Understanding Shadow IT and Shadow SaaS: Definition, security risks, and how to manage it

Introduction

SaaS applications have made it incredibly easy for users to quickly sign up and adopt their tools independently. As a result, employees are signing up for the tools they need on their own, without IT approval.  This is a great thing as it allows businesses to embrace innovation and employees to move quickly and be more productive. But the cost of this digital transformation is the emergence of shadow IT. 

So, what exactly is shadow IT? 

In this article, we’ll define shadow IT and shadow SaaS and talk through some of the serious security risks associated with it and give some actionable guidance on how to manage both shadow IT and its risks. 

We’ll be focusing primarily on shadow SaaS, since this is a newer area that organizations need to address with new security methods, policies and tools. 

What is shadow IT?

Shadow IT is the use of technology, software, applications, or devices within an organization that hasn’t been explicitly approved or given oversight from IT and/or security teams. Usually, individual employees or teams have adopted these tools to streamline processes, enhance productivity, or address specific needs.

This article specifically focuses on the SaaS applications portion of shadow IT, also known as “shadow SaaS.”

What is shadow SaaS?

Shadow SaaS is a subset of shadow IT, specifically focused on — you guessed it — SaaS apps. Shadow SaaS are the SaaS and cloud applications used within an organization without the explicit knowledge or approval of the company’s IT department.

These unmanaged services and apps are added to the company’s attack surface when employees or teams subscribe to and use SaaS applications on their own, bypassing official IT procurement and security processes. 

What are the risks of shadow SaaS?

Bugs and vulnerabilities 

The SaaS applications and cloud services that fall under shadow IT don’t always go through proper security testing and assessments. 

Many may be bootstrapped tools or apps that are only managed by very small teams and startups who are primarily focused on adding product features, not security features.

That means some bugs and vulnerabilities may exist that attackers can exploit to gain access to the sensitive data stored within the app or to gain a foothold into your business by moving laterally through your attack surface.  

There’s always a risk of bugs and vulnerabilities, but the risk is higher when the vendor isn’t investing in security.

Data loss and potential compliance violations 

The issue with shadow SaaS is that the security team has no knowledge that the platform or app is being used in the company, so they have no idea where company data is being stored.

Without knowing which third-parties have access to company data, the security team aren’t aware what sensitive data could be exposed to attackers. Data leaks, supply chain, and third-party risks are the biggest security issues that result from shadow IT and shadow SaaS. 

When it comes to compliance,  you may find you’re not actually complying with data privacy regulations as well as you thought. More and more regulatory compliance standards are enforcing up-to-date SaaS application inventories along with their third-party supplier checklists these days.

Lack of support

When the IT team doesn’t know which SaaS apps the team is using, they can’t provide support with the tool, when needed. That leaves employees feeling stranded and frustrated as they struggle to troubleshoot on their own. This may even lead to employees being blocked on projects they’re relying on the SaaS app to help with.

How to manage shadow IT risks

Visibility 

To properly secure your data and that of your customers, you need to have visibility into all the SaaS applications employees are using, including free trials and apps they’re just testing. We’ve written an article on how to manage the security challenges of freemium and trial apps that’s worth exploring further.

There are plenty of modern tools on the market that focus on discovering the SaaS applications and cloud services employees in your company are using. Most also have some level of risk-based data for the apps people are using, so you can make better security decisions about the shadow IT you uncover.

Our SaaS Security Solution Evaluation Guide is a helpful resource to download when you’re evaluating solutions. In it, you’ll find:

• what to look for in the product features, 

• what questions to ask the vendors and, 

• how to compare solutions to find the best fit for your business.

Consolidate shadow IT and cloud-based applications

Once security and IT teams know about and have an accurate inventory of all the SaaS apps in use (those previously considered “shadow IT” or “shadow SaaS”), they can encourage teams to consolidate their SaaS tools. 

For IT and Security, consolidating apps is a huge win because they can focus on making sure that short-list of tools is secure enough for them to continue to use them.

