Unmanageable applications are a class of applications defined by their lack of support for common identity and security standards. While Shadow IT can refer to any application used without IT and security approval, unmanageable applications fall into a gray area: they are often tolerated by IT and security, and are used by departments or individuals with little to no options for security. Applications used by marketing, finance, or any other team that haven't been approved by IT and don't support common identity and security standards fall into the category of unmanageable applications.
The growth and use of unmanageable applications have accelerated with the consumerization of information technology. Employees use unmanageable applications to drive productivity and innovation, but the use of these applications introduces risk to a business through data breaches and possible privacy and compliance violations.
Employee behavior around application choice has permanently shifted in the wake of COVID-19. A new generation of professionals reaching maturity in the era of mobile apps and social media now expects the ability to choose the applications they use to get their work done. In a recent study, 92% of employees and managers said they wanted complete control over their work applications. The majority also said that disallowing an application shows a lack of trust by their employer and would negatively impact how they think about their job.
Today, about 50% of all technology spending occurs outside of IT, trending to 90% by the end of the decade. This shift in the buyer is a significant change that alters the threat model of applications because employees don’t place as high an emphasis on specific identity and security standards as IT and security teams do. This has fragmented and will continue to fragment the application ecosystem further, leading to sustained growth in the use of unmanageable applications.
If an application does not support common identity and security standards, then security and IT teams will not be able to secure it effectively. Security teams have collectively spent billions building their defenses, but unmanageable applications are typically outside their reach.
Unmanageable applications become risky once employees store and process sensitive information on these platforms. With a lack of support for enterprise-grade authentication, like single sign-on, employees often choose weak passwords and rarely enable features like two-factor authentication. According to the US Cybersecurity and Infrastructure Security Agency, enabling two-factor authentication reduces the risk of getting hacked by 99%. Yet IT and security teams cannot enforce this control when it comes to unmanageable applications.
Non-IT teams can unintentionally add significant risk to a business by using unmanageable applications. Real-world risks include:
While unmanageable applications are risky, they are undeniably helpful, or their use wouldn't be growing in the enterprise. Employees looking to be productive are seeking out the best applications to help them get their work done. In the past, they would have been limited to a set of corporate applications provided by IT, but in the wake of the COVID-19 pandemic, employees now default to SaaS applications, which fall into the unmanageable category more often than not. This shift in buying behavior is driving product roadmaps away from security features like single sign-on and further towards the features users are asking for.