=Paper= {{Paper |id=Vol-3800/paper3 |storemode=property |title=Shadow IT risk analysis in public cloud infrastructure |pdfUrl=https://ceur-ws.org/Vol-3800/paper3.pdf |volume=Vol-3800 |authors=Yevhenii Martseniuk,Andrii Partyka,Oleh Harasymchuk,Elena Nyemkova,Mikolaj Karpinski |dblpUrl=https://dblp.org/rec/conf/csdp/MartseniukPHNK24 }} ==Shadow IT risk analysis in public cloud infrastructure== https://ceur-ws.org/Vol-3800/paper3.pdf
Shadow IT risk analysis in public cloud infrastructure

Yevhenii Martseniuk1,*,†, Andrii Partyka1,†, Oleh Harasymchuk1,†, Elena Nyemkova1,† and Mikolaj Karpinski2,†

1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79000 Lviv, Ukraine
2 University of the National Education Commission, 2 Podchorazych str., 30-084 Krakow, Polska



Abstract

Shadow IT, where IT systems and services are used without explicit approval from an organizational IT department, has risen to be an important issue for cloud computing. Its growth stems from the growing capabilities and accessibility of cloud services, which often circumvent pre-established IT policies and governance mechanisms. This paper investigates the complex nature of Shadow IT within public cloud environments, focusing on the risks it poses, its effects, and the strategies to manage it effectively. These risks are varied and significant, with particular concern over data protection and security: unauthorized use of cloud services exposes organizational data to vulnerabilities. Furthermore, cloud environments can face policy shadowing, in which higher-level policies shadow more granular but potentially conflicting policies, leading to unnoticed security gaps. There are also serious legal and compliance risks, through which companies may incur large penalties because of unauthorized cloud service usage. This research explains the various types of Shadow IT, from unauthorized software and hardware to unapproved cloud computing services and unsanctioned development activities. Additionally, the paper details the major Shadow IT risks related to security, compliance, cost, and interoperability problems. It further deals with strategic management for the mitigation of the risks involved in Shadow IT. In particular, it focuses on IT governance models that can balance the increasing need for control against the pressures for more flexibility and swifter innovation. Effective strategies include implementing Cloud Access Security Broker (CASB) solutions, adopting secure information-sharing models in public clouds, and proactively managing cloud usage. Moreover, the paper shows the potential advantages of Shadow IT in terms of innovation and the discovery of real user needs and preferences. By recognizing and exploiting the positive sides of Shadow IT, organizations can turn the challenges into opportunities for growing and improving their IT strategies. Together, these points frame Shadow IT in a way that allows it to be handled with a structured and proactive management strategy, giving a comprehensive approach to maintaining security, compliance, and operational efficiency. The paper underlines the need to change IT management practices in line with the rapid developments in cloud technology and the ever-changing needs of enterprise IT.

Keywords
shadow IT, public clouds, AWS, cyber security risks, compliance, cloud operations, automation, risk analysis, cloud infrastructure



CSDP-2024: Cyber Security and Data Protection, June 30, 2024, Lviv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
yevhenii.v.martseniuk@lpnu.ua (Y. Martseniuk); andrii.i.partyka@lpnu.ua (A. Partyka); garasymchuk@ukr.net (O. Harasymchuk); garasymchuk@ukr.net (E. Nyemkova); garasymchuk@ukr.net (M. Karpinski)
0009-0009-2289-0968 (Y. Martseniuk); 0000-0003-3037-8373 (A. Partyka); 0000-0002-8742-8872 (O. Harasymchuk); 0000-0003-0690-2657 (E. Nyemkova); 0000-0002-8846-332X (M. Karpinski)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

1. Introduction

Shadow IT, defined as the use of information technology systems, solutions, and services without explicit organizational approval, has become an increasingly critical issue with the advent and widespread adoption of cloud computing. Recent studies have extensively examined the multifaceted risks and challenges associated with Shadow IT, particularly within public cloud environments.

For example, Edwards et al. (2019) [1] highlighted that Shadow IT introduces significant security vulnerabilities due to the lack of oversight and proper security measures. Their study illustrated how unauthorized cloud services could lead to severe data breaches and unauthorized access to sensitive information, posing substantial risks to organizational data integrity and security. Similarly, Akello (2021) [2] explored the volitional non-malicious insider threats associated with Shadow IT, especially in the context of Work-From-Home (WFH) arrangements during the COVID-19 pandemic. This research emphasized the heightened risk of data exposure and security breaches due to the uncontrolled use of cloud-based applications by employees working remotely.

Furthermore, Selvam (2022) [3] discussed the efficacy of Cloud Access Security Broker (CASB) solutions in mitigating Shadow IT risks. The study demonstrated how CASBs could help organizations monitor and control cloud traffic, thereby reducing the unauthorized use of SaaS
applications and managing third-party app permissions. This underscores the need for advanced security solutions to address the unique challenges posed by Shadow IT in cloud environments.

Moreover, Khan, Zahoor, Akhtar, and Perrin (2022) [4] examined the challenges of secure information sharing in public clouds, focusing on community-based secure information sharing models. They argued that while these models could facilitate controlled collaboration and data sharing, they also highlighted the inherent risks of Shadow IT, such as the potential for data leaks and policy conflicts between different cloud services.

Finally, a study by Vakhula, Kurii, and Opirskyy (2024) [5] on security challenges in cloud environments emphasized the importance of adopting a Security-As-Code approach. This research indicated that automated security measures and continuous monitoring could significantly mitigate the risks associated with unauthorized cloud services, thereby enhancing overall cloud security and compliance.

This work aims to explore the complex nature of Shadow IT within public cloud environments, focusing on the risks it poses, the impacts it incurs, and the strategies that can be employed for its effective management. By synthesizing recent literature and proposing comprehensive risk mitigation strategies, this study seeks to provide a robust framework for organizations to manage Shadow IT more effectively, ensuring data protection, security, and compliance in cloud computing.

2. The risks and impacts of shadow IT

2.1. Security risks

Shadow IT, by its very nature, introduces significant security challenges for organizations, as it encompasses the use of IT resources that have not been vetted or approved by the official IT department. These rogue applications and devices may be inherently insecure, potentially packed with malware, or present exploitable vulnerabilities that attackers can leverage to gain unauthorized access. The lack of formal oversight means such devices and software are seldom updated or patched promptly, if at all, leaving them perpetually vulnerable to emerging threats. Furthermore, the improper configuration of shadow IT resources can inadvertently open up additional security loopholes. The ad hoc management of sensitive data within the shadow IT ecosystem also raises serious concerns, as it may not be backed up or stored with the necessary security measures, increasing the risk of data loss or exposure. Lastly, the unchecked use of shadow IT can lead to unmonitored access to critical and confidential company information, significantly elevating the risk profile for data breaches and information theft.




Figure 1: Applications from Shadow IT perspective
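Section 2.1 names the conditions that make an unsanctioned cloud resource risky: nobody vetted it, nobody patches it, it is misconfigured, and it may be reachable from outside. The following script is an added example, not code from the paper or from any cloud provider, that turns those conditions into checks over a cloud inventory export of the kind a Security-As-Code pipeline would run on a schedule. The record layout, the sanctioned account and region lists, the `Owner`/`ApprovedBy` tag names, the 30-day patch window and the severity weights are all constructed assumptions.

```python
"""Shadow IT resource check over a cloud inventory export (added example).

The records, the sanctioned account/region lists, the tag names and the
patch SLA are constructed assumptions; no real account ids or cloud API
calls are involved.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed allowlists: accounts and regions the IT department operates.
SANCTIONED_ACCOUNTS = {"111111111111", "222222222222"}
SANCTIONED_REGIONS = {"eu-central-1", "eu-west-1"}
REQUIRED_TAGS = ("Owner", "ApprovedBy")   # assumed tagging policy
PATCH_SLA_DAYS = 30                        # assumed patching window
SEVERITY_WEIGHT = {"high": 5, "medium": 2}


@dataclass
class Resource:
    arn: str
    account: str
    region: str
    rtype: str
    tags: Dict[str, str]
    public: bool = False                  # reachable from the internet?
    last_patched: Optional[date] = None   # None: no patch record at all


@dataclass
class Finding:
    arn: str
    rule: str
    severity: str


def check_resource(r: Resource, today: date) -> List[Finding]:
    """Apply the section 2.1 failure modes to one resource."""
    findings: List[Finding] = []
    if r.account not in SANCTIONED_ACCOUNTS:
        findings.append(Finding(r.arn, "unsanctioned-account", "high"))
    if r.region not in SANCTIONED_REGIONS:
        findings.append(Finding(r.arn, "unsanctioned-region", "medium"))
    if any(t not in r.tags for t in REQUIRED_TAGS):
        findings.append(Finding(r.arn, "missing-ownership-tags", "medium"))
    if r.public:
        findings.append(Finding(r.arn, "public-exposure", "high"))
    if r.last_patched is None:
        findings.append(Finding(r.arn, "no-patch-record", "medium"))
    elif (today - r.last_patched).days > PATCH_SLA_DAYS:
        findings.append(Finding(r.arn, "patch-sla-exceeded", "medium"))
    return findings


def risk_score(findings: List[Finding]) -> int:
    """Weighted sum used to order the remediation queue."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def scan(inventory: List[Resource], today: date) -> Dict[str, List[Finding]]:
    """Findings keyed by ARN; resources with no findings are omitted."""
    report: Dict[str, List[Finding]] = {}
    for r in inventory:
        found = check_resource(r, today)
        if found:
            report[r.arn] = found
    return report


def summarize(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings per rule, for a dashboard or a ticket summary."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


TODAY = date(2024, 6, 30)   # fixed reference date so the run is reproducible
SAMPLE = [                  # constructed inventory, not real resources
    Resource("arn:example:s3:::finance-reports", "111111111111", "eu-central-1",
             "bucket", {"Owner": "finance", "ApprovedBy": "it-gov"},
             last_patched=date(2024, 6, 20)),
    Resource("arn:example:ec2:i-marketing-demo", "111111111111", "us-east-1",
             "instance", {"Owner": "marketing"}, public=True),
    Resource("arn:example:rds:sales-crm", "333333333333", "eu-west-1",
             "database", {}, last_patched=date(2024, 4, 1)),
]

if __name__ == "__main__":
    report = scan(SAMPLE, TODAY)
    for arn, findings in sorted(report.items(), key=lambda kv: -risk_score(kv[1])):
        print(f"{arn}: score={risk_score(findings)} "
              + ", ".join(f"{f.rule}({f.severity})" for f in findings))
    print("totals:", summarize(report))
```

Running it lists the two constructed shadow resources ordered by score and a per-rule total; the finance bucket, which has an owner, an approver, a sanctioned location and a recent patch, produces nothing. In practice the inventory would come from the provider's configuration service and the allowlists from the governance team, but the rule set stays this small: the point is that the section 2.1 risks are checkable facts about a resource, not judgements.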

Data Protection and Security Risks. The unauthorized adoption of cloud services, a hallmark of Shadow IT, significantly jeopardizes data protection and security. In the realm of cloud computing, where data is often stored off-premises, the lack of oversight on these services can lead to breaches and unauthorized access [6], highlighting how the allure of convenient cloud solutions tempts users to sidestep established IT protocols, thus exposing sensitive data to potential cyber threats. For instance, a multinational corporation recently faced a severe data breach when confidential customer information was leaked through an unapproved cloud storage service. This incident underscores the tangible risks of Shadow IT in compromising data integrity and security.

Policy Shadowing in Cloud Authorization. Another critical risk associated with Shadow IT in cloud environments is policy shadowing. As detailed by Šedivcová and Potančok [7], higher-level cloud
policies may inadvertently obscure or conflict with lower-level security policies, leading to overlooked vulnerabilities. An example of this can be seen in organizations where overarching cloud access policies do not account for the granular permissions required by different user groups, thereby creating security loopholes that can be exploited.

2.2. Compliance risks

The presence of shadow IT in organizations, particularly those operating within tightly regulated fields, poses a significant risk from a compliance standpoint. Auditors tasked with ensuring that organizations adhere to specific regulatory standards may respond unfavorably upon identifying the use of unauthorized IT resources. This adverse reaction is due to the potential for such resources to circumvent established data protection and security protocols, thereby violating compliance requirements.

The financial repercussions for organizations can be severe, with hefty fines imposed as a penalty for the lack of adequate data controls. These fines serve as a tangible reflection of the compliance risks associated with shadow IT, underscoring the necessity for organizations to establish robust governance frameworks to mitigate the risks associated with unauthorized IT assets and ensure regulatory compliance.

Legal Ramifications of Unauthorized Cloud Service Usage. The use of unapproved cloud services in Shadow IT scenarios can lead to serious legal consequences for organizations. As Walterbusch, Fietz, and Teuteberg [8] discuss, many employees engaging in Shadow IT activities are often unaware of the legal implications of using unauthorized cloud services. These can range from breaches of data privacy laws to violations of regulatory compliance standards. For instance, a healthcare provider might unknowingly violate the Health Insurance Portability and Accountability Act (HIPAA) if sensitive patient data is stored or transmitted via an unauthorized cloud service. Such violations can result in substantial fines and damage to the organization's reputation.

Compliance Risks in Shadow IT. Compliance risks in Shadow IT are predominantly related to the failure to meet industry-specific regulations and standards. In sectors like finance or healthcare, where data security and privacy are paramount, the uncontrolled use of cloud services can lead to non-compliance with standards like Sarbanes-Oxley or GDPR. This non-compliance is not merely about facing penalties but also concerns the broader aspect of trust and reliability in the eyes of customers and stakeholders. A notable example includes a financial institution that faced regulatory scrutiny and hefty fines due to its failure to monitor and control Shadow IT practices, leading to non-compliance with financial reporting standards.

Impact on IT Governance: Erosion of Traditional IT Governance Structures. Shadow IT represents a significant challenge to traditional IT governance structures. In an environment where decisions about IT resources and services are increasingly made outside the purview of the IT department, the centralized control and strategic planning of IT resources are undermined. This decentralization not only disrupts the established IT governance framework but also leads to inconsistencies in IT standards and policies across the organization. For instance, different departments might adopt varying cloud services for similar tasks, leading to inefficiencies and difficulties in data integration and management.

Balancing Flexibility and Control. The rise of Shadow IT also highlights the need for IT governance models to evolve, balancing the need for control with the demand for flexibility and rapid innovation. Traditional governance models, often seen as rigid and slow to respond to new technology trends, can drive employees towards Shadow IT as a means to circumvent these limitations. Therefore, IT governance must adapt to provide guidelines that accommodate the rapid adoption of new technologies while maintaining control over security and compliance standards. For example, some organizations are now implementing hybrid governance models that allow for the controlled use of certain cloud services, providing the flexibility that employees need while maintaining oversight [9].

IT Governance as a Strategic Partner. To effectively manage Shadow IT, IT governance needs to transition from being a gatekeeper to a strategic partner. This involves understanding the business needs that drive employees towards Shadow IT and providing solutions that meet these needs within the governance framework. By adopting a more collaborative approach, IT departments can better align their strategies with business objectives, ensuring that technology adoption is both effective and secure. Successful cases have shown that when IT governance is closely integrated with business strategy, it can lead to innovative solutions that enhance productivity without compromising security and compliance.

2.3. Cost risks

The allure of public cloud platforms lies in their ease of access, scalability, and the perception of cost-effectiveness. However, when employees or departments bypass official channels to leverage these services without proper oversight, the organization faces multifaceted financial risks.

Economic Redundancy in Public Cloud Usage. The use of unauthorized public cloud services for functionalities already provided by sanctioned organizational resources epitomizes economic redundancy. Organizations find themselves paying for duplicate services, as official and shadow public cloud instances run in parallel to fulfill the same operational needs. This redundancy not only inflates IT expenditures unnecessarily but also complicates data management and integration processes, leading to inefficiencies that further strain organizational resources.

Hidden Costs and Security Implications. Even free or seemingly low-cost public cloud applications can entail significant hidden costs. Unauthorized use of public cloud services elevates the risk of data breaches, as these platforms might not conform to the organization's security and compliance standards. The consequences of such breaches include not just the direct costs of incident response and data recovery but also longer-term financial liabilities stemming from regulatory fines, legal actions, and reputational damage. The indirect costs associated with the loss of customer trust and potential business disruptions can far exceed any perceived savings from using unsanctioned cloud services.

Duplicative Spending and Operational Risks. Choosing unauthorized public cloud solutions over approved organizational options leads to duplicative spending on cloud services. This practice not only represents an unnecessary financial outlay but also introduces operational risks. The lack of coordination between shadow and sanctioned IT resources can result in data silos, inconsistent data management practices, and inefficiencies in resource utilization. Additionally, the unmonitored use of public cloud services can lead to compliance gaps, exposing the organization to regulatory scrutiny and to the penalties and expenses arising from those risks, illustrating the financial pitfalls of shadow IT beyond mere duplication of costs [10].

2.4. Interoperability

Interoperability Challenges in Public Cloud Infrastructure: Bridging Shadow IT and Official IT Department Activities. The emergence of shadow IT within an organization, particularly when it involves public cloud services, significantly complicates interoperability between different departments and the official IT department. This complexity arises due to the adoption of various programs and cloud services without a coordinated strategy, leading to a fragmented IT landscape that hampers data cohesion and operational efficiency.

Data Harmonization Challenges. The use of disparate software solutions across departments necessitates additional processes to ensure data harmonization. This involves converting and formatting data into a universally recognized format that can be seamlessly integrated and utilized across the organization. Such efforts require not only technical resources but also time and financial investment, often necessitating the use of specialized data integration tools or platforms.

Cloud Service Fragmentation and Associated Costs. When departments independently select different public cloud services, the organization faces a multi-cloud environment where data resides in siloed ecosystems. Each cloud provider may have its own set of protocols, standards, and services, complicating data interoperability. Moreover, transferring data between these services can incur additional fees, especially if large volumes of data are involved or if frequent data sharing across platforms is necessary. Cloud service providers often charge for egress or API calls, which can accumulate significant costs unbeknownst to the central IT department.

2.5. The silver lining of shadow IT

Embracing Innovation and User-Driven Solutions. Shadow IT is often viewed through a lens of caution due to the potential risks it poses to data security, compliance, and financial management. However, this perspective overlooks the valuable insights and innovative potential that shadow IT activities can bring to an organization. Recognizing and harnessing the positive aspects of shadow IT can transform perceived challenges into opportunities for growth and improvement in IT strategies.

Insight into User Needs and Preferences. One of the most significant benefits of shadow IT is its ability to reveal the genuine needs and preferences of users within an organization. When employees turn to unauthorized tools and services, it often indicates that existing IT solutions do not fully meet their requirements or that there are gaps in the available technology offerings. This direct feedback from the user base provides the IT department with critical insights into where improvements are needed, allowing for more user-centric IT planning and development.

Key Advantage 1: Shadow IT acts as a grassroots feedback mechanism, highlighting the specific needs and workflow preferences of different departments. By analyzing the types of solutions employees seek out on their own, the IT department can better understand the evolving technology needs of the organization and adapt its strategy accordingly.

Collective Problem-Solving and Innovation. Shadow IT represents collective problem-solving in action. Employees engaging in shadow IT are not just bypassing official channels but are actively seeking solutions to their challenges. This proactive approach to problem-solving can lead to the discovery of innovative tools and workflows that the IT department may not have considered. Many successful IT programs and tools used today originated from such grassroots initiatives and were later formally adopted and integrated into the organization's official IT infrastructure.

Key Advantage 2: Embracing shadow IT as a form of collective innovation encourages a culture of creativity and problem-solving within the organization. It acknowledges the valuable contributions employees can make to the IT landscape and leverages their firsthand experience to improve and innovate IT services and solutions [11].

2.6. Strategic approaches to leveraging shadow IT

Formalize a Process for Innovation Submission: Create channels through which employees can propose the tools and solutions they have found useful, allowing the IT department to evaluate and potentially adopt these innovations officially.

Conduct Regular Needs Assessments: Engage with users across the organization to understand their technology needs and frustrations, aiming to reduce the necessity of seeking shadow IT solutions.

Foster a Collaborative IT Culture: Develop an IT department ethos that is seen as approachable and responsive to user needs, encouraging open dialogue about new tools and technologies.

By shifting the narrative around shadow IT from a risk to be mitigated to an opportunity for user-driven innovation, organizations can harness the creativity and ingenuity of their workforce to enhance their IT strategies and solutions.

In conclusion, the pervasive use of Shadow IT within organizations represents a considerable threat to data security, compliance, and overall IT governance. The unauthorized adoption of cloud services, policy shadowing, and inadequate oversight collectively contribute to a heightened risk environment. Traditional IT governance structures must evolve to address the complexities introduced by Shadow IT. As organizations increasingly rely on cloud computing, the need for robust strategies to mitigate these risks becomes imperative.

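The introduction credits CASB tooling with discovering SaaS use from network traffic, and sections 2.3 and 2.4 describe what that use costs when two departments pay for the same kind of service and when egress goes untracked. The script below is an added example, not the paper's code or any CASB product, showing the discovery step over constructed outbound proxy log lines: it attributes bytes sent to applications through a constructed catalogue, reports unsanctioned applications per department, flags categories served by more than one application (the economic redundancy of section 2.3), and lists hosts the catalogue does not recognise so that the IT department can triage them. The log layout, the `.example` hostnames (a reserved domain), the departments and the catalogue are all assumptions.

```python
"""Discover unsanctioned SaaS use from outbound proxy logs (added example).

Log format, hostnames, departments, the application catalogue and the
byte counts are all constructed; the `.example` domains resolve nowhere.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed catalogue: host -> (application, category, sanctioned by IT?)
CATALOGUE: Dict[str, Tuple[str, str, bool]] = {
    "drive.corp-files.example": ("CorpDrive", "file-sharing", True),
    "files.sharebox.example":   ("ShareBox",  "file-sharing", False),
    "api.notesapp.example":     ("NotesApp",  "notes",        False),
    "chat.corp-msg.example":    ("CorpChat",  "messaging",    True),
}

# Assumed proxy line layout; a real proxy's format differs, adjust the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample: one sanctioned and two unsanctioned apps, an unknown
# host, and a malformed line that the parser must skip.
SAMPLE_LOG = """\
2024-06-30T09:12:01Z user=alice dept=marketing host=drive.corp-files.example bytes_out=1000
2024-06-30T09:15:44Z user=alice dept=marketing host=files.sharebox.example bytes_out=50000000
2024-06-30T10:02:10Z user=bob dept=marketing host=files.sharebox.example bytes_out=2000000
2024-06-30T10:30:00Z user=carol dept=finance host=api.notesapp.example bytes_out=4096
2024-06-30T11:00:00Z user=dave dept=finance host=chat.corp-msg.example bytes_out=512
2024-06-30T11:45:30Z user=erin dept=sales host=unknown-tool.example bytes_out=8192
this line is malformed and must be skipped
"""


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        yield rec


def discover(lines: Iterable[str]):
    """Return (unsanctioned bytes per dept and app, redundant categories, unknown hosts)."""
    unsanctioned: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    apps_by_category: Dict[str, set] = defaultdict(set)
    unknown_hosts: Dict[str, int] = defaultdict(int)
    for rec in parse(lines):
        entry = CATALOGUE.get(rec["host"])
        if entry is None:
            # Not in the catalogue: candidate shadow service, keep the volume for triage.
            unknown_hosts[rec["host"]] += rec["bytes"]
            continue
        app, category, sanctioned = entry
        apps_by_category[category].add(app)
        if not sanctioned:
            unsanctioned[rec["dept"]][app] += rec["bytes"]
    # A category with more than one application in use is paid for twice.
    redundant: Dict[str, List[str]] = {
        c: sorted(a) for c, a in apps_by_category.items() if len(a) > 1
    }
    return (
        {d: dict(a) for d, a in unsanctioned.items()},
        redundant,
        dict(unknown_hosts),
    )


if __name__ == "__main__":
    by_dept, redundant, unknown = discover(SAMPLE_LOG.splitlines())
    for dept, apps in by_dept.items():
        for app, nbytes in apps.items():
            print(f"{dept}: {app} unsanctioned, {nbytes} bytes out")
    for category, apps in redundant.items():
        print(f"redundant {category}: {', '.join(apps)}")
    for host, nbytes in unknown.items():
        print(f"unknown host {host}: {nbytes} bytes out")
```

On the sample this reports ShareBox for marketing and NotesApp for finance, marks file-sharing as served by both CorpDrive and ShareBox, and surfaces the unknown host. The byte totals are the hook for the section 2.4 cost argument: the same per-application volumes, multiplied by the provider's egress price, give the central IT department the figure it otherwise never sees.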
3. Risk mitigation strategies and reducing shadow IT

Understanding the scope and impact of shadow IT within an organization, particularly in the context of public cloud environments, is crucial for developing effective management strategies. The ease of access and widespread adoption of public cloud services has significantly increased the prevalence of shadow IT, as departments and individuals can readily procure cloud services without IT department approval. Both technology solutions and proactive engagement are essential in gaining insight into these unauthorized IT activities. By focusing on public cloud environments, organizations can tailor their management strategies to the particular challenges and risks of unauthorized cloud service use, ensuring a comprehensive approach to maintaining security, compliance, and operational efficiency.

3.1. Automated approach for risk mitigation strategy

In addressing the risks associated with shadow IT, especially within public cloud environments, it is crucial to identify and prioritize the key risk areas. By focusing on these domains, organizations can develop a more effective strategy for mitigating the threats shadow IT poses. The main mitigation measures are the following:

Implementing Cloud Access Security Broker (CASB) Solutions. One of the primary strategies for mitigating the risks of Shadow IT is the adoption of Cloud Access Security Broker (CASB) solutions. A CASB is a security policy enforcement point placed between cloud service consumers and cloud service providers, which combines and interjects enterprise security policies as cloud-based resources are accessed. CASBs provide visibility into unauthorized cloud applications, helping organizations to control and monitor cloud traffic. Selvam [12] emphasizes the effectiveness of CASBs in addressing unauthorized SaaS applications and managing third-party app permissions, thereby reducing the risks posed by Shadow IT. Note that a CASB deployed as a forward proxy only observes the traffic that actually passes through it; unmanaged devices and off-network users remain a blind spot unless firewall or DNS log collection, or API-mode integration with the sanctioned services, supplements it.

Developing Secure Information Sharing Models in Public Clouds. The creation of secure information-sharing models within public clouds is another crucial strategy. As noted by Pandita, U., Katy, H., Kalpana, & Sonawane, D. [13], these models are essential for mitigating the risks associated with Shadow IT in public clouds. By enabling secure and controlled collaboration, these models ensure that, even when employees use cloud services outside the formal IT infrastructure, the data remains protected. This approach balances the flexibility of cloud services with the security requirements of the organization.

Active Management and Control of Cloud Usage. Proactively managing and controlling cloud usage within an organization is key to preventing the spread of Shadow IT. This involves not just the implementation of technological solutions but also the fostering of a culture where employees understand the risks associated with unauthorized cloud services. [14] suggests that IT departments should work closely with other departments to identify and approve cloud services that meet both the business and security needs of the organization. This collaborative approach can significantly reduce the proliferation of Shadow IT and ensure that cloud services are used safely and effectively [15].

3.2. Optimizing IT operations for strategic business alignment

In the dynamic landscape of organizational technology management, the balance between meeting user demands and adhering to security, compliance, and budget constraints presents a significant challenge. Addressing this challenge requires not just managing IT resources but transforming the IT department into a strategic partner that is closely aligned with the business's needs and goals.

Streamlining IT Processes. Efficiency in IT operations is crucial for meeting the fast-paced demands of today's business environment. Streamlining IT processes involves critically evaluating existing procedures to identify bottlenecks and redundancies. This process includes:

   •  Automation: Implementing automation for routine tasks, such as software updates, user account management, and data backups, can significantly reduce the time and resources required for these activities, allowing IT staff to focus on more strategic initiatives.
   •  Simplifying Approval Processes: Revising approval workflows to eliminate unnecessary steps without compromising security or compliance can expedite the provisioning of IT resources and services, thereby enhancing user satisfaction and reducing the temptation to seek shadow IT solutions.
   •  Frequent Review and Adaptation: Continuously monitoring and adapting IT processes to address evolving business needs ensures that the IT department remains agile and responsive [16].

Becoming a Business Partner. Transitioning from a traditional service-oriented role to that of a strategic business partner involves a proactive approach to understanding and addressing the technology needs of the organization:

   •  Engagement and Communication: Regularly engaging with users and stakeholders to discuss their challenges and requirements helps build trust and ensures that IT solutions are closely aligned with business objectives.
   •  Education and Awareness: Actively educating users about available IT resources and solutions can demystify technology and empower users to leverage official channels for their IT needs. This includes workshops, newsletters, and one-on-one consultations to discuss potential IT solutions.
   •  Collaborative Solution Development: Involving users in evaluating and selecting new technologies fosters a sense of ownership and partnership. Collaborative decision-making ensures that IT investments are directly linked to enhancing productivity and achieving business goals.


   •  Policy Development: Employees need to be made aware of the potential security threats and legal implications of using unauthorized cloud services. Alongside education, organizations should develop IT policies that clearly define acceptable and unacceptable uses of cloud services, thus providing a framework that guides employee behavior in a secure and compliant manner [17].

Impact of an IT-Business Partnership. When the IT department operates as an integrated business partner, it achieves a deeper understanding of the organization's needs and is better positioned to develop solutions that are both effective and strategically aligned. This partnership:

   •  Reduces the prevalence of shadow IT by providing timely and relevant solutions that meet users' needs.
   •  Enhances organizational agility by enabling quicker adaptation to market changes and technology advancements.
   •  Improves risk management by ensuring that security and compliance are integral to all IT solutions and practices [18].

Transforming IT into a strategic business partner is a journey that requires commitment, communication, and continuous improvement. By focusing on streamlining processes and fostering a collaborative relationship with the rest of the business, IT can significantly contribute to the organization's success and innovation capacity.

As organizations continue to confront the complexities of Shadow IT, the implementation of automated solutions becomes increasingly vital. Automation can provide the necessary tools to manage and monitor cloud environments more efficiently, reducing manual oversight and minimizing human error.

4. Automation approach for public cloud provisioning which helps exclude shadow IT

The adoption of an automation approach for public cloud provisioning plays a pivotal role in mitigating the risks associated with Shadow IT, primarily by streamlining the deployment of cloud resources and ensuring compliance with organizational policies. Automating the provisioning process [19] can significantly enhance efficiency, security, and governance across public cloud environments, directly addressing the factors that often lead to the emergence of Shadow IT. The following key aspects illustrate the importance of automation in this context.

4.1. Enhancing cloud security and efficiency with self-service automated configuration scanning

Automated configuration scanning is a pivotal strategy for maintaining cloud security and operational efficiency, leveraging a self-service model. This approach utilizes a central orchestrator, specifically the Rundeck platform, complemented by a toolkit including Ansible for IT automation and Python for scripting [20]. These tools are integral to a continuous integration development process, characterized by rigorous code control and testing. The orchestrator and its scenario scripts are designed to avoid storing any cloud environment data directly, instead relying on REST API communications with Rundeck for job execution and status updates. This architecture is pivotal for scalability, system availability, and enhanced security [21].

To bolster the security of the orchestrator, particularly in the context of cloud environment assessments, integration with HashiCorp Vault is recommended for secure storage of the credentials and other secrets the scans need, so that scenario scripts obtain cloud access keys at run time rather than carrying them in job definitions or scripts.

The core of configuration scanning lies in its ability to identify discrepancies within cloud configurations by analyzing environment logs (audit logs, flow logs). This analysis is checked against established cybersecurity standards such as NIST 800-53, HIPAA, PCI-DSS, SOC, and ISO, ensuring that configurations adhere to these security baselines [22]. The implementation of continuous integration, fed by audit and flow logs from the cloud environments into platforms such as Prisma Cloud, ensures ongoing monitoring and compliance. This setup offers an up-to-date overview of the cloud infrastructure, enabling swift identification and correction of deviations from security standards or operational benchmarks. The adoption of continuous integration not only bolsters security measures but also enhances the reliability and efficiency of operations [23].

Advanced analytics play a crucial role in interpreting log data, shedding light on usage trends and potential security vulnerabilities. This proactive stance towards security is further enriched by the application of machine learning algorithms, which predict possible issues based on historical data, allowing for anticipatory risk mitigation strategies.

Operational flexibility and adaptability are also central to this system's design. The modular nature of the scenario architecture affords quick adaptability and customization, catering to the dynamic needs of businesses and evolving technological landscapes. The choice of Ansible and Python for automation and scripting gives the system extensive community support and regular updates [24].

In essence, this self-service automated configuration scanning model achieves continuous control over cloud configurations, external security perimeters, costs, and compliance with security standards, underscoring a commitment to security, operational efficiency, and adaptability (Fig. 2).

4.2. Financial advantages of implementing automated configuration scanning

Operational Efficiency and Cost Savings: The transition to automated configuration scanning significantly lowers operational expenses. By streamlining routine checks and maintenance through automation, the need for manual oversight is drastically reduced. This efficiency not only cuts down on the labor and time involved but also redirects staff efforts towards higher-value activities, resulting in direct financial benefits [25].
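The scanning step of Section 4.1 reduces to a rule set evaluated against the current cloud state, with each rule mapped to a control in the reference standard and the pass rate reported as the compliance level that Section 5 tracks (67% rising to 82%). The block below is an added illustration written for this page, not code from the paper's Rundeck/Ansible toolchain: it evaluates a constructed inventory snapshot (rather than the audit and flow logs the text names) against six assumed rules, each tagged with an assumed NIST SP 800-53 control identifier and a critical/high/medium/low priority, then reports findings by priority, the compliance level, and a provisioning gate that stays closed while critical or high findings remain. The resource names, the inventory shape, the rule-to-control mapping and the gate policy are all illustrative assumptions.

```python
"""Added example (not the paper's tooling): rule-based configuration scan of a
cloud inventory snapshot, reporting findings by priority and a compliance level.
The inventory shape, rule set and NIST SP 800-53 control mapping are assumptions."""
from collections import Counter
from dataclasses import dataclass
import ipaddress
import json
from typing import Optional

# Constructed inventory snapshot: provider-neutral, not any cloud API's format.
SAMPLE_INVENTORY = json.loads("""
[
  {"id": "sg-web", "type": "security_group",
   "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
  {"id": "sg-admin", "type": "security_group",
   "ingress": [{"port": 3389, "cidr": "203.0.113.0/24"}, {"port": 22, "cidr": "::/0"}]},
  {"id": "bucket-logs", "type": "object_store", "public": false, "encrypted": true},
  {"id": "bucket-share", "type": "object_store", "public": true, "encrypted": false},
  {"id": "acct-prod", "type": "account",
   "audit_logging": true, "flow_logs": true, "root_mfa": true},
  {"id": "acct-sandbox", "type": "account",
   "audit_logging": false, "flow_logs": false, "root_mfa": false}
]
""")

@dataclass(frozen=True)
class Finding:
    resource: str
    control: str   # NIST SP 800-53 control the rule is mapped to (assumed mapping)
    severity: str  # critical | high | medium | low, the paper's alert priorities
    message: str

ADMIN_PORTS = {22, 3389}

def world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (prefix length 0). An unparsable CIDR is
    treated as open: fail closed rather than silently pass a malformed rule."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True

def admin_ports_open_to_world(res: dict) -> Optional[str]:
    hits = sorted({r["port"] for r in res["ingress"]
                   if r["port"] in ADMIN_PORTS and world_open(r["cidr"])})
    return f"admin port(s) {hits} reachable from any address" if hits else None

def bucket_public(res: dict) -> Optional[str]:
    return "object store is publicly accessible" if res.get("public") else None

def bucket_unencrypted(res: dict) -> Optional[str]:
    return "no encryption at rest" if not res.get("encrypted") else None

def audit_logging_off(res: dict) -> Optional[str]:
    return "audit logging disabled" if not res.get("audit_logging") else None

def flow_logs_off(res: dict) -> Optional[str]:
    return "network flow logs disabled" if not res.get("flow_logs") else None

def root_mfa_off(res: dict) -> Optional[str]:
    return "root/owner identity without MFA" if not res.get("root_mfa") else None

# (resource type, assumed 800-53 control, priority, check returning a message on failure)
RULES = [
    ("security_group", "SC-7",  "critical", admin_ports_open_to_world),
    ("object_store",   "AC-3",  "high",     bucket_public),
    ("object_store",   "SC-28", "medium",   bucket_unencrypted),
    ("account",        "AU-12", "high",     audit_logging_off),
    ("account",        "SI-4",  "medium",   flow_logs_off),
    ("account",        "IA-2",  "high",     root_mfa_off),
]

def scan(inventory: list) -> tuple:
    """Evaluate every applicable rule against every resource.
    Returns (findings, number of checks evaluated)."""
    findings, evaluated = [], 0
    for res in inventory:
        for rtype, control, severity, check in RULES:
            if res.get("type") != rtype:
                continue
            evaluated += 1
            message = check(res)
            if message:
                findings.append(Finding(res["id"], control, severity, message))
    return findings, evaluated

def compliance_level(findings: list, evaluated: int) -> float:
    """Share of checks that passed, in percent: the 'compliance level' of Section 5."""
    return 100.0 * (evaluated - len(findings)) / evaluated if evaluated else 100.0

def severity_counts(findings: list) -> dict:
    """Findings per priority, the breakdown shown in Fig. 4."""
    return dict(Counter(f.severity for f in findings))

def release_gate(findings: list) -> bool:
    """Assumed policy: provisioning proceeds only with zero critical and high findings."""
    return not any(f.severity in ("critical", "high") for f in findings)

if __name__ == "__main__":
    found, checks = scan(SAMPLE_INVENTORY)
    for f in found:
        print(f"[{f.severity:8}] {f.resource:13} {f.control:6} {f.message}")
    print(f"compliance level: {compliance_level(found, checks):.1f}% "
          f"({checks - len(found)}/{checks} checks passed); by priority: {severity_counts(found)}")
    print("provisioning gate:", "open" if release_gate(found) else "blocked")
```

On the constructed snapshot the scan reports two critical findings (SSH reachable from 0.0.0.0/0 and from ::/0; the IPv6 any-address range is easy to miss if a checker only looks for the IPv4 string), three high and two medium, a compliance level of 41.7%, and a closed gate. Each function returns its result rather than only printing it, so the same module can be invoked from a Rundeck job step and its output fed to a dashboard or a trend chart of the kind in Fig. 3.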


Figure 2: Automation cloud provisioning process

Mitigation of Security-Related Financial Risks: Early identification of vulnerabilities through automated scanning is crucial in averting security breaches, which can be financially draining and damaging to reputation. By proactively addressing these vulnerabilities, organizations can sidestep the extensive costs associated with data breaches, making automated scanning a wise investment for safeguarding assets.

Cloud Resource Optimization: Automated scanning provides insights into the usage of cloud resources, pinpointing areas of waste or underutilization. Adjusting these resources accordingly can lead to considerable savings on cloud spending, while also boosting the efficiency and performance of cloud-based operations [26].

Avoidance of Compliance-Related Fines: Keeping up with compliance requirements is essential to avoid financial penalties and legal issues. Automated configuration scanning facilitates ongoing adherence to regulatory standards, helping organizations avoid the financial pitfalls of non-compliance and reinforcing their standing in regulated sectors.

Enhancement of System Reliability: Proper configuration management through automated scanning contributes to the reliability and uptime of systems. The cost implications of downtime (lost revenue and recovery efforts) are significant, making the stability ensured by regular scanning a valuable asset in maintaining continuous business operations [27].

Strategic Organizational Growth: Beyond immediate financial gains, automated configuration scanning aligns with broader strategic objectives, nurturing an organizational ethos of efficiency, security, and regulatory compliance. While these advantages may not be immediately quantifiable, they play a critical role in sustaining the long-term vitality and competitive edge of the business.

The financial analysis of automated configuration scanning underscores its substantial value proposition. The initial investment in automation technology is quickly offset by savings in operational expenditures, enhanced security measures, efficient resource management, reduced compliance costs, improved system uptime, and strategic organizational benefits. This analysis highlights automated configuration scanning as an indispensable tool in contemporary cloud management frameworks.

4.3. Engagement and communication

Automated Feedback and Communication Systems: Utilizing automation for regular feedback collection, such as through automated surveys and quick polls, facilitates constant dialogue between IT and users. Automated ticketing systems for IT requests can update users on the status of their queries or problems in real time, improving transparency and trust.

Automated Reporting: Dashboards and automated reports on service usage, incident resolutions, and project statuses can be shared with stakeholders, keeping everyone informed and aligned with organizational goals and IT capabilities [28].

4.4. Education and awareness

E-Learning Platforms: Automated deployment of e-learning modules tailored to different roles within the organization helps in systematically educating employees about the safe and effective use of IT resources, including cloud services. These platforms can track progress and adapt learning paths based on user performance and feedback.

Automated Notifications: Regular, automated communications such as newsletters, security alerts, updates on new tools, and best practices help keep all users informed and aware of the resources available to them and the importance of following security and compliance guidelines [29].


4.5. Collaborative solution development

Self-Service Portals: Automation can power self-service portals where users can request new tools, access trial software, and provide feedback on their needs and experiences. Such platforms can aggregate user requests and feedback, facilitating data-driven decision-making in technology selection and implementation.

Automated Prototyping Tools: For development teams, automated environments for testing and prototyping new solutions can accelerate the innovation process. These tools allow for the quick setup and teardown of test environments, encouraging experimentation and iterative development with direct user involvement [30].

4.6. Policy development

Automated Policy Enforcement: Automation tools can monitor the IT environment to ensure compliance with established policies, automatically flagging or restricting the use of unauthorized services. This includes the deployment of security configurations and compliance standards across cloud services.

Dynamic Policy Updates: As policies evolve, automated systems can update users on changes and ensure that all employees complete acknowledgment or training sessions related to new policies. This ensures that policy awareness is consistent and up-to-date [31].

By leveraging automation in these critical areas, organizations can foster a more engaged, informed, and collaborative culture regarding IT resource use. This not only reduces the reliance on Shadow IT by making authorized channels more accessible and responsive to user needs but also strengthens compliance and security postures. Automating engagement, education, solution development, and policy management processes thus becomes a cornerstone strategy in aligning IT practices with business objectives and user requirements [32].

5. Analysis of results after implementation of the proposed approach

This case study showcases a strategic and structured approach to managing a multi-cloud infrastructure (AWS, Azure, and GCP) that began in late 2020 and continued through 2023. The following is an overarching summary of the project's progression, achievements, and significant milestones:

End of 2020: The infrastructure comprised 230 known accounts, setting the baseline for the forthcoming enhancements.

2021 Timeline and Strategic Initiatives:
   1.  Audit and Monitoring: Initiation of active audit processes and implementation of monitoring systems on all discovered accounts to ensure full visibility and control.
   2.  Compliance Enhancement: Rigorous correction of compliance issues according to NIST 800-53 rev. 4, raising the security and regulatory standards across the board (Fig. 3).
   3.  Discovery and Management: Identification of over 120 previously unknown cloud accounts, integrating them into the organization's formal management system.
   4.  Account Optimization: Closure of more than 30 obsolete accounts, streamlining operations and eliminating unnecessary security risks.

2022–2023: Expansion and Stabilization:
   1.  Growth in Infrastructure: Systematic increase in the number of cloud accounts to 447, reflecting an expanded and more robust infrastructure.
   2.  Security and Compliance: Continued improvements in security measures leading to an advanced and stable infrastructure adept at risk analysis and incident response.

Figure 3: Compliance trend analysis
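Section 4.6 calls for automation that flags or restricts unauthorized services, which is the same visibility a CASB provides at the network edge (Section 3.1). The block below is an added example for this page, not code from the paper or from any CASB product: it parses constructed proxy log lines, maps each destination host to a service catalog by walking its parent domains (so any subdomain of a catalogued service matches while a look-alike host does not), and assigns an allow/block/review verdict plus a priority that escalates for large uploads to anything outside the sanctioned list. The log format, the catalog, the users and hosts, and the 1 MiB upload threshold are all constructed assumptions.

```python
"""Added example (not the paper's or any CASB vendor's code): discover cloud
services in proxy logs, classify them against a sanctioned-service catalog and
decide what an automated policy would do with each event. Log format, catalog,
hosts, users and thresholds are constructed assumptions."""
from collections import defaultdict
import re

# Constructed proxy log: "<time> <user> <src_ip> <method> <host>[:port] <bytes_sent>"
SAMPLE_LOG = """\
2023-11-02T09:01:12Z alice 10.1.4.20 CONNECT files.corp-drive.example:443 2048
2023-11-02T09:02:40Z alice 10.1.4.20 CONNECT upload.freeshare.example:443 5242880
2023-11-02T09:03:05Z bob 10.1.4.31 CONNECT api.git.example:443 1024
2023-11-02T09:04:18Z bob 10.1.4.31 POST paste.notes.example:443 8192
2023-11-02T09:05:50Z carol 10.1.4.42 CONNECT newtool.example:443 300
2023-11-02T09:06:02Z carol 10.1.4.42 CONNECT FILES.CORP-DRIVE.EXAMPLE:443 700
this line is malformed and must be counted, not silently dropped
"""

# Constructed catalog: registered domain -> (service name, approval status).
CATALOG = {
    "corp-drive.example": ("Corporate file share", "sanctioned"),
    "git.example":        ("Source hosting", "sanctioned"),
    "freeshare.example":  ("Consumer file sharing", "unsanctioned"),
    "notes.example":      ("Public pastebin", "unsanctioned"),
}
UPLOAD_ALERT_BYTES = 1 << 20  # assumed: >= 1 MiB sent outside the sanctioned set is high priority

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<bytes_out>\d+)$")

def parse_line(line: str):
    """One log line -> event dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    ev["host"] = ev["host"].lower().rstrip(".")  # normalise case and trailing dot
    return ev

def classify_host(host: str, catalog: dict = CATALOG) -> tuple:
    """Match the host and each parent domain against the catalog, so any
    subdomain of a catalogued service matches but a look-alike such as
    corp-drive.example.evil.example does not. Unknown hosts are returned as-is."""
    labels = host.split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        entry = catalog.get(".".join(labels[i:]))
        if entry:
            return entry
    return (host, "unknown")

def verdict(status: str) -> str:
    """Assumed policy: sanctioned -> allow; unsanctioned -> block;
    unknown -> review (a discovered service queued for IT approval)."""
    return {"sanctioned": "allow", "unsanctioned": "block"}.get(status, "review")

def analyze(log_text: str, catalog: dict = CATALOG) -> tuple:
    """Returns (findings for non-sanctioned traffic, bytes sent per user per
    service, number of unparsable lines)."""
    findings, skipped = [], 0
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        service, status = classify_host(ev["host"], catalog)
        usage[ev["user"]][service] += ev["bytes_out"]
        if status == "sanctioned":
            continue
        findings.append({
            "user": ev["user"], "host": ev["host"], "service": service,
            "status": status, "action": verdict(status),
            "severity": "high" if ev["bytes_out"] >= UPLOAD_ALERT_BYTES else "medium",
        })
    return findings, {u: dict(s) for u, s in usage.items()}, skipped

if __name__ == "__main__":
    found, per_user, bad = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:6} {f['action']:6} {f['user']:6} {f['host']:28} "
              f"{f['service']} ({f['status']})")
    print(f"{bad} unparsable line(s); bytes sent by user and service: {per_user}")
```

Hosts absent from the catalog are not blocked but routed for review; that queue is where IT either sanctions the service or adds it to the unsanctioned list, which closes the loop with the approval process of Section 3. An inline forward-proxy CASB can enforce the block verdict directly, whereas a log-only deployment turns it into an alert. Either way the result is only as complete as the traffic that reaches the proxy: devices that bypass it are invisible here and need DNS or endpoint telemetry, and unparsable lines are counted rather than dropped so that a log-format change shows up as a gap instead of a clean report.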




End of 2023. Key Insights and Achievements:
   1.  Total resources managed: 35,493.
   2.  Vulnerability levels: zero critical and high vulnerabilities; 954 medium; 1,870 low; 3,667 informational (Fig. 4).
   3.  Compliance level: an increase from 67% to 82%, indicating enhanced governance and adherence to high standards.
   4.  Security Improvement: The elimination of critical and high-level vulnerabilities by the end of 2023 is a testament to the effective security management and mitigation strategies employed, ensuring a highly secure cloud environment.
   5.  Compliance Increase: The significant rise in the compliance level from 67% to 82% within three years underscores the successful enhancement in governance and adherence to stringent security standards.
   6.  Account Management: The proactive management of both known and previously unknown accounts illustrates decisive action against shadow IT practices, improving control and visibility across the cloud environment.

Figure 4: Compliance trend analysis per alert priority

This case study exemplifies the importance of a structured and proactive approach to cloud infrastructure management. Through regular audits, continuous monitoring, and a strong focus on compliance and security, the organization not only improved its operational security but also aligned its cloud resources more closely with organizational goals. The strategic management of cloud accounts, including the identification and elimination of unnecessary or redundant accounts, played a crucial role in enhancing cost efficiency and resource management. Overall, this journey reflects a model for effective cloud governance that can serve as a benchmark for similar enterprises aiming to secure and optimize their cloud environments.

6. Conclusions

In conclusion, the strategic application of automation across various facets of IT management, ranging from user engagement and education to collaborative solution development and policy enforcement, emerges as a pivotal solution to the pervasive challenge of Shadow IT, particularly within public cloud environments. By harnessing automation, organizations can significantly enhance their IT governance, ensuring that IT practices are not only aligned with business objectives but also responsive to user needs, thereby reducing the inclination towards unauthorized IT solutions. The deployment of automated tools and processes fosters a culture of transparency, efficiency, and security, which is essential for mitigating the risks associated with Shadow IT. These risks, including security vulnerabilities, legal ramifications, and compliance breaches, pose significant threats to the integrity and operational efficacy of cloud computing frameworks.

Furthermore, proactive engagement strategies facilitated by automation, such as continuous feedback mechanisms, personalized educational programs, and inclusive technology evaluation platforms, encourage a more informed and collaborative approach to IT resource utilization. This not only enhances the user experience by making approved IT channels more accessible but also aligns IT initiatives with the dynamic requirements of the modern enterprise.

Ultimately, addressing the challenges of Shadow IT through automation underscores a commitment to maintaining a secure, efficient, and adaptable cloud environment. It highlights the necessity of evolving IT management strategies to keep pace with the rapid advancements in cloud technology and the changing landscape of enterprise IT needs. Adopting these automated approaches signifies a decisive step towards empowering organizations to leverage the full potential of cloud computing, ensuring that it serves as a catalyst for innovation and growth rather than a source of risk and inefficiency.




References

[1] K. Edwards, Expected and Realized Costs and Benefits when Implementing Product Configuration Systems, Mass Customization for Personalized Communication Environments: Integrating Human Factors (2010) 216–231. doi: 10.4018/978-1-60566-260-2.ch012.
[2] P. Akello, Volitional Non-Malicious Insider Threats: At The Intersection of COVID-19, WFH and Cloud-Facilitated Shadow-Apps, 27th Annual Americas Conference on Information Systems, AMCIS 2021 (2021).
[3] P. Selvam, Secure Cloud Services by Integrating CASB based Approach, Int. J. Sci. Res. Eng. Manag. 6(7) (2022) 1–5. doi: 10.55041/IJSREM15210.
[4] H. Khan, et al., A Blockchain-Based Approach for Secure Data Migration from the Cloud to the Decentralized Storage Systems, Int. J. Web Services Res. 19(1) (2022) 1–20. doi: 10.4018/ijwsr.296688.
[5] O. Vakhula, I. Opirskyy, O. Mykhaylova, Research on Security Challenges in Cloud Environments and Solutions based on the "Security-as-Code" Approach, in: Cybersecurity Providing in Information and Telecommunication Systems-II, vol. 3550 (2023) 55–69.
[6] I. Kirin, Shadow IT: Data Protection and Cloud Security (2017). doi: 10.2139/ssrn.3020880.
[7] L. Šedivcová, M. Potančok, Shadow IT Management Concept for Public Sector (2019) 65–73. doi: 10.1007/978-3-030-37632-1_6.
[8] M. Walterbusch, A. Fietz, F. Teuteberg, Missing Cloud Security Awareness: Investigating Risk Exposure in Shadow IT, J. Enterprise Inf. Manag. 30 (2017). doi: 10.1108/JEIM-07-2015-0066.
[9] R. Taylor, Everything You Need to Know About
[17] … Deployment Made Easy By Rundeck and Kubernetes, IEEE International Conference on Electronics, Computing and Communication Technologies (2019) 1–3. doi: 10.1109/CONECCT47791.2019.9012811.
[18] T. Kenaza, et al., A Secure and Interoperable Architecture for Blockchain/IPFS Assisted Electronic Health Record Access Control and Sharing (2023). doi: 10.21203/rs.3.rs-3209163/v1.
[19] K. Murakami, et al., A Cloud Architecture for Protecting Guest's Information from Malicious Operators with Memory Management (2014) 155–158. doi: 10.1145/2557547.2557585.
[20] Y. Martseniuk, et al., Automated Conformity Verification Concept for Cloud Security, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3654 (2024) 25–37.
[21] H. Wang, Proxy Provable Data Possession in Public Clouds, IEEE Transactions on Services Computing 6 (2013) 551–559. doi: 10.1109/TSC.2012.35.
[22] V. Susukailo, I. Opirsky, O. Yaremko, Methodology of ISMS Establishment Against Modern Cybersecurity Threats, Future Intent-Based Networking, LNEE 831 (2022). doi: 10.1007/978-3-030-92435-5_15.
[23] O. Deineka, et al., Designing Data Classification and Secure Store Policy According to SOC 2 Type II, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3654 (2024) 398–409.
[24] V. Rajaraman, Cloud Computing, Resonance 19 (2014) 242–258. doi: 10.1007/s12045-014-0030-1.
[25] An Assessment of the National Institute of Standards and Technology Center for Neutron Research, Technology, Panel & Programs, Committee & Board, Laboratory & Sciences, Division & Medicine, National
       Shadow IT, Bluecat Networks (2021). URL:                               (2016). doi: 10.17226/21878.
       https://bluecatnetworks. com/blog/everything-you-               [26]   R. Buyya, et al., Cloud Computing and Emerging IT
       need-to-know-about-shadow-it/                                          Platforms: Vision, Hype, and Reality for Delivering
[10]   M. Silic, A. Back, Shadow it—A View from Behind the                    Computing as the 5th Utility, Future Gener. Comput.
       Curtain, Inf. Syst. Econom. eJ. (2014).                                Syst.        25        (2009)        599-616.      doi:
[11]   R. Walters, Bringing IT Out of the Shadows, Netw.                      10.1016/j.future.2008.12.001.
       Secur. 2013(4) (2013) 5–11. doi: 10.1016/S1353-                 [27]   S. Çevik, A. Ustundag, Smart and Connected Product
       4858(13)700 49-7.                                                      Business Models (2018). doi: 10.1007/978-3-319-57870-
[12]   X. Zeng, et al., Flow Context and Host Behavior Based                  5_2.
       Shadowsocks’s Traffic Identification, IEEE Access               [28]   R. Clark, R. Mayer, W. Thalheimer, E-Learning and
       (2019).                                                                the Science of Instruction: Proven Guidelines for
[13]   U. Pandita, et al., Effective Management of Proofs Of                  Consumers and Designers of Multimedia Learning,
       Log, Int. J. Adv. Res. Innov. Ideas Educ. 3(3) (2017).                 Performance       Improvement       42    (2003).  doi:
[14]   D. Shevchuk, et al., Designing Secured Services for                    10.1002/pfi.4930420510.
       Authentication, Authorization, and Accounting of                [29]   A. Nordby, et al., System Thinking in Gamification, SN
       Users, in: Cybersecurity Providing in Information and                  Comput. Sci. 5 (2024). doi: 10.1007/s42979-023-02579-2.
       Telecommunication Systems–II, vol. 3550 (2023) 217–             [30]   F. Yaseen, Chapter 2 2. Literature Review 2.1.
       225.                                                                   Information Security Policy Availability and
[15]   M. Silic, D. Silic, G. Oblakovic, Influence of Shadow IT               Compliance Literature. (2024).
       on Innovation in Organizations, Complex Systems                 [31]   V. Khoma, et al., Comprehensive Approach for
       Informatics and Modeling Quarterly (2016) 68–80. doi:                  Developing an Enterprise Cloud Infrastructure, in:
       10.7250/csimq. 2016-8.06.                                              Cybersecurity Providing in Information and Telecom-
[16]   H. Fujinoki, S. Dehkordi, Split Clouds: New Security                   munication Systems, vol. 3654 (2024) 201–215.
       Architecture for Protecting User Information from               [32]   S. Yevseiev, et al., Models of Socio-Cyber-Physical
       Cloud Insiders—Designs, Implementation, and                            Systems Security: monograph, PC Technology Center
       Performance Evaluations (2012) 824–829.                                (2023). doi: 10.15587/978-617-7319-72-5.
[17]   H. Rajavaram, T. Balasubramanian, V. Rajula,
       Automation          of    Microservices      Application


                                                                  31