Shadow IT is an unfortunate reality in most organizations. Employees downloading SaaS apps onto their work devices without IT’s knowledge may believe these tools make them more productive. However, these apps can expose the organization to threats that the user is unaware of and that IT cannot protect against, because neither the user nor IT knows how the app is being used or what it integrates with.
As we found in our State of SaaS Report, there are approximately 2.5 times the number of apps running in an organization than what a typical IT audit uncovers. Because shadow SaaS apps are easy to access while bypassing the organization’s vetting process, they produce gaps in the security perimeter that can lead to:
- Insider risks such as data exfiltration and data destruction.
- Misconfigured apps that lead to compliance issues and violations.
- Financial impacts on the organization, including lost revenue, opportunity costs, reduced productivity, and a greater burden on the IT security team.
At their core, the security challenges are related to identity. Hijacking SaaS identities, both human and non-human, is the perfect gateway into the organization. Whether user credentials are acquired on the dark web or captured through social engineering, the result is the same: a legitimate way into the network. The more applications that users run, and the more those applications are integrated with other systems, the greater the attack surface and exposure.
The fast-growing use of AI that is embedded in many applications adds another layer of risk. Users may not even be aware that these tools make use of AI, and these apps may not use safe AI development practices, leading to leaked knowledge and supply chain data breaches.
Forrester Research predicted that 60% of employees will use their own chosen AI tools for work. Wing Security’s research also uncovered that 70% of the most common AI apps use company data for training their models. Meanwhile, shadow SaaS apps often go undetected because legacy IT security technologies can’t spot them, let alone block them.
Knowing that the risks are real, why does shadow IT continue to plague organizations of every size and across industries — and what can be done to identify and stop its use? The answers start with understanding why shadow IT usage is so common in the first place.
What’s behind the rise of shadow IT?
On average, employees each use 29 applications, yet 41% of these apps are used exclusively by one employee. Whether those apps are sanctioned by IT or used without permission, this SaaS sprawl represents a lot of potential security risks. Yet the use of shadow SaaS continues to grow; according to Gartner, Inc., this number could reach 75% by 2027.
Shadow IT’s prevalence stems from several factors, including:
- Frustration with the limits of “official” apps. Users may need capabilities that aren’t in the approved tech list. Advertising, word of mouth, and reviews make it seem like these SaaS applications can quickly and painlessly solve almost any problem.
- Effortless adoption of SaaS apps. Simple sign-up, including “Sign in with Google”, plus free trials or even completely free-to-use apps make it quick and easy to start using cloud-based tools.
- Remote work. Working from home has become a common practice within organizations in recent years, which often makes interacting with IT difficult or slow for some employees.
- Doing more with less. Meeting tight deadlines puts pressure on employees to find and use tools they believe will help them hit their targets, whether that means using an unauthorized tool to finish up software development or using a video conferencing app that their customer prefers.
App-to-app connectivity adds to the risk, as it may not be obvious how applications interact with each other. Depending on the permissions given, a seemingly “safe” app could, in fact, be connecting to other systems across the enterprise without the knowledge of the employee who launched it. Simply accepting the default permissions might allow data to flow between apps, potentially exposing proprietary information to bad actors or letting malware or spyware migrate throughout the organization.
IT’s challenge: Detecting and mitigating shadow IT in SaaS
Security and audit tools designed for legacy systems and older methods of cyber protection aren’t tuned to spot SaaS apps. This means that shadow SaaS frequently goes completely undetected.
While IT teams are fully aware of the existence of shadow apps, that isn’t the same as knowing exactly what — or how many — unauthorized apps are running on any given platform or the permissions granted to each of them. Our research shows that the average organization typically has 250% more apps in use than a workspace query shows.
The solution is to use a tool purpose-built to identify all SaaS identities and apps in use across the organization, prioritize the risk each one represents, and remediate access to mitigate the threat.
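The following is an added example, not Wing Security’s product or code, of the “identify, then prioritize” step described above applied to the kind of evidence that app-to-app connectivity leaves behind: when a user clicks “Sign in with Google” and accepts the default permissions, the identity provider records an OAuth consent event naming the app, the user, and the scopes granted. The records here are constructed for the example, and the field names (`user`, `app`, `client_id`, `scopes`, `ts`) and the `SANCTIONED_APPS` allowlist are assumptions rather than any vendor’s schema. The script builds an inventory of third-party apps from those events, flags apps that were never vetted, apps that only one employee uses, and apps holding scopes that reach company data (Drive, Gmail, contacts, calendar, admin), and ranks the unsanctioned ones by data exposure.

```python
"""Inventory third-party SaaS apps from OAuth consent events (added example)."""
import json
from collections import defaultdict

# Substrings that mark a scope as reaching company data rather than just
# identifying the user. Constructed list; adjust to the identity provider's scope names.
SENSITIVE_SCOPE_MARKERS = ("drive", "gmail", "contacts", "calendar", "admin")

# Apps that IT has vetted (assumed allowlist for the example).
SANCTIONED_APPS = {"corp-crm"}

# Constructed consent events, one JSON object per line. Scope strings follow the
# Google OAuth scope format; the users, apps and client ids are made up.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:12:00Z", "user": "alice@example.com", "app": "corp-crm", "client_id": "c-001", "scopes": ["openid", "email", "https://www.googleapis.com/auth/contacts.readonly"]}
{"ts": "2024-05-01T10:03:00Z", "user": "bob@example.com", "app": "slide-genie", "client_id": "c-002", "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive"]}
{"ts": "2024-05-02T08:41:00Z", "user": "carol@example.com", "app": "slide-genie", "client_id": "c-002", "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive"]}
{"ts": "2024-05-02T11:27:00Z", "user": "dave@example.com", "app": "quick-notes", "client_id": "c-003", "scopes": ["openid", "email"]}
{"ts": "2024-05-03T14:05:00Z", "user": "erin@example.com", "app": "mail-summarizer-ai", "client_id": "c-004", "scopes": ["openid", "https://www.googleapis.com/auth/gmail.readonly"]}
this line is not JSON and is skipped by the parser
"""


def parse_events(text):
    """Parse one JSON object per line; skip blank, malformed or incomplete records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not all(k in rec for k in ("user", "app", "client_id", "scopes")):
            continue
        events.append(rec)
    return events


def build_inventory(events):
    """Group consent events by app: which users granted access and which scopes."""
    inventory = defaultdict(lambda: {"client_id": None, "users": set(), "scopes": set()})
    for e in events:
        entry = inventory[e["app"]]
        entry["client_id"] = e["client_id"]
        entry["users"].add(e["user"])
        entry["scopes"].update(e["scopes"])
    return dict(inventory)


def is_sensitive(scope):
    """True when the scope reaches company data rather than basic sign-in identity."""
    return any(marker in scope.lower() for marker in SENSITIVE_SCOPE_MARKERS)


def assess(inventory, sanctioned=SANCTIONED_APPS):
    """Per app: is it unvetted, used by a single employee, and what data can it reach."""
    findings = {}
    for app, entry in inventory.items():
        findings[app] = {
            "unsanctioned": app not in sanctioned,
            "single_user": len(entry["users"]) == 1,
            "user_count": len(entry["users"]),
            "sensitive_scopes": sorted(s for s in entry["scopes"] if is_sensitive(s)),
        }
    return findings


def shadow_apps(findings):
    """Unsanctioned apps ranked: most data-access scopes first, then most users."""
    shadow = [a for a, f in findings.items() if f["unsanctioned"]]
    return sorted(
        shadow,
        key=lambda a: (-len(findings[a]["sensitive_scopes"]), -findings[a]["user_count"], a),
    )


if __name__ == "__main__":
    report = assess(build_inventory(parse_events(SAMPLE_EVENTS)))
    for app in shadow_apps(report):
        f = report[app]
        print(f"{app}: users={f['user_count']} single_user={f['single_user']} "
              f"data_scopes={f['sensitive_scopes']}")
```

Run against the constructed events, the sanctioned CRM is inventoried but not reported, and the three unvetted apps come out ranked with the Drive-scoped app used by two people first, the single-user Gmail-reading AI tool second, and the sign-in-only notes app last. In practice the events would come from the identity provider’s OAuth or token audit export, and the ranking is the input to the remediation step: revoking the grant for an app, or moving it onto the approved list after review.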
Identifying Unauthorized SaaS Applications with an SSPM solution
Wing Security’s SaaS Security Posture Management (SSPM) solution automatically discovers every SaaS app, user, and third-party integration throughout your organization, including orphaned or rarely used apps.
The system detects all known and unknown applications and users and then provides an overall security score for the entire SaaS environment. The score is based on the CWSS framework, enabling organizations to understand their general security posture at a glance.
The solution provides risk prioritization according to the MITRE ATT&CK stages and enables IT teams to quickly mitigate these threats, either manually with just a click or through automated remediation that implements the organization’s security policies. The entire process takes less than 15 minutes. It’s a proactive approach to SaaS security that enables overburdened IT security teams to take back control of the technology landscape.
Shadow IT Management Strategies: Prevention is as essential as the cure
A major factor in the growth of shadow IT is culture, not technology. Reducing the risks of shadow apps requires engagement across the organization, by taking actions such as:
- Implementing an acceptable application use policy
- Updating governance surrounding IT systems access and security, accounting for SaaS apps and the use of AI
- Education, training, and reinforcement about the risks of shadow IT
- Revisiting application authorization processes, potentially enabling users to select from a broader set of approved apps
Mitigating the risks of shadow IT takes an ongoing effort, one that includes regular screening for all SaaS apps in use. An automated remediation solution can ensure that IT teams can quickly identify and resolve security risks hidden across the enterprise.