What Is Shadow IT?
Technology purchasing has also become more distributed with SaaS vendors targeting departmental buyers (CMO, CRO, CTO) and end users via product-led growth initiatives. Broadly speaking, Shadow IT can encompass:
- Applications purchased by individuals
- Enterprise applications purchased by a department/line of business
- Open source or free applications
- Deny-listed applications still being used by employees
- And applications that might be end of life that are still in use
Shadow IT risks
There are several risks associated with shadow IT. The main challenges include:
- Application sprawl: Sprawl is problematic for a couple of reasons. One is that applications are purchased for a specific use case, or needed by a few team members, and then rarely used and forgotten about – until the bill is due. Another issue with sprawl is organizations end up with multiple tools that do the same function. You can probably identify overlapping technologies off the top of your head – collaboration tools, project management tools, performance monitoring tools, email applications, etc. In addition to the financial and security implications, application sprawl also leads to productivity and data sprawl issues, e.g. employees routinely asking where artifacts are held (Microsoft Teams, Confluence, Sharepoint, Miro, etc.).
- Security risks: If your security team is not aware of applications used by employees they don’t know if the application used has required security standards, where company/customer data is being stored, and password protections used by employees (because the applications isn’t going through SSO). Organizations can’t afford security risks associated with Shadow IT. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million. Financial services are higher with $5.9M/breach. In addition to actual remediation costs, data breaches damage revenue potential due to loss of trust and disrupt an organization’s strategic objectives with so much time and attention devoted to remediating the issue.
- Surprise bills: Organizations need to be able to predict revenue and spend to be financially prudent. Without a view into all the applications purchased, and the trends of how they are being used, it is very difficult to predict budgets. With distributed purchasing, this challenge is even more difficult, especially when the application ‘owner’ leaves the organization, and a surprise bill lands on the finance desk.
- Compliance and audit failures: Related to surprise bills, without a good handle on product usage against licenses purchased, organizations can see large fines associated with vendor audits. This is especially true for organizations that have undergone a lot of M&A activity. Compliance failures can also bring unwelcome expenses. For example, failure to comply with the EU’s Digital Operational Resilient Act can result in a fine of £10M fine or 5% of annual sales. Additionally, failure to have a solid view of IT assets can impact credit ratings, as reported recently by the S&P Global Ratings Agency.
How to find Shadow IT
There are multiple ways to discover shadow IT.
- Usage metering: Usage metering helps you identify what applications are actually being used by employees. In addition to understanding last login, you can find details like how many runs over a period of time and average hours/minutes per run to spot heavy vs. infrequent users of applications. There are two methods for identifying usage metering for shadow IT. One is via a browser extension. This helps you identify usage of paid and free SaaS applications. Many organizations are concerned about the use of generative AI, and having a browser extension to capture this usage can detect employees using these technologies. The second method is leveraging an agent to understand usage of installed applications. The benefit of this method is you can also tie application details to a data intelligence service to understand if these applications are end-of-life, and if you’ve flagged them as deny-listed, you can uninstall the applications.
- Cloud access security brokers (CASB): CASBs can identify use of cloud applications, including detecting use anomalies (identifying potential threats like Ransomware), and enforce policies to restrict access. CASB deployments do have some limitations in that it is not able to detect usage if not on the corporate network (which today is most often the case with remote workers) and often CASB products are difficult to deploy and scale.
- Low tech: Using your sleuth skills you can inquire about ‘must have’ applications used in each department. Most times, operations teams will have details of the important applications that make their teams successful. From there you can do more digging to uncover how these applications were contracted, and how licenses are allocated and tracked.
Learn more in this article, SaaS discovery methods.
Governing Shadow IT
Since everyone has access to the internet and can start a trial with an email address or sign up for a service with a credit card, you can’t prevent shadow IT, but with the proper visibility and policies in place, you can govern it. Here are some tips on governing shadow IT throughout the lifecycle:
Procurement:
- Make it easy for employees to get what they need. Let employees discover common applications through your SSO platform or a self-service application catalog. Self-service app stores also provide a level of automation to manage licenses. When assigning a license, you can indicate if it goes unused, the license will be automatically reclaimed.
- You can also facilitate this by understanding common applications used by job function and provision application licenses for these applications in the onboarding phase. Communicate to employees they have all the standard applications everyone else has for their job function, and if they need anything else, check the application catalog or work with IT to see if there is something that would work that is already approved.
- Have an inventory of all applications by category and department. If a requisition does hit your desk, you can compare the application requested with a list of authorized applications already used. Too often we speak to procurement professionals who are working on a contract for a type of software, to find that another team is also looking to purchase a similar application. By having a good inventory, this will also fast track getting the right tools for your end users.
Support/Monitoring:
- Leverage technology to discover applications in use. It’s impossible to determine if all the application providers used by your organization have the right level of security controls in place if you don’t have visibility into all the technologies used across the organization. Leveraging browser extensions and agents on the user device, you will be able to assess all installed and SaaS applications in use, by what department and what poses the biggest risk. Remember that not all software requires a license and using financial data for software inventory will not capture free application usage.
- Understanding real usage will also help you inspect what you expect. If your organization has standardized an authorized application list, you can report on the use of applications that are questionable.
- Educate and collaborate. Once you know which applications employees are using, you can take a targeted approach to having conversations about why going outside of policy to use free or licensed applications is risky for the business. In having these conversations, you will also learn about the departments or user’s application requirements and will be better equipped to partner with them on identifying a safe solution to help them be productive.
Learn more about to identify risks in your technology estate in this guide, Technology Intelligence for Security Professionals.