Shadow IT – Uncovering the Hidden Applications Contributing to SaaS Security Risks


By Alex Sukennik

Companies often underestimate the number of unauthorized applications used in their organization. Retaining control over data within an organization is already a challenge that internal IT departments have to deal with on a daily basis. With the addition of cloud services, this challenge is greatly magnified. According to Netskope, most people underestimate the number of cloud apps they have by 90 percent.

Communication between IT and Finance departments is often challenging, to say the least. Finance wants to know more about what IT is doing behind the scenes, and IT wants Finance to get off its back. If there is no visibility into the full spectrum of cloud applications, this dysfunction will continue indefinitely. Hence the rise of Shadow IT as a growing issue of complexity.

The Growing Complexities of Shadow IT

The emergence of shadow IT has brought significant changes to the enterprise security landscape, challenging IT groups with scenarios they were not exposed to before. When files are stored in and transmitted via public cloud services, business data is placed outside of the organization, and it becomes impossible to control the data or even know who accesses it. Company data that is supposed to be supervised is now outside the scope of IT’s watch. Forrester states that 65% of SaaS decisions and spend is outside IT.

The critical problem: IT departments lack the resources required to apply cloud-specific security to these hidden cloud applications.

Use of these shadow IT cloud services by employees can quickly become an immense “needle-in-the-haystack” issue for proper discovery. Research by cloud security firm Netskope found that the average number of cloud services used by companies increased 4% in Q4 of 2016 from the year-earlier period to a total of 1,071. However, 7% of the cloud services are considered enterprise-ready, according to Netskope.


“More than 80 percent of employees worldwide are circumventing company policy to choose and use their own SaaS applications.” – “Taking Shadow IT Out of the Shadows,” Frost and Sullivan

The Risks of Shadow IT

Employees first turned to shadow IT resources out of a need to work more efficiently and to modernize their environment. Those who actively adopt shadow IT are committed to embracing cloud computing innovations.

They understand the clear advantage of using cloud tools. However, by installing unsanctioned applications and subscribing to unapproved cloud services, these innovation-minded employees subject their company to unexpected risks. Using IT assets that are invisible to the IT department complicates data security and regulatory compliance and can increase the cost of IT operations.

“A 2016 survey of IT professionals by NTT Communications found that 83 percent report employees store company data on unsanctioned cloud services and 71 percent say the practice has been going on for two or more years.”

Shadow IT exposes organizations to several risks from a security perspective. Applications such as remote administration tools and other third-party applications can lead to security breaches that remain unknown to the IT department, because it is nearly impossible to track all the services and apps being used by company employees.

Shadow IT – Turning an IT liability into a corporate asset

The mistake some IT departments make is to consider the shadow IT phenomenon a risk that must be minimized rather than an opportunity they can capitalize on, as stated by Tech Target’s Kerry Doyle in her article “Beyond Shadow IT Risks, Opportunity Awaits”.


By putting the needs of users first, while clearly communicating shadow IT risks, administrators and their teams can attempt to manage shadow IT.

Once IT departments abandon their traditional role as the sole source for all workplace technology, they are free to expend their resources more productively. IT staff can then become leaders of enterprise-wide cloud initiatives in which IT plays a more active role. By serving as an “innovation agent” instead of a “security disrupter”, IT enters into partnerships with business departments that lead to streamlined planning, implementation, and maintenance of increasingly vital information services and offerings.

Developing a Strategy to Understand the Risk of Shadow IT

Employees increasingly buy tools with their own credit cards in order to be better, faster and smarter at their place of employment. They know that getting approval from their manager to expense a $10/month item will be easy, but getting CIO approval will be hard. So they go and get the tool because it will help them close deals faster, and so on. Managers are more likely to allow this because they know the internal process is especially hard.

In the past, IT could prevent a tool from being downloaded and installed on a PC by blocking local admin rights. But now most SaaS applications are simply a login to a webpage, and there is no software to install. The benefit is better employee productivity; the danger comes when such tools go viral in an organization and people start to put company information into something that is not seen by the CIO, CFO or the CISO. Many tools exist to try to catch data loss; however, those tools do not show that costs are getting out of control. Expenses are growing, and by the time this is caught through the monthly expense process, companies are at risk for millions of dollars.

Tools like SaaSLicense, residing in the SaaS Management Platform space, can assist IT departments in managing this critical area of risk by: 

1.   Identifying Unnecessary Exposure to Risks

2.   Identifying Top Data Security Risks

3.   Identifying Top Enterprise Regulatory Compliance Issues

The Final Shadow IT Strategy – Identify and Optimize Hidden Costs

Once you’ve identified apps that are in use but were developed outside the IT department, determine what sensitive information each app may include. The only way to monitor which cloud apps employees are using is by paying close attention to where your data is going.

If a discovery tool like SaaSLicense (which integrates with your ERP) is monitoring your expense management operations and finds such expenses, IT can get involved, not to stop the usage but to get control of the risk: inventory the application, perform a proper security review and, most importantly, help control the ongoing cost.

At the same time, you may find that you already have those tools and your employee base simply was not aware of them, in which case you can add those employees to your corporate accounts. With SaaSLicense technology we will identify duplicative services, such as content sharing and storage tools like Box, Drivebox and Sugarsync, and begin to suggest which ones you can eliminate, standardize on or migrate to in an effort to get the best savings.

That’s what makes a platform like SaaSLicense so critical at this 65% “Outside of IT” juncture. The advantages of monitoring license usage, discovering applications and mitigating risk present a solution to the growing complexity of Shadow IT, one that must be considered as part of the overall governance strategy in your 2019 IT plan.

To learn more about SaaSLicense please visit our website
