Shadow IT in Under 5 Minutes Shadow IT describes the notion that organizations have users and employees that are utilizing applications that are not necessarily sanctioned and are being…

Shadow IT in Under 5 Minutes

Bernd Leger

As Chief Marketing Officer, Bernd drives CloudLock’s go-to-market strategy, including inbound marketing, product marketing, content marketing, public and analyst relations, marketing communications and sales enablement.


Shadow IT describes the notion that organizations have users and employees that are utilizing applications that are not necessarily sanctioned and are being used outside of the corporate realm. We need to better understand what types of applications those are: are they productivity applications? are they applications for personal use? Are they applications we don’t want to see on our network such as pornography?

When we talk about shadow IT at CloudLock, we actually like to call it shadow productivity, because not all of these applications are necessarily bad. They might be applications your employees are discovering that may actually add to their own productivity. You don’t want to necessarily block all these applications, you may potentially want to allow some of them.

What Approaches are Organizations Taking to Solve Shadow IT Challenges?

The terminology being used for our solution category today is called CASB, which stands for Cloud Access Security Broker. The traditional approach that organizations are taking is that they’re putting these CASBs between their users and their cloud environments to broker and provide access to applications. The alternative approach is to have a CASB live directly in the cloud, communicate with apps via APIs and regulate access to those applications.

What Elements of Shadow IT Should You Focus On?

When we think about shadow IT, we can group applications into three buckets: IT sanctioned apps, irrelevant shadow IT, and relevant shadow IT.

Your IT sanctioned apps are the backbone of your organization. These include your traditional office applications such as Office 365, DropBox, Salesforce, Box, Google Apps, and so on. On the other hand, you have applications that are used for personal use. Quite frankly, for privacy reasons, we don’t believe organizations should focus on what applications their employees are using at work on their personal devices (irrelevant shadow IT).

Now, what’s interesting is what we refer to as relevant shadow IT. These are applications that are being used for personal use but have been granted access to the corporate environment. For example, you might have a user simply authenticating an application such as Podio, which is a project management solution. When authenticated through OAuth, the app is granted access to all of your google information such as your calendar, emails, drive, etc. Now, all of a sudden, you’ve opened an inroad into your environment.

Managed and Unmanaged Users

Very often organizations think shadow IT is a matter of managing devices, and as long as devices are controlled, they can manage the information that’s being granted. This is only somewhat true. As long as that employee sits on the network, you’re good to go because you can control what happens in that environment. However, what happens when you have non-employees accessing that same environment? For example, you might have a community user that accesses Salesforce through a support portal and none of that traffic actually goes through the network.

Rather than asking yourself if your devices are managed, we believe the more important question to ask is “are your users managed?” It’s crucial to put the right vehicles in place to monitor your managed and unmanaged users, and this is where an API-centric approach to CASB comes in.

See How an API-Based CASB Can Solve the Shadow IT Issue

Request a Free Security Assessment to witness the value of unparalleled visibility, control, and peace of mind when you uncover vulnerabilities across your entire cloud environment– SaaS, PaaS, IaaS, and IDaaS:

  • Expose potential compromised accounts, cloud malware, or data security violations
  • Validate adherence with internal or industry-governed regulations – PCI, HIPAA, FERPA, and more
  • Receive a business analysis, mapping findings to your organizational goals

CloudLock Security Assessment

Browser Not Supported

Your browser version is outdated.

We would recommend you upgrade to a recent version to ensure that you have a good experience on the CloudLock site. Outdated browsers also increase your security risk. So please update your browser and come back later!

Click on the icon below to download the latest version of your browser