What Is Shadow IT?

Shadow IT is a term for SaaS applications employees use and/or access without the knowledge or permission of their information technology departments. Such applications aren’t inherently flawed or dangerous—“shadow IT” simply means an app is being used outside of IT policy, which increases risk for an organization.

How Did Shadow IT Come to Be?

Before the advent of cloud services, an organization’s end users could only access applications made available by IT, which procured and managed packaged software for the organization as a whole in addition to controlling licensing, software updates, access rights, and security policy.

With the onset of the new technology of self-serve applications made possible by the cloud and app stores, users are no longer restricted to applications specifically sanctioned by IT. Instead, they can choose to work with the tools that enable them to get their jobs done more easily or efficiently.

Why Does Shadow IT Occur?

Shadow IT typically occurs when an employee has a particular job to do and a preferred way to get it done. The employee may have previous experience with a specific app, or simply prefer its functionality over the apps sanctioned by the organization. Or, perhaps the organization doesn’t have a sanctioned option at all in an app category the employee needs, be it messaging, file sharing (e.g., Dropbox, WhatsApp, Google Drive), or others.

Shadow IT also occurs when an employee accesses an unsanctioned application used by a third party, such as a:

  • Supplier
  • Technology partner
  • Channel partner

Then, of course, in many instances, shadow IT apps are simply for employees’ entertainment or other personal purposes.

In all these cases, the use of unsanctioned applications creates IT security challenges because IT teams have no visibility or control over these apps. Remote work has worsened this problem in that employees can use whichever software they’d like on their personal devices.

What Are the Security Risks of Shadow IT?

Shadow IT can lead to cybersecurity concerns, misuse of IT resources, lost productivity, and even cyberattacks. Some of the most significant risks include:

Data Exposure

Shadow IT is a significant avenue for data breaches and data loss. Unsanctioned apps, especially when used on smartphones or personal laptops, can easily lead to exposure or inappropriate sharing of sensitive data, whether the user means to do so or not.

Productivity Loss

Using an unsanctioned app—one for social media, for example—can impact collaboration and productivity due to its incompatibility with other apps, and because coworkers may not have access to it or knowledge of how to use it effectively.

Malware and Ransomware

CIOs and CISOs constantly worry about malware and ransomware penetrating their organization—and shadow IT often enables those threats. An unsanctioned app can easily house malicious files uploaded from unsecured personal devices (BYOD) or third parties.

Application Vulnerabilities

According to ZDNet, 60% of Android apps have security vulnerabilities, with 39 bugs per app on average. In some cases, these bugs allow attackers to covertly hijack devices and, once on an organization’s network, infect IT systems and steal sensitive information.

Compliance Issues

Shadow IT introduces the possibility of moving regulated information to places in the cloud that IT can’t see or secure. This can lead to compliance issues around regulations such as GDPR and result in fines as well as a loss of trust.

An Increased Attack Surface

If an employee chooses to use an application without consulting IT, they open the organization up to an increased risk of attack. The data flowing to and from the shadow IT applications or software in question isn’t tied to the baseline IT infrastructure, making it vulnerable.

How Do You Control Shadow IT?

The first thing an IT department must do is discover all the unsanctioned applications running throughout the distributed organization, and then bring a cloud access security broker (CASB) into the picture.

A CASB provides tremendous security value when it comes to blocking and managing shadow IT. CASBs:

  • Ingest logs and workflows from network devices such as firewalls and proxies
  • Comb these logs and workflows for apps
  • Detail uncovered apps’ security attributes and any additional security measures required

While IT may choose to allow certain unsanctioned applications in specific conditions—perhaps when particular users access them—other apps will be prohibited outright. Leading solutions will also provide more granular remediation options for responding to unsanctioned applications.
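As an added illustration of the discovery-and-classification workflow just described (example code written for this page, not Zscaler's CASB or any product code), the script below combs a constructed proxy log for apps, looks each one up in a constructed catalog of risk attributes, and maps the result to the allow, read-only (uploads blocked) or block remediation options the text mentions. The log format, app catalog and risk values are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit
# Constructed sample proxy log ("timestamp user url method bytes"), not real traffic.
PROXY_LOG = """\
2024-05-01T09:01:12Z alice https://mail.example-corp.com/inbox GET 1200
2024-05-01T09:02:45Z alice https://www.dropbox.com/upload POST 5242880
2024-05-01T09:03:10Z bob https://api.trello.com/1/boards GET 800
2024-05-01T09:04:33Z bob https://web.whatsapp.com/ GET 300
2024-05-01T09:05:50Z carol https://www.dropbox.com/home POST 3500
2024-05-01T09:06:15Z bob https://notes.unknown-saas.example/share POST 4096
"""
# Constructed app catalog with two risk attributes per app (stand-in for a CASB catalog).
APP_CATALOG = {
    "example-corp.com": {"app": "Corporate mail", "risk": "low", "sanctioned": True},
    "dropbox.com": {"app": "Dropbox", "risk": "medium", "sanctioned": False},
    "trello.com": {"app": "Trello", "risk": "low", "sanctioned": False},
    "whatsapp.com": {"app": "WhatsApp", "risk": "high", "sanctioned": False},
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\d+)$", re.M)

def discover_apps(log_text):
    """Comb the log for apps: {domain: {"users": set, "upload_bytes": int}}."""
    found = {}
    for m in LINE_RE.finditer(log_text):  # malformed lines simply do not match
        _, user, url, method, nbytes = m.groups()
        # Crude two-label suffix (api.trello.com -> trello.com); real catalogs match properly.
        domain = ".".join((urlsplit(url).hostname or "").split(".")[-2:])
        entry = found.setdefault(domain, {"users": set(), "upload_bytes": 0})
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # uploads are where data leaves the organization
            entry["upload_bytes"] += int(nbytes)
    return found

def policy_decision(domain):
    """allow (sanctioned), read-only (unsanctioned, uploads blocked) or block (high risk/unknown)."""
    info = APP_CATALOG.get(domain)
    if info and info["sanctioned"]:
        return "allow"
    if info is None or info["risk"] == "high":
        return "block"  # never assessed or high risk: block until IT has reviewed it
    return "read-only"

def shadow_it_report(log_text):
    """List unsanctioned or unknown apps as (domain, app, decision, users, upload_bytes)."""
    report = []
    for domain, stats in sorted(discover_apps(log_text).items()):
        decision = policy_decision(domain)
        if decision != "allow":
            app = APP_CATALOG.get(domain, {"app": "unknown"})["app"]
            report.append((domain, app, decision, sorted(stats["users"]), stats["upload_bytes"]))
    return report
```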

Many CASBs will claim to be born in the cloud, but they’re often nothing more than virtual machines strapped to legacy security appliances. Only one security service provider builds its products in the cloud, for the cloud, so you can negate the risks of shadow IT and bolster your security posture. That provider is Zscaler.

Eliminating Shadow IT Risk with Zscaler

The Zscaler CASB is a fully inline solution that uses automation to perform shadow IT discovery without demanding that admins manually upload logs from network devices. It provides full visibility both on and off the network, so IT teams get the uninterrupted oversight necessary to identify all the shadow IT resources that may be in use. Zscaler has a catalog of more than 8,500 apps, each scrutinized across 25 risk attributes, to demonstrate trustworthiness in fine detail—so it more than picks up the slack when it comes to shadow IT mitigation.

Some of the many benefits of the Zscaler CASB include:

  • Granular data protection: Prevents malicious and accidental data leaks across cloud-based applications and other resources
  • Complete threat protection: Stops the spread of threats such as ransomware across cloud and user endpoints
  • Comprehensive visibility: Delivers in-depth logging and reporting for the complete oversight of all cloud data
  • Unified compliance: Provides deep compliance visibility and assurance across SaaS applications

The Zscaler CASB can automatically block risky apps at the moment of access, but it also has more granular options than outright allowing and blocking, which may impede user productivity. Zscaler can provide read-only access to unsanctioned applications to prevent uploads and stop data leakage, as well as set restrictions on employee usage by enforcing bandwidth and time quotas.

Want to learn more about how Zscaler helps protect your organization from the risks of shadow IT? Explore our expansive partner network—including Microsoft, ServiceNow, Google, and more—to see how we provide industry-leading SaaS and cloud security.

Learn how Zscaler Data Protection helps you discover shadow IT and improve data security while allowing organizations to leverage a bring your own device (BYOD) policy.


What Benefits Does Shadow IT Offer?

There are two main benefits to shadow IT: employee empowerment and reduced IT cost. There’s a tangible benefit that comes with allowing employees to be self-sufficient enough to find ways to get tasks done in a more efficient manner—even if that means introducing new software into an environment. And, with this new software, IT doesn’t need to provision it, saving time and money.

What Are Some Common Examples of Shadow IT?

Productivity apps are the usual suspects when it comes to shadow IT. Common examples include Trello, Slack, WhatsApp, SaaS services such as Google Drive (Google Docs, Google Slides, etc.), and standard Google services such as Gmail.