Why are ghost accounts dangerous?

Published: 12/2022
Shadow IT: its explanation, its causes and its consequences. Understanding the problem of accounts not known to the IT department.

Summary

Shadow IT is not another installment in the Star Wars saga, but a discrepancy between the use of SaaS applications in the company and the IT department's knowledge of them.

Cloud-hosted applications are very easy to adopt: there is nothing to install and no infrastructure to provision, only an account to create. Employees who need new software no longer call on the IT department but simply sign up for the application themselves.

The IT department is unaware of the applications used in the various departments.

This has major drawbacks:

  • the IT department is excluded from the decision to adopt an application, which reveals a lack of trust in it
  • security is not ensured: applications are misconfigured, there is no controlled login process, and the data placed in them is not controlled
  • each such application is an entry point into the information system that is unknown to the IT department
  • accounts are not suspended when users leave, since the users do not take the necessary steps and no one else knows the accounts exist

Why oust the IT department?

The two most obvious reasons are a lack of responsiveness and cumbersome procedures.

There is no intention to harm when a ghost account is created, only a desire to move quickly in response to a need felt by the user.

When a request is made, the IT department's response may be slow to arrive, sometimes passing through committees. It is slow, far too slow compared to the employee's need and sense of urgency. So the employee acts alone and feels more responsive.

Then there are the procedures to follow, which the employee may see as obstacles to using the application; for the same reason, they may prefer not to mention it at all.

Unfortunately, these procedures, restrictive as they may be, are essential to the company's security.

SaaS applications often ship with very permissive default roles and access (every new user able to invite others or share data outside the organization, for example); it is up to the IT department to reduce these rights and access following the principle of least privilege.

What are the consequences for the company?

Security breaches then start from these open accounts, which are neither inventoried nor monitored.

As we have seen, this leads to excessively high access privileges, which poses a significant risk if such an account is taken over by a third party during a cyberattack.

Software spending is inevitably poorly controlled: volume negotiations cannot take place, and licence tiers may be exceeded.

Any audit is therefore incomplete, since applications that are not known cannot be inventoried.
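The checks implied above (accounts belonging to people who have left, accounts whose owner is unknown to the directory, dormant accounts, privileged roles left on them, and applications missing from the IT inventory) can be automated by reconciling each SaaS application's user export against the HR roster. The following is an added example, not code from the original article: the HR roster, the application names, the user exports and the list of approved applications are constructed sample data, and the 90-day inactivity threshold is an assumption.

```python
"""Reconcile SaaS user exports against the HR roster to surface ghost accounts.

Added example with constructed data. In practice the exports would come from
each application's admin console (CSV) or its user-listing API, and the roster
from the HR system or the corporate directory.
"""
from dataclasses import dataclass
from datetime import date

# Roles that grant administrative power in the application (assumption).
PRIVILEGED_ROLES = {"admin", "owner"}

# Reference date for the inactivity check (constructed).
TODAY = date(2022, 12, 15)

# Constructed HR roster: email -> employment status.
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "left",  # departed, but never offboarded anywhere
}

# Applications the IT department actually knows about (constructed).
APPROVED_APPS = {"crm.example-saas", "wiki.example-saas"}

# Constructed user exports, one list per application. The third application
# was adopted by a team on its own and is absent from APPROVED_APPS.
SAAS_EXPORTS = {
    "crm.example-saas": [
        {"email": "alice@example.com", "role": "admin", "last_login": "2022-12-10"},
        {"email": "carol@example.com", "role": "admin", "last_login": "2022-05-02"},
    ],
    "wiki.example-saas": [
        {"email": "bob@example.com", "role": "member", "last_login": "2022-12-01"},
        {"email": "dave.contractor@gmail.com", "role": "member", "last_login": "2022-12-14"},
    ],
    "notes.shadow-saas": [
        {"email": "alice@example.com", "role": "owner", "last_login": "2022-12-14"},
        {"email": "carol@example.com", "role": "owner", "last_login": None},
    ],
}


@dataclass
class Finding:
    app: str
    email: str
    reasons: list      # why the account is suspect
    privileged: bool   # True when the role is in PRIVILEGED_ROLES


def find_ghost_accounts(roster, exports, today, stale_days=90):
    """Return one Finding per account that should not exist as-is.

    An account is flagged when its owner is absent from the roster, has left,
    has never logged in, or has not logged in for more than `stale_days`.
    """
    findings = []
    for app, users in exports.items():
        for user in users:
            reasons = []
            status = roster.get(user["email"])
            if status is None:
                reasons.append("owner not in HR roster")
            elif status != "active":
                reasons.append("owner has left the company")

            last_login = user.get("last_login")
            if last_login is None:
                reasons.append("never logged in")
            elif (today - date.fromisoformat(last_login)).days > stale_days:
                reasons.append(f"no login for more than {stale_days} days")

            if reasons:
                privileged = user.get("role") in PRIVILEGED_ROLES
                findings.append(Finding(app, user["email"], reasons, privileged))
    return findings


def find_unknown_apps(exports, approved_apps):
    """Applications that hold user accounts but are missing from IT's inventory."""
    return sorted(set(exports) - set(approved_apps))


if __name__ == "__main__":
    for app in find_unknown_apps(SAAS_EXPORTS, APPROVED_APPS):
        print(f"[shadow app] {app} is not in the approved inventory")
    for f in find_ghost_accounts(HR_ROSTER, SAAS_EXPORTS, TODAY):
        tag = "PRIVILEGED " if f.privileged else ""
        print(f"[{tag}ghost account] {f.app}: {f.email} -> {', '.join(f.reasons)}")
```

Privileged findings deserve to be handled first: a departed administrator's account in an application nobody monitors is exactly the takeover scenario described above, and deactivating it closes the entry point without waiting for the wider inventory clean-up.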
