In today’s agile workplace, employees are constantly adopting new tools that allow them to work more effectively. Often times, they bypass technology sanctioned by the IT team, adopting unauthorized applications and introducing new risks into your environment. Digital transformation initiatives and the proliferation of SaaS solutions, especially as businesses embrace the cloud, further increase these shadow IT risks.
Flipping off the switch on SaaS adoption is not an option for modern organizations. And you can’t prevent shadow IT. So how can you control your shadow IT risks? The short answer is to manage shadow IT by enabling decentralized adoption — in a secure, compliant and optimized way.
Why is shadow IT a problem?
Gartner defines shadow IT as “IT devices, software and services outside the ownership or control of IT organizations.” Here are some scenarios:
- An employee brings in a personal laptop to the office and connects it to the network.
- A software developer uses APIs without proper permissions for a project.
- An office manager buys a consumer-grade router at an electronics store because the team needs it immediately.
The most common type of shadow IT is SaaS services and applications. This is due to the robust adoption of the cloud, as businesses seek to transform their processes to better serve customers, create new products and services, and introduce new business models.
Another driver of shadow IT is the consumerization of SaaS services, such as collaboration and communication apps. These tools make it easy and simple for employees to source and adopt the technology and become more productive.
In addition to improving productivity, shadow IT makes your business more resilient and empowers your employees to work from anywhere. But the downside is that the lack of clear processes and oversight enables them to do this outside of the proper IT channels.
Typical organizations have 3 to 4 times more SaaS apps in use than IT knows about. Many of these apps have their own access controls and security that are not consistent with your policies. Some, especially consumer SaaS solutions that are popular among employees, lack controls altogether. Either situation leads to shadow IT risks.
Without visibility and control over their SaaS environment, organizations are constantly in a reactive state, struggling to gain control of their data and security.
Top shadow IT risks
These are some of the common shadow IT risks that organizations face:
Data loss and compromise: The biggest shadow IT risk stems from employees using unsanctioned SaaS services for sharing or storing sensitive company information. The risks include:
- Unauthorized access to the data, whether that’s due to lax security of the SaaS service or a user sharing the data inappropriately outside the company
- Inability to apply identity access and management policies and controls
- Permanent loss of data since employees are likely not creating backups
Noncompliance: In the past, regulatory compliance was largely a concern for businesses in highly regulated industries. But with new privacy mandates such as European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act, compliance is a priority for every business.
Shadow IT makes compliance a challenge because, among other things, you can’t:
- Apply the same risk-assessment measures that you have for authorized applications
- Audit the unauthorized services to understand risks and to prove compliance
- Identify the full scope and impact of a security event if an incident occurs
Security: As noted earlier, many SaaS services don’t have robust security measures in the first place. Since they’re not managed by IT, you can’t apply the mitigation measures that you have in place for your IT architecture. In addition to data access risks, shadow IT creates security risks due to things like:
- Unpatched vulnerabilities
- Weak, unsecure passwords
- Lack of visibility into the increased attack surface
These security gaps weaken your overall security posture and compromise your ability to defend against today’s dynamic threats.
Cost: Estimates show that nearly a third of all SaaS licenses are unused or underused, contributing to inefficiencies and unnecessary costs. Additionally, some organizations that attempt to take control over shadow IT resort to manual processes, including lengthy spreadsheets to keep track of all the SaaS services—resulting in further drain on resources.
Managing shadow IT risks
First steps to managing shadow IT risks is to gain visibility into your SaaS ecosystem, then monitoring it and applying policy-driven access controls. Making identity the core of your risk management and bringing your SaaS apps under a centralized management and government process can help solve both the access and the security risks of shadow IT.
Benefits of this approach include:
- Uncovering SaaS sprawl—discover both unauthorized and hidden applications and get a central view into your entire SaaS footprint
- Centralizing control—use a seamless process, from discovery to governance, to apply identity security controls and protect all apps
- Monitoring shadow IT—continuously monitor SaaS usage in real time to understand and mitigate risks
- Improving compliance—assess risks, streamline audits and strengthen compliance
- Boosting efficiency—stop relying on manual and error-prone processes for tracking and managing your apps
By implementing an end-to-end approach to SaaS management, your business and your employees can take full advantage of SaaS services through decentralized adoption. At the same time, you’re not compromising security and compliancy, and are not wasting resources.
Final Thoughts
The modern workplace is evolving, and many organizations see remote and hybrid models as the way of the future. The cloud makes this transformation possible, but you have to address the implications. As SaaS services continue to fuel your innovation, your shadow IT risks will continue to challenge your security.
SailPoint SaaS Management enables you to take control over hidden and unauthorized SaaS applications so you can mitigate your data and security risks while boosting compliance. SailPoint also helps you manage spend, optimize usage and automate processes to improve overall efficiency.
