Skip to main content
banner image
venafi logo

What Are Shadow Certificates?

What Are Shadow Certificates?

July 26, 2021 | Anastasios Arampatzis

It is estimated that 43% of all IT spending occurs without the formal involvement of the IT department, according to a Harvey Nash/KPMG report. This is most likely occurring outside their knowledge as well, and without proper security controls. While unsanctioned software is problematic for its own reasons, it can be absolutely detrimental within a cybersecurity context. Known as Shadow IT, these unapproved and often unknown software crawls are becoming increasingly prevalent as industries continue advancing their journey towards digital transformation.

While on the positive side every department may now benefit—at an ever more rapid rate—from each novel tech solution on the market, we risk an imbalance between growth and security. One downside of this is that Shadow IT can result in shadow certificates that may go unmanaged, and thus vulnerable to an expiry outage or other compromise.

What is Shadow IT?

Shadow IT is the unauthorized download and use of software by departments other than IT, and it can present a problem when dealing with key and certificate management. The value of Shadow IT has been debated, and the preference for or against often depends on if you are a vendor, a user or an IT admin. For lay-users and software companies, the unguarded proliferation and “trial” of non-approved SaaS products can be termed beneficial for giving rise to new workflow tools in use and improved ways of performing duties. McAfee states that as many as 80% of employees use non-IT approved software at work. For vendors, this obviously means more business. But, for IT and cybersecurity teams, Shadow IT germinates several                      problems.

There are three types of Shadow IT categories:

  • In-network cloud-based apps
  • OAuth accessible cloud-based apps
  • Software loaded into systems and devices
The problems of Shadow IT: zero visibility and exposed certificates

For IT and cybersecurity teams, having limited to zero visibility on a wide range of growing SaaS products within an environment can be highly problematic. First of all, it is difficult enough for IT to manage and renew their own keys and certificates (especially because so many PKI teams still do it manually), but now they must hunt down and manage these machine identities and their renewals on unknown systems within other departments. Full visibility is all but destroyed and securing the enterprise becomes a matter of chance.

When the work of accurately renewing digital keys and certificates in a timely fashion proves too much for the IT team—or when they don’t have full visibility of which keys and certificates they need to replace due to Shadow IT spread—the enterprise can experience a certificate outage, leaving it vulnerable to attack. These outages are not only costly, but painful and all-too-familiar.

The costs of covering exploited outages go well beyond currency. In the worst case scenario, an expired certificate compromises intangibles such as reputation, consumer trust and partnership viability. Besides the above concerns, these additional problems arise in the wake of Shadow IT:

  • Legacy permissions. Unwitting downloaders could grant access to employees that lasts beyond the terms of their contract.
  • Duplicate apps and costs.
  • Misallocated funds. SaaS solutions expensed, rather than negotiated into IT budget. This can obscure the true budget needs of IT.
  • License breaches. any solutions have restrictions on corporate and solo accounts coexisting, among other things.
  • Regulatory compliance breaches. Without proper oversight, standards such as SOX, HIPPA and GDPR can be overlooked.
How to solve certificate-based problems in Shadow IT

The best way to tackle certificate-based problems in Shadow IT is to get ahead of the problem. Many traditional certificate management systems can only track what they are aware of. Shadow IT leaves a vast number of certificates in the dark. For this reason, a full-visibility scan such as the one offered in the Venafi Trust Protection Platform solution is advantageous. It searches your entire network for any and all available certificates, logs them, updates them and keeps them on track to continue renewing on time. Barring a solution of this scope and capability, Shadow IT will get the better of many responsible PKI strategies, and undermine what might otherwise be a healthy-looking CMS.

Additionally, underpinning the technology should be a sound security strategy for communication between any department utilizing SaaS solutions, with the IT department as the obvious hub. If a company is experiencing a sprawl of unauthorized apps across all their department, it should invest in finding, managing and ensuring the machine identities that allow them to operate safely. To do so, they must first acknowledge the Shadow IT problem and its impactotherwise every approach will only be a partial solution.


We may outstrip ourselves if we are not careful to establish security controls that will account for both exploration and accountability. Without sufficient cybersecurity tools or strategy, the job of keeping up with every piece of software downloaded by every department, and every key, certificate and machine identity belonging to those becomes a herculean task. Enterprises need to find a way to allow both the exploration of new applications and the use of enterprise-scale solutions that can keep up and allow them to utilize, download and maintain them safely—without risking the safety of the whole.

Venafi’s Trust Protection Platform solution allows enterprises the freedom to discover and utilize new software freely, while it accounts for all the responsibility of finding, gathering and maintaining the machine identities that come with them. To invest in a solution of this scope and scale is becoming not only useful but necessary as enterprises face the certain reality of Shadow IT.


Related Posts

Like this blog? We think you will love this.
Featured Blog

How DoS/DDoS Attacks Impact Machine Identity, Digital Certificates

For safe and secure utilization of machine identities such as SSL/TLS cer

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more