptable cloud usage policy. Seventy-seven percent of respondents say they either don’t have a policy on acceptable cloud usage or the policy currently in place isn’t enforced.

Despite the federal government’s plethora of regulations for cloud, it still isn’t immune to shadow IT, Reavis said.


“The megatrend of tech consumerization that put high-powered devices into an employer’s hands, that let them procure their own service, it happens,” Reavis said. “Even in the defense sector, it happens. There needs to be that approach that you need to really take the effort to look at what’s leading your network and look at that egress point and see what can be done.”

The survey concludes that as small and large enterprises continue to take advantage of the cloud, there needs to be more collaboration on how companies can use emerging applications without sacrificing security.

“Given both the promise and peril of the cloud, organizations will likely continue investing in the processes and procedures to govern cloud adoption, including security projects that protect data stored in the cloud,” the report states.

“The past few years have marked a paradigm shift in IT’s role, from provider to enabler,” said Rajiv Gupta, CEO of Skyhigh Networks, which sponsored the survey. “This survey, the largest of its kind, illustrates that companies are aware of the consumerization of IT but have room to more proactively address the security concerns of cloud adoption.”

Download the full report on the Cloud Security Alliance website.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
