ANALYSIS OF THE IMPACT OF SHADOW IT ON THE ENTERPRISE CLOUD INFRASTRUCTURE

Authors

DOI:

https://doi.org/10.18372/2225-5036.30.19239

Keywords:

Shadow IT, public cloud environments, AWS, cybersecurity risks, compliance

Abstract

Shadow IT, the use of IT systems and services without official approval from the IT department, has become a significant challenge for managing cloud infrastructure in modern organizations. As cloud technologies have become more available and scalable, a growing number of employees independently adopt technological solutions, bypassing official channels. These actions are usually driven by a desire for faster results, higher productivity, or convenience. By circumventing formal IT governance procedures, however, such decisions can seriously threaten data integrity and create significant obstacles to regulatory compliance.

The growth of Shadow IT is directly linked to the expanding functionality and accessibility of cloud services such as AWS, Microsoft Azure, or Google Cloud. These services give quick, minimal-effort access to computing power, data storage, and additional features without any interaction with the IT department. The result is that established IT procedures and governance structures are bypassed, data confidentiality is jeopardized, control over information is lost, and the company is exposed to substantial financial and legal risk.

A key problem arising from Shadow IT is data protection and cybersecurity. Uncontrolled use of cloud services can leave an organization vulnerable to external attacks, because such services may not meet internal security standards or provide the necessary level of protection. The consequences include unauthorized access to sensitive information, data breaches, and violations of requirements such as GDPR or PCI DSS. Conflicts between corporate policies and the specific configurations of cloud services can open further security gaps. Shadow IT also raises the risk of legal and financial liability: the use of unauthorized cloud services can result in fines for regulatory violations, reputational damage, and increased costs for restoring security. The lack of proper management and control further complicates audit compliance and creates serious challenges for the organization, especially under growing regulatory pressure.

One of the most effective ways to mitigate the impact of Shadow IT is to automate the management of cloud environments. Automation significantly improves control over cloud resource usage, allowing IT departments to respond quickly to changes, identify vulnerabilities, and ensure compliance with security standards. Automated monitoring systems additionally provide real-time visibility into the use of cloud services, reducing the likelihood of unauthorized usage.

Another important strategy for combating Shadow IT is reevaluating the usability of the official IT solutions used within the organization. Shadow IT often arises in response to the inadequacy or complexity of existing corporate solutions. If official services are more user-friendly and better tailored to users' needs, employees have less motivation to turn to unauthorized tools. Providing access to more intuitive and functional official cloud services can significantly reduce the number of Shadow IT incidents and improve security.

Thus, combining automation with continuous reevaluation of the convenience and efficiency of official IT solutions is a key strategy for minimizing the risks associated with Shadow IT. These approaches not only enhance control and security but also make IT services more attractive to users, encouraging active use within established rules and procedures.
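As an added illustration of the automated monitoring the abstract recommends (this is example code written for this page, not code from the paper or its authors), the following script scans AWS CloudTrail records for resource-creating API calls and flags the patterns typical of Shadow IT: creation by a principal outside an approved allow-list, creation without the organization's mandatory tags, and creation from the AWS console rather than through a deployment pipeline. The approved-principal ARN, the required tag set, the watched API names, and every CloudTrail record below are constructed for this example; the console-detection heuristic based on the `userAgent` field is an assumption and would need tuning against real logs.

```python
"""Shadow-IT detection over AWS CloudTrail records (added example).

Assumes the organization keeps an allow-list of principals permitted to
create resources and a tagging policy that every new resource must carry.
The allow-list, tag policy and sample records are constructed here.
"""

# Constructed policy inputs (hypothetical; replace with your own).
APPROVED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/PlatformDeployRole/ci-runner",
}
REQUIRED_TAGS = {"Owner", "CostCenter"}

# Resource-creating API calls worth watching: eventSource -> eventNames.
CREATE_EVENTS = {
    "ec2.amazonaws.com": {"RunInstances"},
    "s3.amazonaws.com": {"CreateBucket"},
    "lambda.amazonaws.com": {"CreateFunction20150331"},
    "rds.amazonaws.com": {"CreateDBInstance"},
}


def _tags_from_event(event):
    """Collect the tag keys applied at creation time, per service shape."""
    params = event.get("requestParameters") or {}
    keys = set()
    # EC2 RunInstances: requestParameters.tagSpecificationSet.items[].tags[]
    for spec in (params.get("tagSpecificationSet") or {}).get("items", []):
        for tag in spec.get("tags", []):
            keys.add(tag.get("key"))
    # Lambda/RDS style: a flat "tags" mapping or a list of {key, value} pairs
    tags = params.get("tags")
    if isinstance(tags, dict):
        keys.update(tags.keys())
    elif isinstance(tags, list):
        for tag in tags:
            keys.add(tag.get("key") or tag.get("Key"))
    return keys


def classify(event):
    """Return a list of findings for one CloudTrail record ([] if clean)."""
    src, name = event.get("eventSource"), event.get("eventName")
    if name not in CREATE_EVENTS.get(src, set()):
        return []  # read-only or unwatched call
    findings = []
    arn = (event.get("userIdentity") or {}).get("arn", "")
    if arn not in APPROVED_PRINCIPALS:
        findings.append(f"unapproved principal {arn} called {name}")
    missing = REQUIRED_TAGS - _tags_from_event(event)
    if missing:
        findings.append(f"{name} without required tags {sorted(missing)}")
    # Heuristic (assumption): console-originated creates bypass the IaC pipeline.
    if (event.get("userAgent") or "").startswith("console."):
        findings.append(f"{name} issued from the AWS console")
    return findings


def scan(records):
    """Map eventID -> findings for every record that produced at least one."""
    report = {}
    for record in records:
        findings = classify(record)
        if findings:
            report[record["eventID"]] = findings
    return report


# Constructed CloudTrail records (not real log data).
SAMPLE_RECORDS = [
    {   # approved CI role, fully tagged: clean
        "eventID": "e1", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PlatformDeployRole/ci-runner"},
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"tagSpecificationSet": {"items": [
            {"resourceType": "instance", "tags": [{"key": "Owner", "value": "platform"},
                                                   {"key": "CostCenter", "value": "CC-100"}]}]}},
    },
    {   # developer's own IAM user, from the console, no tags: Shadow IT
        "eventID": "e2", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/jdoe"},
        "userAgent": "console.ec2.amazonaws.com",
        "requestParameters": {"instanceType": "t3.large"},
    },
    {   # read-only call: ignored
        "eventID": "e3", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/jdoe"},
    },
    {   # approved role, but the Lambda lacks a CostCenter tag
        "eventID": "e4", "eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/PlatformDeployRole/ci-runner"},
        "userAgent": "aws-cli/2.15.0",
        "requestParameters": {"functionName": "nightly-export", "tags": {"Owner": "security"}},
    },
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_RECORDS).items():
        print(event_id, "->", "; ".join(findings))
```

In practice the records would come from CloudTrail delivered to S3 or from EventBridge, and the allow-list from the organization's IaC inventory; the same three checks can also be expressed as AWS Config rules or SCPs so that untagged or out-of-pipeline resources are blocked rather than merely reported.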



Published

2024-12-03

Issue

Section

Cybersecurity & Critical Information Infrastructure Protection (CIIP)