It’s understandably tempting to use a software-as-a-service (SaaS) application without permission when the IT department is taking too long to test it. Or procurement is dragging its feet. Or the security team has issues with it. So you use a credit card to set up an account for yourself and your co-workers. What’s the harm? A lot, actually. Such “shadow SaaS” use exposes your organization to cyber risk. It’s best if you don’t do it.
If you are responsible for IT or security, it’s a good idea to crack down on shadow SaaS before it causes serious problems. This has been a difficult challenge until now. This article explains what’s changed and how IT managers and security teams can eliminate shadow SaaS.
What Is Shadow SaaS and Why Does It Create Security Risk Exposure?
Shadow SaaS refers to the use of SaaS apps that are neither managed by the IT department nor protected by security countermeasures. Shadow SaaS scenarios run the gamut from a group of employees collaborating on a consumer messenger service to employees storing data and documents on consumer storage services, or even enterprise use cases like signing up for a customer relationship management (CRM) platform outside of normal IT channels.
A number of security risks arise from shadow SaaS. For one thing, the practice is invisible to IT and security. This lack of awareness is itself a driver of risk. Shadow SaaS also often places sensitive corporate data on publicly accessible sites, e.g., on Google Drive with open sharing settings. Such data may remain exposed after employees leave the company.
Measuring the Prevalence of Shadow SaaS in Your Enterprise
If you’re wondering, “How prevalent is shadow SaaS in my enterprise?” you should know the answer is “very prevalent,” if your organization is like most. According to data from the Cloud Security Alliance, 55% of employees adopt SaaS without the involvement of the security team. About half of your people are engaging in some form of shadow SaaS.
Can you measure how much shadow SaaS you have in your company? Yes, new tools, such as Unixi, give you the ability to measure the prevalence of shadow SaaS in your enterprise. The tool reveals which SaaS apps are being used without permission, who is using them, and what data is stored on them.
Detecting Shadow SaaS, User-by-User
Dealing with shadow SaaS involves taking two distinct actions. The first is to detect shadow SaaS. The second is to stop it. You have to do both. You could find people engaging in shadow SaaS and tell them, “You’re a bad boy. Don’t do that again.” However, they could easily return to the practice, and you’d be back at square one.
If you’re wondering, “Who is using shadow SaaS in my company?”, there is now a way to answer that question. You just need the right tools to detect which people have set up shadow SaaS accounts. Unixi detects shadow SaaS through its secure browser extension, which delivers detailed application-level visibility at the point of user interaction. Monitoring browser usage in real time, the tool tracks which users log into any application with corporate credentials, including unauthorized and unapproved applications. Unixi then reports detailed information about the users engaging in shadow SaaS to security teams.
Finding a Solution for the Shadow SaaS Problem
Can you stop shadow SaaS? This is the second critical step in getting on top of the problem, and yes, there is a solution. Unixi manages authentication at the browser level, so it can detect shadow SaaS when users try to log into unauthorized SaaS apps and flag those instances for remediation. Security teams can build a risk-based approved list from the observed shadow SaaS activity and block access to anything outside that list. This effectively shuts down shadow SaaS.
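As an added illustration of the two steps described above (detect logins made with corporate credentials to unapproved apps, then block anything outside a risk-based approved list), here is a small Python check run over constructed browser login events. It is example code written for this article, not Unixi’s; the corporate domain, the approved list, the events and the "review" policy for non-corporate identities are all assumptions.

```python
from collections import defaultdict

CORP_DOMAIN = "example.com"  # assumed corporate identity domain
# Constructed risk-based approved list; anything not on it is treated as unmanaged
APPROVED_APPS = {"crm.approved-vendor.test", "mail.example.com"}

# Constructed browser login events, as a browser extension might observe them:
# (employee, application host, identity typed into the login form)
EVENTS = [
    ("alice@example.com", "crm.approved-vendor.test", "alice@example.com"),
    ("bob@example.com", "chat.consumer-messenger.test", "bob@example.com"),
    ("bob@example.com", "drive.consumer-storage.test", "bob@example.com"),
    ("carol@example.com", "drive.consumer-storage.test", "carol.home@mail.test"),
    ("dave@example.com", "mail.example.com", "dave@example.com"),
]


def uses_corporate_credential(identity):
    """True when the identity used to sign in belongs to the corporate domain."""
    return identity.lower().rsplit("@", 1)[-1] == CORP_DOMAIN


def classify(app_host, identity):
    """Decide what to do with one observed login.

    allow  - app host is on the approved list (exact match, no implied subdomains)
    block  - corporate credential used on an unapproved app: shadow SaaS
    review - unapproved app reached with a non-corporate identity; no corporate
             credential is exposed, so it is reported, not blocked (assumed policy)
    """
    if app_host.lower() in APPROVED_APPS:
        return "allow"
    if uses_corporate_credential(identity):
        return "block"
    return "review"


def shadow_saas_report(events):
    """Group findings per user: list of (app_host, decision) for unapproved apps."""
    findings = defaultdict(list)
    for user, app_host, identity in events:
        decision = classify(app_host, identity)
        if decision != "allow":
            findings[user].append((app_host, decision))
    return dict(findings)


if __name__ == "__main__":
    for user, apps in shadow_saas_report(EVENTS).items():
        for app_host, decision in apps:
            print(f"{user}: {app_host} -> {decision}")
```

Approved-list matching is exact on purpose: a looser rule (for example, any subdomain of an approved vendor) widens what an attacker-controlled or unvetted tenant could slip through.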
Conclusion
Shadow SaaS creates risk. Users may store sensitive data on SaaS apps that are both unprotected and unknown to IT and security teams. There are now ways to detect the practice and prevent it from recurring. Unixi offers this capability with its SaaS authentication in the browser.