Shadow IT refers to the use of software, devices, applications, and IT systems without the express consent of the IT department or systems administrator. In the context of the cloud, then, it could be a user making unauthorized use of various IaaS, PaaS, or SaaS offerings.

In most cases, Shadow IT forms not out of malice, but due to frustration with the inefficiency of current systems. As such, it can at times, be a source of innovation. Employees are often faster to jump on new tech and think of solutions than IT departments, who must carefully consider costs and risk first.

More often, though, Shadow IT users are right about the problem, but not necessarily the solution. As a basic example, a lack of OneDrive space may cause the user to open a Dropbox account. In the process, they could open their organization to security risks when requesting a storage increase would have been enough.

Generally, Shadow IT in Cloud Computing presents risks in several areas.

Data integrity

Likely, your organization has set backup procedures and does its best to handle data safely and effectively. Shadow IT solutions are unlikely to offer the same level of protection. In most cases, they won’t have been vetted or audited, and may not be considered in a penetration test. It’s also doubtful they have the same level of security education and training alongside them.

Essentially, the level of unknown attack surfaces increases. Data may, for example, be traveling outside of the organization to a worker’s home PC or to a third-party who has not been sufficiently vetted. Even if the solution is secure, once that employee leaves, they could do so with proprietary data or leave behind systems that others can’t manage securely.


The problems with data extend to compliance. With data flowing in and out of the company from various undiscovered sources, it becomes incredibly difficult to ensure an organization complies with regulations.

In recent times, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are areas where it’s easy for Shadow IT users to misstep. The solutions they adopt may be collecting additional data points from customers that aren’t outlined in the privacy policy or don’t meet standards in some other way.


Whether it’s in budget or productivity, Shadow IT in cloud computing can lead to inefficiencies. Shadow IT apps may not gel with the rest of your ecosystem. This may create a fragmented or unreliable experience that ultimately harms communication and effectiveness. Shadow IT can also prevent enterprises from gaining a full return on investment with their current tools due to underutilization.

Decreased Visibility

When users make use of unvetted services, they don’t pass the same level of analytics to the IT department or MSP. Visibility over the entire ecosystem is important in many ways. It can help to identify breaches through non-typical usage patterns, determine which solutions are worth keeping, and discover areas where users are struggling.

Balancing Ease of Use and Security

Unfortunately, it’s unlikely an organization will be able to stamp out all Shadow IT usage permanently. Employees will always be looking for ways to make their life easier – and that’s not a trait you want to eliminate.

Instead, it can be useful to develop a proactive mindset. Much can be gained in understanding why users are “going rogue” and working with them to create a secure solution. Tools like Microsoft Cloud App Security can help with this, allowing for the continuous analysis of Shadow IT cloud apps and the ability to secure sanctioned ones with Single Sign On (SSO). The Azure Information Protection features also allow increased oversight. Setting policies and classifying documents can control access to data, even if a user manages to circumvent controls and move data outside the network perimeter.

Employees should also be made aware of the risk of Shadow IT and be encouraged to make suggestions via an open-door attitude. IT policies should reflect this mindset and be open to the testing of solutions that meet security standards. Creating an environment where their solutions are considered rather than punished will only benefit the discovery of unsanctioned tools.

If you need additional help mitigating the risks of Shadow IT, get in touch with VirtuWorks to see how we can help you.