Shadow IT has the potential to affect every facet of an IT department and can cause a variety of problems for VDI admins.
Shadow IT generally refers to users working with unauthorized services as a way to circumvent an organization's IT department. Although the term shadow IT has only gained popularity in recent years, it has been an ongoing but evolving problem for IT administrators for decades. And even though VDI is often marketed as a technology that reduces shadow IT risk -- because administrators have complete control over what applications are available on each desktop -- it remains a problem.
Unauthorized application use is a big issue
Although VDI administrators make a variety of applications available to end users, some users will inevitably want to access applications the IT department does not provide. Some may even choose to subscribe to a software as a service provider to gain access to cloud-based versions of the applications they want to use.
The act of subscribing to a cloud-based application alone may violate an organization's acceptable use policies, but probably doesn't directly present a problem. The way users work with those apps is what can cause problems. The moment users bring corporate data into the application, it nullifies all the existing safeguards for that data.
Cloud service providers are big targets for hackers so they must be secure. A security breach could conceivably drive a cloud service provider out of business.
Even so, moving sensitive data into the public cloud without the IT department's knowledge or consent is a risk. The greatest risk is violating laws pertaining to the handling of sensitive data. HIPAA, for example, imposes stiff penalties for mishandling certain types of healthcare data. The penalties are even more severe if users expose data to unauthorized parties. End users who circumvent IT are unlikely to be aware of the intricacies and nuances of laws concerning how they should store and handle data. Such users could conceivably expose their organizations to fines and/or litigation as a result of their actions.
Look out for users passing on IT-provided devices and OSes
Another source of shadow IT risk for VDI admins is users who work with their own devices rather than those IT provides for them. A less common shadow IT risk to keep in mind is users picking cloud-based desktops, rather than the virtual desktops IT assigns them. Admins probably don't have to worry about the average user doing this; more advanced users might explore this option.
Regardless of a user's reason for choosing a personal device or cloud-based desktop, unauthorized desktops can put an organization at risk. If, for example, the user has gone through the trouble of setting up personal device for work use, it stands to reason that the user will also install some applications onto the unauthorized desktop. These applications pose the risk of users mishandling data, just like unauthorized cloud applications do.
License violations are another issue. The applications users install to their desktops have to come from somewhere. If users have software licenses they were supposed to use in the organization's VDI deployment but don't record the license as being in use, the user is in violation of the license for that application. As a result, the organization could face huge repercussions when a software audit reveals the discrepancy.
Another problem with unauthorized desktops in the cloud is security. IT departments carefully configure and maintain the virtual desktops they provide to ensure that they remain secure. With a user-deployed, cloud-based desktop, there are no guarantees about security. Unpatched security holes or an insecure configuration could lead to data leakage, malware infections or hacks.
Is shadow IT all bad?
Reduce shadow IT risks with strong data protection
How to remove shadow IT once and for all