For the rest of the company, working within the same tools can aid in collaboration, clear communication and status for ongoing projects.

And, of course, Finance will love spending less money on a sea of disparate tools and consolidating the spend on the SaaS applications that are regularly used by the wider team.

Offer secure alternatives

To consolidate SaaS apps and rein in shadow IT, you’ll need to offer alternative solutions that will solve the problems employees have. Work with them to understand the use cases they’re solving with these apps, identify their requirements, and provide a few tools you’ve already vetted which still serve their needs but are more secure or have security features like SAML SSO so you can tuck them behind your existing SSO solution. 

Safely embrace shadow IT

We’re not suggesting that security and information technology teams throw their hands up and say “shadow IT will happen and we can’t control it,” but we are suggesting that they consider a mindset that balances the needs of the team and their own need to control the security of sensitive information and the organization. 

New technologies exist that can help you uncover shadow IT so you can get involved in the software adoption process early on. This will give you the advantage of working with employees to understand why they’re using the tool before they’ve fully adopted it and become dependent on it. This will also give you more time to risk assess the app once it’s clear that the employee or team needs it. 

Some modern SaaS security solutions also help you enable security features like multi-factor authentication (MFA) and guide employees to use strong, unique passwords or social logins (“Login with your Google account” or “Login with Microsoft 365 account”), at the account level. These small, but powerful SaaS account security actions raise the bar for attackers, making it much harder for them to gain a foothold into your systems via an employee’s SaaS account.

This is a solvable problem

Shadow IT introduces security risks, sometimes serious security risks, but there’s no stopping it — even if Security goes the route of blocking access to SaaS apps that they haven’t yet approved or sanctioned employees will work around these security policies to gain access to the tools they need to do their jobs. 

The biggest reasons employees engage in this behavior is to streamline their work and, often, to collaborate with one another in a remote-work environment. Cloud apps enable these things really well, which is why they’re so popular.

But shadow IT doesn’t have to be a completely uncontrolled disaster, either. With visibility, security and IT teams can be a powerful ally for the business and a trusted partner for employees, rather than taking on the role of draconian authoritarian. Security teams no longer have to be the Department of No and, in fact, by changing this mindset, Security may find that they have more pull with business leaders within the company.

By working with employees, rather than against them, Security and IT become “enablers of the business,” which typically resonates with higher ups. If helping to streamline the cloud-based services the company uses doesn’t get them excited, saving the company money by consolidating tools certainly will.

Shadow IT is a visibility problem, not a technology one 

The issue with shadow IT isn’t that it exists, it’s that these SaaS apps exist outside of the IT department and security team’s remit — they just don’t know about them. By discovering the apps employees are using, they can integrate these SaaS apps safely into the company’s SaaS estate, alongside all the other tools in the tech stack.

Shift IT department and security team mindsets to make an impact

Security and IT need to be approachable and transparent with employees as the first step, rather than shaming them for their behavior. They’re not gleefully going behind the information technology team’s back for fun, they’re trying to get their work done quickly. 

Asking employees to shift from hiding these SaaS apps from you to being transparent that they’re using them requires a level of mutual trust and respect.  

Become a partner to improve security

You will, of course, still have some SaaS apps that are outright not approved because they’re too high-risk for the company’s security policies and, in that case, you’ll want to offer one of those safer alternatives that we mentioned above and offer that as a replacement to users who were using the risky, unsafe tool. 

This is much easier to do when you’re seen as a collaborative, friendly team that’s doing the best thing for the company than when you’re the enforcer of rules and policies, which restrict them at every turn. 

Building a strong relationship with employees (or repairing the relationship if you’ve previously been seen as the Department of No), takes work and a major shift in the security team’s mindset, but the ramifications are far reaching. By considering how employees feel about the security team and IT department’s decisions, both teams win. The end result should never be that employees make security decisions, however their needs for getting their jobs done needs to be considered as security measures are put in place.

The National Cyber Security Centre (NCSC) posted a great article on this topic if you’d like to explore further.